If you work in security (or perhaps even just in any sort of international business capacity), you’ve probably heard references to ‘BSI Standards’. You may have even done a web search to learn what BSI is — whether it affects you, your team, or your organization — and learned that it’s an acronym for the German Federal Office for Information Security. And if you did any of that, you likely also saw references to ‘IT-Grundschutz’, meaning ‘IT baseline protection’.
What are BSI Security Standards
According to the English-language version of the German agency’s website:
“The BSI Standards contain recommendations by the Federal Office for Information Security (BSI) on methods, processes, procedures, approaches and measures relating to information security. For this the BSI addresses issues that are of fundamental importance for information security in public authorities and companies and for which appropriate, practical, national or international approaches have been established.”
On that site, you can find technical guidelines and downloads for each of the standards, as well as additional information regarding compliance with the regulations listed, for example:
- BSI Standard 100-1 Information Security Management Systems (ISMS)
- BSI-Standard 100-2: IT-Grundschutz Methodology
- BSI-Standard 100-3: Risk Analysis based on IT-Grundschutz
- BSI-Standard 100-4: Business Continuity Management
In addition to regulatory compliance as an end goal, BSI Standards can be thought of in the larger sense as consumer-protection laws, as they can also be used to help companies provide products that are more secure. We see this in the case of the BSI commending Firefox as most secure among available browsers tested (covered by ZDNet):
Germany's BSI tested Firefox, Chrome, IE, and Edge. Firefox was only browser to pass all minimum requirements for mandatory security features.
— By Catalin Cimpanu for Zero Day | October 17, 2019
And now for the (potentially) million-dollar question...
Do BSI Standards Apply Outside of Germany?
The short and quick answer is: YES.
Much like companies both within and outside the European Union were not long ago (and are possibly still) confused about the EU’s General Data Protection Regulation, or GDPR, and its ramifications for companies operating outside the EU, the BSI Standards have also been an area where ambiguity remains.
German company Global Access Internet Services GmbH describes it thus:
"...whoever would like to make a bid on projects within the public and legal sectors of Germany, will rarely be able to get around having a BSI baseline protection certificate. In line with this, the Federal Ministry of the Interior (Bundesministerium des Inneren – BMI) has set the BSI baseline protection catalogue as its benchmark for its National Action Plan 2017 for public authorities. Should security relevant information or processes be outsourced (for example stored in the cloud), than an ISMS, based on IT baseline protection, is indeed mandatory."
That is, an ISO certification based on the BSI baseline protection (IT-Grundschutz) is necessary for all organizations that have customers in the public or legal sectors in Germany.
An auditor at EY told Runecast, regarding the value of BSI for non-german clients: “IT Service providers with clients in Germany should also be implementing IT-Grundschutz if their clients require it or at least have their own controls mapped to it.”
Note: This applies to ANY SECTOR — even though public and legal sectors are already required to comply. It makes no difference whether you are a German or non-German service provider, these laws apply.
Don’t Worry, Runecast to the Rescue
In October 2019, Runecast Analyzer released BSI Security Standards (BSI IT-Grundschutz) automation with its version 3.1, for continuous audits against the BSI Standards.
Runecast CEO Stanimir Markov (VCDX #74) and Product Owner Robert Bergner provided an introductory webinar on how best to ensure BSI IT-Grundschutz compliance for virtualized data centers:
Webinar: BSI IT-Grundschutz Automation within Runecast Analyzer
Let Runecast be your guide to virtualized data-center stability. Get a free 14-day trial, analyze your environment, and enjoy automated scans that remove manual work and ensure continuous audit readiness — even against German cybersecurity authorities.