
BSI IT-Grundschutz as Implementation Framework

BSI IT-Grundschutz as implementation framework for critical infrastructure. Compendium, protection needs and cross-mapping to NIS2 and ISO 27001.

Why BSI IT-Grundschutz Matters for Critical Infrastructure Operators

For operators of critical infrastructure in Germany, proving adequate information security to the Federal Office for Information Security (BSI) is not optional. Under Section 8a BSIG (the BSI Act), KRITIS operators must implement appropriate organizational and technical measures that reflect the state of the art and, under Section 8a(3), submit proof of this to BSI every two years. The question is therefore not whether you need a security framework but which one delivers both regulatory acceptance and operational value. For most utilities, energy providers, water works, and waste management companies in the DACH region, BSI IT-Grundschutz is the natural choice.

IT-Grundschutz is not itself an industry-specific security standard (B3S); B3S are sector standards drawn up by industry associations and recognized by BSI, and several of them are built on IT-Grundschutz and ISO 27001. What matters for the Section 8a(3) proof is that an "ISO 27001 certificate on the basis of IT-Grundschutz" can be submitted as evidence, provided the certified information domain actually covers the systems that deliver the critical service and the audit addresses the KRITIS-specific requirements. For operators that already need to comply with KRITIS regulations, IT-Grundschutz provides a structured, comprehensive, and well-documented path to demonstrable compliance. Unlike generic frameworks, IT-Grundschutz was developed for the German regulatory landscape and addresses the concrete threat scenarios that utilities and infrastructure operators face every day.

The practical advantage for utilities is significant: BSI publishes detailed implementation guidance for every single control, reducing the guesswork that plagues organizations trying to interpret abstract ISO 27001 clauses. When an auditor arrives, both sides speak the same language. The IT-Grundschutz Compendium defines exactly what "adequate protection" means for specific system types, network architectures, and operational processes.

The IT-Grundschutz Compendium: Modules and the Layer Model

The IT-Grundschutz Compendium is the core of the framework. It organizes security requirements into modules (called "Bausteine" in German), each addressing a specific aspect of information security. These modules are grouped into ten layers that cover the entire scope of an organization's IT and OT landscape. Understanding this structure is essential for efficient implementation, particularly when you need to map controls to your specific infrastructure.

  • ISMS (Information Security Management System) covers the governance layer: security policies, roles and responsibilities, security organization, and continuous improvement processes. This layer aligns directly with ISO 27001 clauses 4 through 10.
  • ORP (Organization and Personnel) addresses organizational measures such as human resources security, awareness training, rights and permissions management, and handling of security-relevant information by staff.
  • CON (Concepts) provides overarching security concepts including cryptography, data protection, data backup, deletion and destruction, and software development security.
  • OPS (Operations) deals with operational security: patch management, malware protection, logging and monitoring, and administration of IT systems. These operational practices apply to SCADA environments as much as to office IT, while the OT-specific requirements themselves sit in the IND layer.
  • DER (Detection and Response) covers incident detection, security incident handling, forensic analysis, and the clean-up of extensive incidents such as APT (Advanced Persistent Threat) intrusions. This layer is particularly relevant for KRITIS operators, who must report incidents to BSI.
  • APP (Applications) secures business applications, web servers, databases, email systems, directory services, and specialized business applications such as ERP systems.
  • SYS (IT Systems) covers servers, clients, mobile devices, virtualization platforms, and other devices such as printers, embedded systems, and IoT devices. For energy providers, this includes the systems running control center applications.
  • NET (Networks) addresses network architecture, segmentation, firewalls, VPN, WLAN, and network management. Proper segmentation between IT and OT networks is a critical requirement for KRITIS environments.
  • INF (Infrastructure) covers physical security: buildings, data centers, server rooms, cabling, mobile workplaces, and technical facilities. For water works and waste management plants, this includes remote facilities and unmanned substations.
  • IND (Industrial IT) addresses industrial control systems, process control and automation technology, and OT security, including modules for individual ICS components, PLCs, sensors and actuators, safety instrumented systems, and remote maintenance. This module set is what makes IT-Grundschutz distinctively useful for critical infrastructure operators compared to generic security frameworks.

Each module contains specific requirements categorized as "basic," "standard," or "elevated." This tiered approach allows organizations to start with essential protections and systematically raise their security posture over time. For a water utility with limited IT staff, this means you can achieve a defensible baseline quickly and then expand your scope as resources allow.

Choosing the Right Approach: Basic, Standard, and Core Protection

BSI IT-Grundschutz offers three distinct approaches to information security, each designed for different organizational maturity levels and protection requirements. Choosing the right one is the first strategic decision in your IT-Grundschutz journey.

Basic Protection (Basis-Absicherung)

Basic Protection implements the essential security requirements from every applicable IT-Grundschutz module. It provides a broad but foundational level of security across the entire organization. This approach is suitable as an entry point for smaller utilities that are beginning their information security journey. It covers the "must-have" controls and establishes a minimum security baseline. However, Basic Protection alone is generally not sufficient for KRITIS compliance because the BSI Act requires demonstrating state-of-the-art security, which typically demands a higher protection level.

Standard Protection (Standard-Absicherung)

Standard Protection builds on Basic Protection and adds the "standard" requirements from each module, followed by a risk analysis for target objects with high or very high protection needs. This is the approach that most KRITIS operators should target. It provides comprehensive security coverage and is the basis for BSI IT-Grundschutz certification. A completed Standard Protection implementation, verified in a certification audit, can result in the "ISO 27001 Certificate on the basis of IT-Grundschutz," which can be submitted as evidence under Section 8a(3) BSIG when the certified scope covers the critical service. For energy providers, water works, and waste management companies, Standard Protection strikes the right balance between thorough security and manageable implementation effort.

Core Protection (Kern-Absicherung)

Core Protection takes a different approach: instead of covering the entire organization, it focuses exclusively on the most critical business processes and assets, the so-called "crown jewels." For a KRITIS operator, these are typically the systems that directly support the critical service, such as the SCADA/DCS systems of an energy provider, the process control technology of a water treatment plant, or the fleet management systems of a waste collection service. Core Protection follows the Standard Protection procedure (basic and standard requirements, plus a risk analysis that may call for elevated requirements) but only for this defined scope. It is particularly useful as a starting strategy when resources are limited and the most critical systems must be secured first. A utility can begin with Core Protection for its OT environment and then expand to Standard Protection for the broader organization.

IT-Grundschutz and NIS2: Mapping Modules to EU Requirements

With the NIS2 Directive transposed into German law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), KRITIS operators face an expanded set of requirements. The good news: if you have implemented IT-Grundschutz to Standard Protection level, you have already covered most of the NIS2 risk management measures in Art. 21(2). BSI positions IT-Grundschutz as a suitable basis for meeting NIS2 obligations, but the mapping below still has to be checked against your own scope.

Here is how the IT-Grundschutz modules map to the key NIS2 articles:

  • Art. 21(2)(a) Risk analysis and ISMS policies: Covered by ISMS modules (ISMS.1 Security Management) and the risk analysis methodology described in BSI Standard 200-3. Your existing risk management processes built on IT-Grundschutz already satisfy this requirement.
  • Art. 21(2)(b) Incident handling: Directly addressed by DER.1 (Detection of Security Events), DER.2.1 (Security Incident Handling), and DER.2.3 (Clean-up of Extensive Security Incidents). NIS2 Art. 23 tightens the reporting timelines, so ensure your DER processes include the 24-hour early warning, the 72-hour incident notification, and the final report within one month.
  • Art. 21(2)(c) Business continuity and crisis management: Covered by CON.3 (Data Backup), DER.4 (Emergency Management), and the business impact analysis methodology from BSI Standard 200-4 (BCM).
  • Art. 21(2)(d) Supply chain security: Addressed by OPS.2.1 (Outsourcing), APP modules for third-party software, and the vendor assessment processes. Strengthening your vendor management with documented security requirements for all ICT service providers is critical under NIS2.
  • Art. 21(2)(e) Secure acquisition, development, and maintenance: Covered by CON.8 (Software Development), OPS.1.1.6 (Software Tests and Approvals), and the system hardening requirements across SYS modules.
  • Art. 21(2)(f) Effectiveness assessment: Addressed through DER.3.1 (Audits and Revisions), the internal audit cycle in ISMS.1, and the regular effectiveness checks built into the IT-Grundschutz process model.
  • Art. 21(2)(g) Cyber hygiene and training: Covered by ORP.3 (Awareness and Training), ORP.2 (Personnel), and the general awareness measures in ISMS modules.
  • Art. 21(2)(h) Cryptography: Directly addressed by CON.1 (Crypto Concept) and applied across NET and APP modules for transport and storage encryption.

For a comprehensive view of NIS2 requirements and how they relate to your existing controls, explore the NIS2 requirements catalog in our knowledge base. The key takeaway: IT-Grundschutz and NIS2 are complementary, not competing. IT-Grundschutz is the "how," and NIS2 defines the "what." Together, they form a complete compliance framework for German KRITIS operators.

IT-Grundschutz and ISO 27001: The Dual-Benefit Certificate

One of the most compelling aspects of BSI IT-Grundschutz is its relationship with ISO 27001. The "ISO 27001 Certificate based on IT-Grundschutz" is a unique certification that combines the rigor of IT-Grundschutz with the international recognition of ISO 27001. This gives KRITIS operators a dual benefit: you satisfy German regulatory requirements while simultaneously holding an internationally recognized information security certification.

The certification process works as follows: an auditor certified by BSI for IT-Grundschutz examines your ISMS against the IT-Grundschutz Compendium requirements and the IT-Grundschutz methodology, and BSI reviews the audit report and issues the certificate, which attests conformity with ISO 27001 on the basis of IT-Grundschutz. One audit and one certificate cover both, which is more efficient than pursuing two separate certifications and avoids the duplication of effort that many organizations experience when maintaining parallel management systems.

For utilities that operate internationally or supply services to customers outside Germany, this is particularly valuable. While IT-Grundschutz is primarily a German standard, the ISO 27001 component is recognized worldwide. International partners, customers, and regulators understand what an ISO 27001 certificate means, even if they are unfamiliar with IT-Grundschutz specifics. One caveat to keep in mind: the certificate is issued by BSI as the certification body rather than by an accredited commercial certification body, so be prepared to explain this to a counterpart who expects a "native" ISO 27001 certificate.

The key difference between a "native" ISO 27001 certification and the IT-Grundschutz-based variant lies in the risk assessment methodology. Native ISO 27001 lets organizations define their own risk assessment approach and justify the inclusion or exclusion of Annex A controls in their Statement of Applicability. IT-Grundschutz prescribes a defined methodology (BSI Standards 200-2 and 200-3) and derives the applicable requirements from the modeling of your information domain. This prescriptive approach reduces the risk of overlooking threats and produces a more consistent security posture across organizations.

Practical Tips for Utilities: From Assessment to Certification

Implementing IT-Grundschutz in a utility environment comes with specific challenges that differ from a typical office IT environment. Energy providers manage SCADA networks, water works operate remote treatment facilities, and waste management companies coordinate distributed fleets. Here are the practical considerations that will determine your success.

Protection Needs Assessment for Critical Services

The protection needs assessment (Schutzbedarfsfeststellung) is the foundation of your IT-Grundschutz implementation. For KRITIS operators, you must pay special attention to the systems that directly support your critical service. Begin by identifying the critical business processes, then map the IT and OT systems that support them. For an energy provider, this includes the control center, substation automation, smart grid components, and metering infrastructure. For a water utility, this covers process control systems, pump stations, water quality monitoring, and the SCADA communication network. Assign protection needs categories (normal, high, very high) per security objective (confidentiality, integrity, availability) based on the potential impact of a security incident on your critical service delivery. BSI Standard 200-2 then derives the protection needs of systems, networks, and rooms from the processes that run on them: an object inherits the maximum of its dependants (maximum principle), several "high" dependants on one object can raise it to "very high" (cumulation effect), and redundancy can lower the requirement on a single instance (distribution effect). Remember: any system that could affect the availability, integrity, or confidentiality of your critical service likely falls into the "high" or "very high" category.
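The derivation described above can be run mechanically once processes and their supporting assets are recorded. The following is an added example, not code from the original page or from BSI: it applies the maximum principle and the cumulation effect of BSI Standard 200-2 to a small constructed information domain (process names, assets, and their protection needs are invented for illustration) and flags any asset that supports a critical-service process yet ends up at "normal" for integrity or availability. The cumulation threshold of two "high" dependants is an assumption; 200-2 leaves the threshold to the organization.

```python
from dataclasses import dataclass
from enum import IntEnum

GOALS = ("confidentiality", "integrity", "availability")


class Need(IntEnum):
    """The three protection needs categories of IT-Grundschutz."""
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3


@dataclass(frozen=True)
class Process:
    name: str
    needs: dict                      # goal -> Need, stated by the process owner
    critical_service: bool = False   # directly supports the KRITIS service


@dataclass(frozen=True)
class Asset:
    name: str
    supports: tuple = ()             # processes running on this asset
    hosts: tuple = ()                # assets that depend on this one (network, room, ...)


def aggregate(contributions, threshold):
    """Maximum principle, then cumulation effect, per security objective.

    contributions: list of (name, {goal: Need}). Returns ({goal: Need}, notes).
    """
    result, notes = {}, []
    for goal in GOALS:
        values = [(n, needs[goal]) for n, needs in contributions]
        top = max((v for _, v in values), default=Need.NORMAL)
        highs = [n for n, v in values if v == Need.HIGH]
        # Cumulation effect (assumed threshold): several HIGH dependants raise the object to VERY HIGH
        if top == Need.HIGH and len(highs) >= threshold:
            top = Need.VERY_HIGH
            notes.append(f"{goal}: raised to VERY_HIGH by cumulation of {highs}")
        result[goal] = top
    return result, notes


def derive(processes, assets, cumulation_threshold=2):
    """Derive protection needs for every asset from the processes it supports and
    the assets it hosts. Returns (needs per asset, notes per asset, review flags)."""
    procs = {p.name: p for p in processes}
    by_name = {a.name: a for a in assets}
    derived, notes, flags = {}, {}, []

    def need_of(name):
        if name in derived:
            return derived[name]
        asset = by_name[name]
        contributions = [(p, procs[p].needs) for p in asset.supports]
        contributions += [(h, need_of(h)) for h in asset.hosts]   # assumes an acyclic dependency graph
        derived[name], notes[name] = aggregate(contributions, cumulation_threshold)
        # KRITIS sanity check: an asset a critical-service process runs on should not
        # end up at NORMAL for integrity or availability; flag it for review instead of overriding
        if any(procs[p].critical_service for p in asset.supports):
            for goal in ("integrity", "availability"):
                if derived[name][goal] == Need.NORMAL:
                    flags.append(f"{name}: {goal} is NORMAL but supports a critical-service process")
        return derived[name]

    for a in assets:
        need_of(a.name)
    return derived, notes, flags


def _n(c, i, a):
    return dict(zip(GOALS, (c, i, a)))


# Constructed sample domain for an energy provider (names and ratings are invented)
SAMPLE_PROCESSES = [
    Process("Grid control", _n(Need.HIGH, Need.VERY_HIGH, Need.VERY_HIGH), critical_service=True),
    Process("Metering data collection", _n(Need.HIGH, Need.HIGH, Need.HIGH), critical_service=True),
    Process("Shift handover log", _n(Need.NORMAL, Need.NORMAL, Need.NORMAL), critical_service=True),
    Process("Customer billing", _n(Need.HIGH, Need.NORMAL, Need.NORMAL)),
    Process("Intranet", _n(Need.NORMAL, Need.NORMAL, Need.NORMAL)),
]
SAMPLE_ASSETS = [
    Asset("SCADA server", supports=("Grid control",)),
    Asset("MDM server", supports=("Metering data collection",)),
    Asset("Billing app server", supports=("Customer billing",)),
    Asset("Intranet server", supports=("Intranet", "Shift handover log")),
    Asset("Control center LAN", hosts=("SCADA server", "MDM server")),
    Asset("Office LAN", hosts=("Billing app server", "Intranet server")),
    Asset("Data center room", hosts=("Control center LAN", "Office LAN")),
]


def run_sample():
    return derive(SAMPLE_PROCESSES, SAMPLE_ASSETS)


if __name__ == "__main__":
    needs, notes, flags = run_sample()
    for name, goals in needs.items():
        print(f"{name:20s}", {g: n.name for g, n in goals.items()}, notes[name])
    for f in flags:
        print("REVIEW:", f)
```

In the sample, the control center LAN ends up "very high" for confidentiality although no single server on it exceeds "high", which is exactly the cumulation effect auditors expect to see documented; the intranet server is flagged because the shift handover log, a critical-service process, was rated "normal" everywhere, which is the kind of rating a KRITIS reviewer will ask you to justify.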

Modeling OT Systems with IT-Grundschutz

One of the most challenging aspects for utilities is modeling operational technology (OT) systems within the IT-Grundschutz framework. The IND layer modules are your primary resource here, but you will also need to apply modules from other layers. A typical OT environment in a utility includes PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), HMI (Human Machine Interface) stations, SCADA servers, and the communication infrastructure connecting these components. Each of these must be modeled using the appropriate IT-Grundschutz modules. Every ICS component receives IND.2.1 (General ICS Component), PLCs additionally IND.2.2 (Programmable Logic Controller), HMI stations and SCADA servers a combination of SYS modules and the relevant IND modules, remote access paths IND.3.2 (Remote Maintenance in Industrial IT), and the OT network the NET modules together with the segmentation and isolation requirements of IND.1 (Process Control and Automation Technology). Document your OT architecture thoroughly in your IT asset management system, including network diagrams, communication flows, and system dependencies.

Risk Analysis for Residual Risks

After modeling your information domain and implementing the applicable IT-Grundschutz modules, you must perform a risk analysis for any residual risks. BSI Standard 200-3 defines the methodology. For KRITIS operators, pay particular attention to risks arising from the convergence of IT and OT, legacy systems that cannot be patched, remote access to operational facilities, and supply chain dependencies on specialized OT vendors. Each identified risk must be treated: either by implementing additional controls, transferring the risk (e.g., through insurance), accepting it with documented justification, or avoiding it by changing the process. Your risk register should capture these decisions, the responsible parties, and the timeline for implementation.

Policy Framework and Documentation

IT-Grundschutz requires extensive documentation, and KRITIS auditors will scrutinize your policy framework closely. At a minimum, you need a security guideline (Sicherheitsleitlinie), role and responsibility definitions, a risk management policy, incident response procedures, business continuity plans, and specific operational procedures for your critical systems. For utilities, operational procedures must cover both IT and OT environments, including change management processes that account for the different lifecycle and availability requirements of industrial control systems. Document your security measures consistently and ensure that the documentation is accessible to auditors while remaining protected from unauthorized access.

How Kopexa Supports Your IT-Grundschutz Implementation

Implementing IT-Grundschutz across a utility with dozens of OT systems, hundreds of IT assets, and multiple physical locations is a complex undertaking. Kopexa provides the platform infrastructure to manage this complexity efficiently and maintain compliance continuously, not just at audit time.

Framework Builder for IT-Grundschutz Modeling

Kopexa's Framework Builder allows you to import the IT-Grundschutz Compendium and model your specific information domain directly in the platform. Select the modules that apply to your infrastructure, assign them to specific assets or asset groups, and track implementation progress at the control level. The modeling process becomes a collaborative effort between your IT team, OT engineers, and information security officer, with full visibility into which requirements are met, which are in progress, and which still need attention.

Cross-Framework Control Mapping

The real power of Kopexa emerges when you operate under multiple regulatory frameworks simultaneously. Most KRITIS operators must comply with IT-Grundschutz, NIS2, and often additional standards such as ISO 27001 or sector-specific regulations. Kopexa automatically maps controls across these frameworks, showing you where a single implementation satisfies multiple requirements. When you implement the IT-Grundschutz DER.2.1 module for incident management, Kopexa shows you that this also satisfies NIS2 Art. 21(2)(b) and ISO 27001 Annex A.5.24 through A.5.28. This eliminates duplicate work and ensures that your compliance efforts are as efficient as possible.

Evidence Management for Audit Readiness

BSI IT-Grundschutz audits require substantial evidence: documented policies, configuration baselines, test results, training records, risk assessments, and much more. Kopexa centralizes all evidence in one platform, linked directly to the controls they support. When your auditor requests proof that you have implemented OPS.1.1.3 (Patch and Change Management), you can pull up the relevant policy, the patch management reports from the last 12 months, and the change advisory board meeting minutes in seconds. No more searching through file shares, SharePoint sites, and email archives during audit week.

Continuous Compliance Monitoring

Compliance is not a point-in-time achievement. IT-Grundschutz requires continuous monitoring and improvement. Kopexa tracks the status of every control, alerts you when evidence expires or reviews are overdue, and provides dashboards showing your overall compliance posture. For utilities with lean IT teams, this continuous monitoring means you always know where you stand, whether the next audit is twelve months away or twelve days away.

Cross-Framework Synergies: Maximizing Your Investment

One of the most significant advantages of using Kopexa for your IT-Grundschutz implementation is the ability to leverage synergies across multiple compliance frameworks. As a KRITIS operator, you are not dealing with IT-Grundschutz in isolation. The regulatory landscape includes NIS2, the BSI Act, sector-specific requirements, and potentially international standards. Kopexa helps you manage these overlapping requirements as a single, unified compliance program rather than separate, siloed initiatives.

Consider the practical impact: when you document your vendor management process to satisfy IT-Grundschutz OPS.2.1 requirements, that same documentation and those same vendor assessments also satisfy NIS2 Art. 21(2)(d) on supply chain security. When you build your incident response capability following DER modules, you simultaneously prepare for NIS2 incident reporting obligations. Kopexa makes these connections visible and ensures that every hour of compliance work delivers maximum regulatory coverage.

Next Steps

Ready to start or strengthen your IT-Grundschutz implementation? Explore these resources to deepen your understanding and connect the dots between IT-Grundschutz and the broader regulatory landscape for critical infrastructure:

  • NIS2 for Critical Infrastructure covering the EU directive, German transposition, and specific obligations for essential entities in the energy, water, and waste sectors
  • KRITIS Compliance Guide with details on Section 8a BSIG, audit cycles, and the BSI registration process for critical infrastructure operators
  • NIS2 Requirements Catalog providing the complete catalog of NIS2 requirements with mapping to IT-Grundschutz modules and implementation guidance
  • Risk Management in Kopexa for building your risk register, conducting protection needs assessments, and tracking risk treatment decisions
  • Policy Management for creating, versioning, and distributing the security policies and operational procedures required by IT-Grundschutz
  • IT Asset Management to catalog your IT and OT systems, map them to IT-Grundschutz modules, and maintain a current inventory for your information domain
  • Vendor Management for assessing and monitoring the security posture of your ICT service providers and OT system suppliers
