IT Baseline Protection

With our consultants and IT Baseline Protection, you reach a secure destination!

We advise you from Saxony at any location in Germany.

Would you like to introduce an information security management system based on IT-Grundschutz? When launching a project to raise the level of information security, it makes sense to bring in outside expertise. We are happy to support you with advice and hands-on help, both as consultants and as an external information security officer. You benefit from our many years of expertise gained in successful projects.

BSI IT Baseline Protection is a proven approach not only for public authorities but also for companies that want to survive in the digitalized world. Ransomware attacks, vulnerabilities such as Log4j, and other incidents appear in the news almost daily.
The challenge, however, is that many IT managers regard the IT-Grundschutz Compendium as a closed book. Yet BSI IT-Grundschutz is deliberately designed so that even less technically experienced people can identify and implement the required measures. With our many years of experience from successful information security projects based on IT-Grundschutz, you reach your goal faster and more efficiently.

Feel free to write to us or give us a call. We’ll reach the goal together with you!

BSI IT Baseline Protection

IT Grundschutz
Model – check – implement the BSI IT Baseline Protection modules as a team.

Let's take a look at how the BSI IT Baseline Protection Compendium is structured and which modules are necessary for building the ISMS and securing the information technology in use. The IT Baseline Protection Compendium (2022) is available for free download to everyone.

The IT Baseline Protection of the German Federal Office for Information Security (BSI) is a defined approach to protect an organization's information. It is designed to help companies, authorities, and municipalities identify and implement necessary security measures in a structured way.

IT Baseline Protection approach

The goal of the prescribed approach is to achieve an appropriate and sufficient level of protection for your information. You achieve this through:

  • The system modules for securing your IT infrastructure and the building
  • The process modules for implementing organizational regulations

According to the defined approach, the following steps must be carried out:

  • Definition of the information network
  • Conducting an IT structure analysis
  • Conducting a protection needs assessment
  • Modeling the modules onto your components
  • Conducting a basic security check
  • Conducting a supplementary security analysis (possibly followed by a subsequent risk analysis)
  • Consolidation of the measures
  • Implementation of the IT baseline protection measures

Distinction from ISO 27001

The key difference from the international ISO/IEC 2700x standard series is that IT Baseline Protection does not rely on a detailed, individual risk analysis with distinctions based on likelihood of occurrence and impact. Instead, it assumes general threats to IT systems and defines standard methods and measures based on these, covering various areas such as personnel, buildings, software, hardware, organization, and communication networks. Baseline Protection thus provides a kind of framework for implementing a normal level of protection.

The IT Baseline Protection framework is based on the assumption that individual analyses (individual identification of assets to be protected) and customized security concepts are too complex for applications with a normal protection requirement. Instead, it is intended to enable even less technically experienced individuals to identify the necessary measures and initiate their implementation.

Nevertheless, even with IT Baseline Protection, it is necessary—within the scope of the protection needs assessment—to individually estimate the potential damages for each IT system that could result from a compromise of confidentiality, integrity, or availability, in order to determine the appropriate protection category and thus the actual protection requirement.

What can go wrong?

Of course, not all projects are always as clear and simple as they should be. There are some pitfalls we would be happy to help you avoid.

When implementing the ISMS, different departments work together. Management should initiate the process. The participants pursue different goals in the project. For example, company leadership usually values a resource-saving, effective approach. The IT department prefers to keep the additional effort within limits.

  • What can you contribute as an information security officer to meet the needs of all parties?
  • Does a tool have to be used from the very beginning?
  • How are the requirements from the guidelines made mandatory for employees to acknowledge?
  • Does management have to sign all the documents?
  • Moving away from paper toward a digital process – how can you make that happen?
  • Long passwords, two-factor authentication, and locked office rooms. What can be done if employees' understanding of the extra effort leaves much to be desired?

When implementing the IT Baseline Protection approach, it can be helpful to seek external expertise. Many steps can thus be specifically guided to lead the project to success.

We are happy to assist you with all these questions.