The IT-Grundschutz methodology is a procedure for IT security management that can be adapted to the situation of a specific institution. It is described in BSI Standard 100-2 and builds on the information security management system (ISMS) defined in BSI Standard 100-1 (MSIS). This document describes the steps required by the IT-Grundschutz methodology and represents a standard for establishing and maintaining an appropriate level of IT security in an institution. The method, introduced by BSI in 1994, provides a methodology for setting up an information security management system: a comprehensive basis for assessing risk, monitoring the existing IT security level, and implementing appropriate IT security measures.
One of the most important objectives of IT-Grundschutz is to reduce the cost of the IT security process by providing established procedures for improving information security. The methodology describes an efficient management system for information security and how the IT-Grundschutz catalogues are used for this task. The BSI 100-series standards each cover a different area:
- BSI Standard 100-1 (MSIS) describes the general methods for initiating and managing information security in an institution.
- BSI Standard 100-2 is the IT-Grundschutz methodology itself. It first summarizes the important steps in introducing an ISMS and the approach to producing an IT security concept. It then describes how the initiation phase of the IT security process can look, which organizational structures are appropriate for it, and a systematic path for setting up functional IT security management and developing it further in ongoing operations. Finally it describes how an IT security concept is produced, beginning with how the basic information on IT assets is collected and simplified by forming groups of similar assets.
- BSI Standard 100-3 describes a risk analysis based on IT-Grundschutz for assets whose protection requirements are not covered by the standard security measures alone.
- BSI Standard 100-4 describes business continuity management (Notfallmanagement).
The IT-Grundschutz catalogues describe how to produce and monitor IT security concepts on the basis of standard security measures. Modules of standard security measures are available for common IT processes, applications, and components. The modules are classified into five layers according to their focus:
- Layer 1 covers all the generic IT security issues.
- Layer 2 covers the infrastructure, i.e. the physical and technical issues.
- Layer 3 relates to individual IT systems.
- Layer 4 concerns the issues relating to networking IT systems.
- Layer 5 handles the actual IT applications.
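The structure-analysis step mentioned above (collecting the basic information on IT assets and simplifying it by forming groups) and the five-layer classification of the catalogue modules, as an added worked example; this is illustrative code and not from the BSI standard or the catalogues. The grouping rule follows the IT-Grundschutz methodology (assets may be grouped when they are of the same type, configured the same, connected to the network the same way, subject to the same administrative and infrastructural conditions, and run the same applications). The asset inventory, the asset kinds, the field names and the kind-to-layer mapping are assumptions made here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# The five layers of the IT-Grundschutz catalogues, as listed in the text.
LAYERS = {
    1: "generic aspects",
    2: "infrastructure",
    3: "IT systems",
    4: "networks",
    5: "IT applications",
}

# Assumed mapping from an inventory's asset kind to a catalogue layer.
# The kind names are ours, not catalogue module identifiers.
KIND_TO_LAYER = {
    "room": 2, "cabling": 2,
    "server": 3, "client": 3,
    "lan": 4, "wan": 4,
    "application": 5,
}


@dataclass(frozen=True)
class Asset:
    """One line of a (constructed) asset inventory."""
    name: str
    kind: str
    config: str          # OS / hardware / software baseline
    network: str         # how and where it is connected
    admin: str           # who administers it
    site: str            # building / room it depends on
    applications: tuple  # applications it runs or supports


def group_key(asset: Asset) -> tuple:
    """Two assets may be merged into one group only if they are of the same
    type, configured (nearly) identically, connected to the network in the
    same way, subject to the same administrative and infrastructural
    conditions, and run the same applications.  The name is deliberately
    not part of the key: it is the only thing that should differ."""
    return (
        asset.kind,
        asset.config,
        asset.network,
        asset.admin,
        asset.site,
        tuple(sorted(asset.applications)),
    )


def form_groups(assets):
    """Collapse the inventory into groups of interchangeable assets.
    Returns {group_key: [asset names]} with names in inventory order."""
    groups = defaultdict(list)
    for asset in assets:
        groups[group_key(asset)].append(asset.name)
    return dict(groups)


def structure_analysis(assets):
    """Produce the simplified asset list: one entry per group, with the
    catalogue layer whose modules will later be applied to the whole group.
    Unknown kinds fall back to layer 1 (generic aspects) so nothing is
    silently dropped from the security concept."""
    result = []
    for key, members in form_groups(assets).items():
        kind = key[0]
        layer = KIND_TO_LAYER.get(kind, 1)
        result.append({
            "group": members[0] if len(members) == 1 else f"{kind}-group({len(members)})",
            "members": members,
            "kind": kind,
            "layer": layer,
            "layer_name": LAYERS[layer],
        })
    return result


# Constructed sample inventory (not real data).
INVENTORY = [
    Asset("C1", "client", "win10-std", "office-LAN", "central-IT", "HQ/1.12", ("office", "mail")),
    Asset("C2", "client", "win10-std", "office-LAN", "central-IT", "HQ/1.12", ("mail", "office")),
    Asset("C3", "client", "win10-std", "office-LAN", "central-IT", "HQ/1.12", ("office", "mail")),
    # same build, but administered locally at another site: cannot join the group above
    Asset("C4", "client", "win10-std", "office-LAN", "branch-admin", "Branch/0.3", ("office", "mail")),
    Asset("S1", "server", "debian-web", "DMZ", "central-IT", "HQ/B.01", ("webshop",)),
    Asset("S2", "server", "debian-web", "DMZ", "central-IT", "HQ/B.01", ("webshop",)),
    Asset("S3", "server", "debian-db", "server-LAN", "central-IT", "HQ/B.01", ("webshop-db",)),
    Asset("R1", "room", "server-room", "-", "facilities", "HQ/B.01", ()),
    Asset("N1", "lan", "office-segment", "office-LAN", "central-IT", "HQ", ()),
    Asset("A1", "application", "webshop-v3", "DMZ", "dev-team", "HQ", ("webshop",)),
]


if __name__ == "__main__":
    for entry in structure_analysis(INVENTORY):
        print(f"{entry['group']:<18} layer {entry['layer']} ({entry['layer_name']}): "
              f"{', '.join(entry['members'])}")
```

With the constructed inventory the ten assets collapse to seven groups: the three identically managed office clients become one object, the branch client stays separate because its administrative and infrastructural conditions differ, and the two web servers merge while the database server does not. Each group then carries one layer, so the catalogue modules of that layer are applied once per group rather than once per asset, which is where the cost reduction of the methodology comes from.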