Germany IT-Grundschutz workbook

Germany IT-Grundschutz workbook overview

To help organizations secure IT systems, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created a baseline set of standards for protecting information technology (in German, IT-Grundschutz). These standards consist of:

  • BSI Standard 200-1 defines an information security management system (ISMS) based on ISO/IEC 27001
  • BSI Standard 200-2 describes how to set up and operate an ISMS according to the IT-Grundschutz methodology
  • BSI Standard 200-3 contains all risk-related tasks
  • The IT-Grundschutz Catalogues describe potential threats and safeguards for typical business environments

Azure and IT-Grundschutz workbook

To help you achieve your IT-Grundschutz certification, Microsoft Germany has published the IT-Grundschutz Compliance workbook for solutions and workloads deployed on Azure. Developed by HiSolutions AG, an independent consulting and auditing firm in Germany, the workbook is based on IT-Grundschutz Catalogues v.15, which includes modules covering internet and cloud usage, such as M 1.17 Cloud Usage.

This workbook can help you implement the IT-Grundschutz methodology within the scope of your existing or planned ISO/IEC 27001 certification. It describes how to apply the IT-Grundschutz methodology to applications in the cloud and outlines how to implement all audit-relevant safeguards from the IT-Grundschutz module, M 1.17 Cloud Usage.


  • Azure

Attestation documents

  • IT-Grundschutz Compliance workbook (German)

Frequently asked questions

Can I use the Microsoft IT-Grundschutz Compliance workbook to help my organization comply with IT-Grundschutz?
Yes. The purpose of the workbook is to help you use Azure services to implement the IT-Grundschutz methodology within the scope of your existing or planned ISO/IEC 27001 certification based on IT-Grundschutz.

What's the difference between the IT-Grundschutz and C5 catalogues?
The IT-Grundschutz supplies the specific methodology to help organizations identify and implement security measures for IT systems, and is one of the elements upon which the Cloud Computing Compliance Criteria Catalogue (C5) standard is built. C5 is an auditing standard from BSI that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. For more information, see Azure C5:2020 documentation.