BSI Grundschutz for Mid-Sized Companies: What Is Actually Required
Clara, Documentation Lead
Many mid-sized companies receive the same proposal: a full BSI Grundschutz certification, 80 modules, ISO-27001 alignment. Price: on request. Timeline: 18 months. That is not wrong, but for a company with 80 employees and a two-person IT team, it is simply the wrong document at the wrong time.
This article answers three concrete questions: what is legally required under BSI IT-Grundschutz, what is best practice, and what can you defer?
What BSI Grundschutz Is and What It Is Not
The BSI IT-Grundschutz Compendium, Edition 2023, covers 111 modules and is not a law. It is a framework published by Germany's Federal Office for Information Security (BSI) for systematically securing information networks.[1] There are three ways to apply the framework:
- Basic Protection: Entry level, approximately 47 core measures, suitable for organizations without a formal ISMS.
- Standard Protection: Full methodology, all relevant modules, prerequisite for ISO-27001 certification based on IT-Grundschutz.
- Core Protection: Focused on particularly critical assets rather than the entire information network.[2]
None of these three levels is automatically legally binding for mid-sized companies. But that is changing.
Who Must Act Now: NIS2 and BSIG
Since the passage of Germany's NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), a significantly larger group of companies is legally required to implement "appropriate technical and organizational measures." The law does not name a specific framework but mandates the "state of the art" as a binding standard.[3]
In practice, this means: companies classified as "important entities" or "essential entities" under NIS2 must demonstrate that their measures reflect the current state of the art. BSI Grundschutz is recognized as valid evidence for this, because the BSI itself is the authority that would conduct an audit in a dispute.
Covered are companies with 50 or more employees or annual revenue exceeding 10 million euros in defined sectors, including energy, transport, healthcare, digital infrastructure, chemicals, and mechanical engineering. An estimated 29,000 German companies fall under this regulation for the first time.[3]
For operators of critical infrastructure (KRITIS) under Section 8a BSIG, the obligation to implement the state of the art was already established in law earlier. There, BSI Grundschutz has been the de facto standard for years.
Practical implication: If your company operates in one of the NIS2 sectors and has more than 50 employees, you are not required to obtain a BSI Grundschutz certificate. You are, however, required to implement measures that conform to a recognized security framework. The BSI recommends Basic Protection as a proven starting point.[4]
The Three Priority Areas: What Comes First
Regardless of the formal certification path, three areas should be prioritized in any BSI Grundschutz consulting engagement for mid-sized companies.
1. Structural Analysis and Protection Needs Assessment
Without a structural analysis, every subsequent measure is guesswork. The structural analysis captures all relevant business processes, applications, IT systems, networks, and facilities. The protection needs assessment evaluates what the consequences of a failure or compromise would be.
Many mid-sized companies have never documented this step. They know their systems, but not their protection requirements. This is the most common finding in BSI Grundschutz consulting engagements for companies of this size.
Before BSI Grundschutz Consulting (typical starting point):
- IT inventory: Excel spreadsheet from last year, 40% outdated
- Critical applications: "somehow the ERP and email"
- Protection needs analysis: not available
After the First Consulting Phase:
- Information network: 12 business processes, 34 applications, 87 IT systems
- ERP system protection level: HIGH (availability, confidentiality), NORMAL (integrity)
- Email server protection level: NORMAL (all baseline values)
- Protection needs assessment: fully documented, last updated: 2026-05-14
This difference is not academic. It is the prerequisite for everything that follows.[4]
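As an added illustration (not part of the original article or any BSI tool), the following Python models a small information network and derives each IT system's protection level from the applications it hosts. It assumes the maximum principle and the cumulation effect from BSI Standard 200-2; the system names, the sample inventory, and the review threshold are constructed values.

```python
from dataclasses import dataclass
# Protection levels in ascending order and the three protection goals (BSI Standard 200-2).
LEVELS = ("NORMAL", "HIGH", "VERY_HIGH")
GOALS = ("confidentiality", "integrity", "availability")
@dataclass
class Application:
    name: str
    needs: dict    # need per goal, e.g. {"availability": "HIGH"}; missing goals count as NORMAL
    runs_on: list  # IT systems (constructed names) this application depends on

def max_level(levels):
    """Highest of the given levels; NORMAL if the list is empty."""
    return max(levels, key=LEVELS.index, default="NORMAL")

def derive_system_needs(applications):
    """Maximum principle (BSI 200-2, assumed here): an IT system inherits,
    per goal, the highest need of any application that runs on it."""
    systems = {}
    for app in applications:
        for system in app.runs_on:
            per_goal = systems.setdefault(system, {g: [] for g in GOALS})
            for goal in GOALS:
                per_goal[goal].append(app.needs.get(goal, "NORMAL"))
    return {s: {g: max_level(v) for g, v in goals.items()} for s, goals in systems.items()}

def cumulation_candidates(applications, threshold=3):
    """Systems hosting >= threshold applications, flagged for manual review:
    several NORMAL applications on one host can add up to a HIGH need
    (cumulation effect). The threshold is a constructed value, not a BSI figure."""
    count = {}
    for app in applications:
        for system in app.runs_on:
            count[system] = count.get(system, 0) + 1
    return sorted(s for s, n in count.items() if n >= threshold)

def format_needs(needs):
    """Render in the article's style: 'HIGH (availability, confidentiality), NORMAL (integrity)'."""
    by_level = {}
    for goal, level in needs.items():
        by_level.setdefault(level, []).append(goal)
    ordered = sorted(by_level, key=LEVELS.index, reverse=True)
    return ", ".join(f"{lvl} ({', '.join(sorted(by_level[lvl]))})" for lvl in ordered)

# Constructed sample inventory, not real company data.
APPS = [
    Application("ERP", {"confidentiality": "HIGH", "availability": "HIGH"}, ["srv-erp-01", "db-01"]),
    Application("Email", {}, ["srv-mail-01"]),
    Application("HR", {"confidentiality": "HIGH"}, ["db-01"]),
]
```

With the sample inventory, `format_needs(derive_system_needs(APPS)["srv-erp-01"])` reproduces the ERP line above, and `cumulation_candidates(APPS, threshold=2)` flags `db-01` because two applications share it.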
2. Implementation of Basic Measures
The BSI's Basic Protection level covers approximately 47 measures across four central module groups:
- ISMS (Security Management): Policy, responsibilities, review processes.
- ORP (Organization and Personnel): Security guidelines, training, onboarding.
- CON (Concepts and Procedures): Data protection, cryptography concept, deletion concept.
- OPS (Operations): Patch management, data backup, logging.
Many of these measures are not technical projects. They are documentation tasks with a technical implementation component. A patch management concept can be drafted in an afternoon. The gap is usually not the technology; it is the absence of a written record of the current state.
3. Incident Management and Recovery Planning
The IT-Grundschutz Compendium includes dedicated modules for business continuity management (DER 4). For companies subject to NIS2, incident management is explicitly listed as a mandatory component.[3] A minimal incident management concept for mid-sized companies includes:
- Recovery time objectives (RTO) for critical systems.
- A data backup concept with regularly tested restoration procedures.
- A communication plan for crisis situations.
Documentation as the Foundation: The Diataxis Principle
In BSI Grundschutz projects, companies rarely fail because of the technology. They fail because of documentation: security measures are implemented but six months later nobody can reconstruct how, why, or with what protection level in mind.
The Diataxis framework (Daniele Procida) distinguishes four documentation types: Tutorials, How-to Guides, Reference, and Explanation.[5] Applied to BSI Grundschutz:
- Reference: The Grundschutz Compendium itself, the risk register, the structural analysis.
- How-to Guides: Step-by-step instructions for recurring tasks such as the annual protection needs update or deploying security patches.
- Explanation: Why is the ERP server rated HIGH? What are the concrete consequences of an outage? Without these explanations, security documents lose their context the moment the person who wrote them leaves the company.
- Tutorials: Onboarding new employees into the ISMS, training materials for security policies.
Any documentation without a working example is documentation that will not be used. For a backup concept, that means: no concept without a documented restore test. For a patch management concept: no concept without a test log from the last rollout.
What You Can Defer
The following elements are not an immediate mandatory requirement for most mid-sized companies:
- Full Standard Protection covering all 111 modules.
- ISO-27001 certification (recommended, but not mandated by NIS2).
- Core Protection (relevant only once critical assets have been clearly identified).
- Formal BSI Grundschutz certification (not a legal requirement for non-KRITIS organizations).
These items are not unnecessary. They are the second step, not the first.
The Pragmatic Starting Point: Six Months, Three Phases
A realistic BSI Grundschutz consulting engagement for a mid-sized company with 50 to 250 employees follows this timeline:
Phase 1 (Months 1 to 2): Structural analysis, protection needs assessment, information network documentation. Output: complete asset inventory with protection levels.
Phase 2 (Months 3 to 4): Modeling under Basic Protection, IT-Grundschutz check, identification of gaps. Output: prioritized list of measures.
Phase 3 (Months 5 to 6): Remediation of critical gaps, incident management concept, training. Output: documented ISMS at Basic Protection level, demonstrably NIS2-compliant.
This is not an ambitious program. It is the minimum that holds up under an audit.
Conclusion
BSI Grundschutz is not a legal requirement in the strict sense for most mid-sized companies. For organizations subject to NIS2, however, it is the clearest path to demonstrating compliance with the "state of the art." A company that has completed the structural analysis, implemented the basic measures, and documented an incident management concept is not certified, but it is in a defensible position.
The most common mistake is not doing too little. The most common mistake is doing it without documentation and then being unable to prove what was done when the first audit arrives.
If you want to know where your company stands today and what the next concrete step is, talk to us about an initial BSI Grundschutz consulting engagement.
Sources
[1] Federal Office for Information Security: IT-Grundschutz Compendium Edition 2023. Bonn, 2023. https://www.bsi.bund.de/grundschutz
[2] Federal Office for Information Security: BSI Standard 200-2, IT-Grundschutz Methodology, Version 1.0. Bonn, 2017. https://www.bsi.bund.de/grundschutz/bsi-standards/bsi-standard-200-2
[3] Federal Ministry of the Interior and Community: NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), Draft. Berlin, 2024. https://www.bmi.bund.de/nis2
[4] Federal Office for Information Security: IT-Grundschutz Methodology, Basic Protection. Bonn, 2021. https://www.bsi.bund.de/grundschutz/vorgehensweise/basis-absicherung
[5] Daniele Procida: Diátaxis, A Systematic Framework for Technical Documentation. 2021. https://diataxis.fr