BSI-IT Consulting

Your contacts for BSI basic protection advice


You can rely on established standards developed by the German Federal Office for Information Security (BSI) to secure your company’s IT. This BSI IT baseline protection analyzes the potential for hazards and damage and defines appropriate protection levels and security measures. You can prove your basic IT protection with a certification.

BSI basic protection consulting

Security conception, audit & implementation (KRITIS & public sector)

The German Federal Office for Information Security (BSI) has developed an IT baseline protection catalog for companies, authorities and other stakeholders active in the field of critical data security to enable the gradual establishment and continuous maintenance of a comprehensive information security management system (ISMS).

The primary objective is to safeguard information technology. The first step is to identify and evaluate security risks. An action implementation plan consolidates the required security measures, which are then implemented. All areas of the company with a high or very high need for IT protection must be checked for compliance with the ISMS on a regular and ad hoc basis. ISO 27001 certification also serves this purpose.

Since 2017, the German government has been revising the law to increase the security of information technology systems. The so-called IT Security Act (IT-SiG) 2.0 focuses in particular on data security in the federal administration, in critical infrastructure companies (KRITIS) and organizations of special public interest (UBI) – these include companies of great economic importance as well as arms manufacturers and producers and processors of hazardous substances.

Companies in these sectors will gradually be obliged to register with the BSI and submit a declaration on their IT security. This includes certifications, security audits and security measures.

The IT-SiG 2.0 significantly expands both the obligations for data protection-critical companies and the control powers of the state. The revision, including the lowering of various KRITIS thresholds, led to a significant expansion of the group of affected operators. The sharp increase in fines for non-compliance with specifications and requirements to up to EUR 2 million (EUR 20 million for legal entities) is a further reminder to implement cyber security rigorously in the company now at the latest.

8 KRITIS sectors for BSI IT baseline protection audits

  • Energy suppliers (electricity, gas, fuels, district heating)

  • Water supply (drinking water, waste water)

  • Food suppliers (manufacturers and handlers, distribution and ordering)

  • Transport and traffic companies

  • Healthcare services (supply, laboratories, production and distribution of medicines and blood/plasma)

  • Disposal companies

  • IT and telecommunications companies

  • Finance and insurance


In order to guarantee the prescribed IT baseline protection, the BSI prescribes four standards for the security concept, which are presented in more detail below. The BSI’s IT baseline protection catalog includes a large number of documents for analyzing and modeling security risks and protection requirements. The focus here is on protecting the most important areas of information security: integrity, confidentiality and availability.

(BSI Standard 200-1)

Management systems for information security

Just like the internationally recognized ISO 27001 standard, BSI Standard 200-1 defines the general requirements for information security management systems (ISMS), such as the methods for initiating, monitoring and controlling these systems.

In addition, this standard also sets out the rules for the general handling of the other three data security standards. BSI Standard 200-1 is based on the terminology of the ISO standards, but is formulated more clearly and structured slightly differently. This means that project managers and executives are also addressees of this standard, whereas the previous versions were explicitly aimed at those responsible for information security.

(BSI Standard 200-2)

IT basic protection

BSI Standard 200-2 provides a solid basis for setting up an ISMS in the company. This standard also defines methods for reviewing and expanding information security management. As a company, you can choose between different levels of protection:

The standard provides procedures for comprehensive standard protection, reduced basic protection and core protection. The latter two are particularly suitable for small and medium-sized companies. This standard is also largely congruent with ISO 27001. The structure of the document is deliberately similar to that of BSI Standard 200-1 in order to facilitate the comparison of content.

(BSI Standard 200-3)

Risk management

The BSI standard entitled “Risk analysis based on IT baseline protection” is a supplementary element for BSI baseline protection. It can be used by authorities or companies that have already implemented IT baseline protection and want to carry out an additional risk analysis. The standard specifies eight steps in which information security risks can be systematically identified, assessed and managed. The effectiveness of the proposed measures can be verified by means of comparative analyses.

Standard 200-3 is a revision of the original Standard 100-3. The updated version is based on a simplified hazard model that combines the former 450 specific hazards into 46 elementary, product- and technology-neutral hazards.

(BSI Standard 200-4)

Business Continuity Management

Standard 100-4 was also revised a few years after the other BSI baseline protection standards. It has been available as a revised community draft since 2022. Standard 200-4 is significantly more comprehensive than its predecessor and, with the title “BCM”, focuses more strongly on general security in companies.

With systematic instructions, it supports the implementation of a business continuity system in order to be able to react quickly in emergencies – especially in time-critical business processes – and minimize downtime. A three-stage model allows for a needs-based introduction.

The specifications are fully compatible with those of the internationally recognized ISO 22301, but also include detailed instructions and tools for practical implementation.

The 4 new BSI baseline protection standards

  • BSI Standard 200-1: General requirements for an ISMS

  • BSI Standard 200-2: Methodology for IT baseline protection

  • BSI Standard 200-3: Risk management in the implementation of IT baseline protection

  • BSI Standard 200-4: Guidance on setting up business continuity management

Implementation of BSI IT baseline protection

Information security in companies is a process that must be constantly monitored and optimized. The BSI IT baseline protection standards offer a practical guide to establishing your own information security management system, especially for less experienced users in small and medium-sized companies with an independent IT department.

A distinction is made between eight phases or steps. The first step is to define which components and areas in the company are eligible for an ISMS. This is followed by a structural analysis of all security-critical company assets and their dependencies. Once the protection requirements have been determined, the minimum requirements specified by the BSI baseline protection as building blocks are modeled and then compared with the current status in the IT baseline protection check. A risk analysis is necessary for all company values that do not match any of the modules.

An action implementation plan summarizes all the security measures that will ultimately be implemented in order to achieve the desired security level. This is divided into 3 levels (basic, core and standard) so that the security concept can be implemented and tested in line with the requirements of your own company.

Cyber Curriculum® as a cyber security expert for your company

BSI IT baseline protection consulting from experts

Trust our many years of experience as security experts in the public sector and in the area of data protection. With our customized IT compliance packages, we offer you exactly the service you need – always tailored to your security requirements and your budget.