SECURITYSQUAD
Back to the blog

ISO 27001 based on IT-Grundschutz: the path to certification

2026-05-14 · by SECURITYSQUAD

ISO 27001 based on IT-Grundschutz: the path to certification

A certificate on the wall doesn't make an organisation secure. Still, certification to ISO 27001 based on IT-Grundschutz is a worthwhile goal for many companies and public authorities – not for the seal, but for the journey there. Because that journey forces you to build information security systematically, rather than leaving it to chance.

What makes the BSI variant special

Plain ISO 27001 describes what an information security management system must achieve, but leaves a lot of room on the how. The BSI's IT-Grundschutz fills exactly that gap: it provides concrete building blocks and measures for typical components – from servers and the cloud to the mobile workplace. For customers, certification under this scheme means that an independent, accredited auditor has verifiably examined security, at a clearly defined level.

The path in four stages

The typical process can be roughly divided into four phases:

  1. Positioning: where do you stand, what's missing? A gap analysis shows the distance to the target state.
  2. Build-up: define the scope, assess risks, create measures and documentation.
  3. Live it: the ISMS has to work in daily operations – this is where it's decided whether certification holds up or becomes a façade.
  4. Audit: the independent review, first of the documentation, then on site.

Where projects typically get stuck

In practice, it rarely fails on the technology. More often, there's no time to truly live the ISMS, or the documentation grows into a bureaucratic monster that nobody maintains. Both can be avoided by scoping appropriately from the start and keeping processes lean enough to actually work in operations.

The benefit beyond the seal

Those who follow the path consistently gain more than a certificate: clear responsibilities, documented processes and an improvement cycle that also catches new risks. And not least, the proof builds trust with customers, partners and supervisory authorities.

As certified ISO 27001 lead auditors, we know what matters in the preparation – and where effort can be saved.

Read more: Our certifications · Expertise & Services · Cyber Risk Check