Achieving BSI IT Grundschutz compliance

We asked one of our German partners, SVA, what the biggest security challenges in their region are. The answer was clear: BSI IT-Grundschutz. Are you considering this security framework for your company? Does your team need to implement it? In this article you'll find the information you need to keep your environment BSI IT-Grundschutz compliant.

Introduction to BSI IT-Grundschutz

Customers who have to deal with BSI IT-Grundschutz should understand that it is a set of rules describing the secure operation of IT infrastructures. A comprehensive definition can be found on Wikipedia:

"IT-Grundschutz is a procedure developed by the Federal Office for Information Security to identify and implement security measures of the company's own information technology. The goal of basic protection is to achieve a medium, appropriate and sufficient level of protection for IT systems. To achieve this goal, the IT basic protection catalogues recommend technical security measures and infrastructural, organisational and personnel protection measures."

Why should companies be concerned with BSI IT-Grundschutz?

There are many reasons why companies should align their IT security with BSI IT-Grundschutz. A very fitting description can be found on the website of the BSI itself:

"Nowadays it is essential for companies and authorities that information is correct and is treated confidentially. It is also correspondingly important that the technical systems on which information is stored, processed or transmitted function smoothly and are effectively protected against a wide range of constantly new types of threats." 

The BSI provides a useful framework, which companies can use as a guide when introducing an IT security concept. Since not all companies/areas have identical security requirements, the BSI IT-Grundschutz offers different protection classes (protection requirements) that can be applied. One of the specifications of IT-Grundschutz is to keep the costs of the measures within a reasonable range and to make full use of the possibilities offered, for example, by the manufacturers of operating systems.

Some companies and authorities must prove that sufficient measures have been taken to ensure information security. This proof is easier if they have adopted a standard such as IT-Grundschutz. The individual measures of IT-Grundschutz are described in the IT-Grundschutz-Kompendium.

Do BSI Standards Apply Outside of Germany?

The short and quick answer is: YES.

Not long ago, companies both inside and outside the European Union were confused (and possibly still are) about the EU's General Data Protection Regulation (GDPR) and its ramifications for companies operating outside the EU. The BSI Standards are a similar area where ambiguity remains.

An ISO certification based on the BSI IT-Grundschutz is necessary for all organizations that have customers in the public or legal sectors in Germany.

(We wrote more about this in an earlier blog post here.)

Audit of IT-Grundschutz

Introducing the BSI IT-Grundschutz measures in an authority or company is an essential first step, but the selected security settings must then be reviewed continuously: checked regularly and adjusted where necessary. In dynamic environments, such as a virtualization environment with VMware vSphere, unwanted settings can quickly appear during operation, because administrators may change the configuration during troubleshooting in ways that no longer meet the IT-Grundschutz requirements.

Continuous scanning of VMware vSphere environments with Runecast

Once the initial configuration of the IT-Grundschutz is complete, companies and authorities should consider how they can verify compliance without resorting to manual lists or Excel tables. For virtual VMware environments, Runecast Analyzer is a tool that can analyze the entire VMware environment; the analysis and review of IT-Grundschutz compliance is a module that can be selected. Primarily, Runecast Analyzer supports customers in scanning their entire VMware vSphere environment for potential issues and in locating and resolving them before they cause problems in the virtual infrastructure.
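The two paragraphs above describe the core problem a continuous scan solves: a configuration that was compliant on day one drifts during troubleshooting, and nobody notices until the next manual audit. The following is an added example written for this article (it is not Runecast code and it is not derived from the IT-Grundschutz-Kompendium) that shows the shape of such a check: a baseline of expected settings is compared against a configuration snapshot on every run, deviations and missing values are reported as findings, and two runs are diffed so that new drift stands out from findings that were already known. The ESXi advanced-setting names are real setting names, but the expected values, the rule identifiers and the "building block" references are constructed placeholders, not actual IT-Grundschutz requirements.

```python
"""Baseline drift check for a virtualization host configuration.

Added example, not Runecast code and not IT-Grundschutz content: rule IDs,
expected values and building-block references are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Comparison operators a baseline rule can use. "between" exists because a
# plain "max" would wrongly accept 0 for a timeout, where 0 means "disabled".
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "max": lambda actual, expected: actual <= expected,
    "between": lambda actual, expected: expected[0] <= actual <= expected[1],
}


@dataclass(frozen=True)
class Rule:
    rule_id: str         # constructed placeholder, not a real requirement ID
    setting: str         # advanced-setting key as it appears in the snapshot
    operator: str        # key into OPERATORS
    expected: Any
    building_block: str  # constructed placeholder reference
    severity: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule_id: str
    setting: str
    actual: Optional[Any]  # None when the setting was absent from the snapshot
    expected: Any
    building_block: str
    severity: str


# Constructed baseline: the values are illustrative, not BSI requirements.
BASELINE: List[Rule] = [
    Rule("EX-001", "UserVars.ESXiShellTimeOut", "between", (1, 900), "BB-PLACEHOLDER-1", "medium"),
    Rule("EX-002", "Security.AccountLockFailures", "max", 5, "BB-PLACEHOLDER-2", "high"),
    Rule("EX-003", "Config.HostAgent.plugins.solo.enableMob", "eq", False, "BB-PLACEHOLDER-3", "high"),
    Rule("EX-004", "UserVars.SuppressShellWarning", "eq", 0, "BB-PLACEHOLDER-4", "low"),
]


def check_host(host: str, snapshot: Dict[str, Any], baseline: List[Rule]) -> List[Finding]:
    """Return one Finding per rule the snapshot violates.

    A setting missing from the snapshot is a finding as well: a scan cannot
    prove compliance for a value it never saw, so "unknown" is not "compliant".
    """
    findings: List[Finding] = []
    for rule in baseline:
        if rule.setting not in snapshot:
            findings.append(Finding(host, rule.rule_id, rule.setting, None,
                                    rule.expected, rule.building_block, rule.severity))
            continue
        actual = snapshot[rule.setting]
        if not OPERATORS[rule.operator](actual, rule.expected):
            findings.append(Finding(host, rule.rule_id, rule.setting, actual,
                                    rule.expected, rule.building_block, rule.severity))
    return findings


def diff_runs(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into new ones (drift since the last scan) and resolved ones."""
    prev_keys = {(f.host, f.rule_id) for f in previous}
    curr_keys = {(f.host, f.rule_id) for f in current}
    return {
        "new": [f for f in current if (f.host, f.rule_id) not in prev_keys],
        "resolved": [f for f in previous if (f.host, f.rule_id) not in curr_keys],
    }


# Constructed snapshots: day 1 is compliant, day 2 shows drift after troubleshooting.
SNAPSHOT_DAY1: Dict[str, Any] = {
    "UserVars.ESXiShellTimeOut": 600,
    "Security.AccountLockFailures": 5,
    "Config.HostAgent.plugins.solo.enableMob": False,
    "UserVars.SuppressShellWarning": 0,
}
SNAPSHOT_DAY2: Dict[str, Any] = {
    "UserVars.ESXiShellTimeOut": 0,                    # 0 disables the shell timeout
    "Security.AccountLockFailures": 5,
    "Config.HostAgent.plugins.solo.enableMob": True,   # MOB re-enabled during troubleshooting
    # UserVars.SuppressShellWarning is missing from this export: unknown state
}

if __name__ == "__main__":
    host = "esxi-01.example.test"  # constructed hostname
    day1 = check_host(host, SNAPSHOT_DAY1, BASELINE)
    day2 = check_host(host, SNAPSHOT_DAY2, BASELINE)
    for f in diff_runs(day1, day2)["new"]:
        print(f"NEW {f.severity:6} {f.rule_id} {f.setting}: actual={f.actual!r} expected={f.expected!r} ({f.building_block})")
```

Running the block reports three new findings for day 2: the disabled shell timeout, the re-enabled MOB, and the setting that was absent from the export. Treating an absent value as a finding rather than silently skipping it is the point that manual Excel checks most often miss, and the run-to-run diff is what turns a one-off audit into the continuous audit readiness the article is about.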

In this blog post we will focus primarily on the IT-Grundschutz module. Before the module can be used, it must first be activated.

Afterward, you can access the "Security Compliance | BSI IT-Grundschutz" page via the side menu. All settings that are not IT-Grundschutz compliant are displayed here directly.

For each entry you can see which IT-Grundschutz module it refers to, and a link to the web source lets you read more about it.

The list can also be filtered by "Building Block" or by category.

The IT-Grundschutz catalogue is revised from time to time, and Runecast Analyzer is updated regularly with such changes. The IT department can thus see exactly what the status of the systems is at any time and take measures to restore the required security standard where necessary.


Try Runecast Analyzer in your own IT environment

Get a free 14-day trial of Runecast, analyze your environment, and enjoy automated scans that both remove manual work and ensure continuous audit readiness. In case you want to speak directly with an authority in the German region, please contact us and we will put you in contact with our partner.
