Germany IT-Grundschutz workbook

Germany IT-Grundschutz workbook overview

To help organizations secure IT systems, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created a baseline set of standards for protecting information technology (in German, IT-Grundschutz). These standards consist of:

  • BSI Standard 200-1 defines an an information security management system (ISMS) based on ISO/IEC 27001
  • BSI Standard 200-2 describes how to set up and operate an ISMS according to the IT-Grundschutz methodology
  • BSI Standard 200-3 contains all risk-related tasks
  • The IT-Grundschutz Catalogues describe potential threats and safeguards for typical business environments

Microsoft and IT-Grundschutz workbooks

To help you achieve your IT-Grundschutz certification, Microsoft Germany has published the IT-Grundschutz Compliance workbooks for solutions and workloads deployed on Azure, Dynamics 365, and Office 365. Developed by HiSolutions AG, an independent consulting and auditing firm in Germany, the workbooks are based on IT-Grundschutz Catalogue 2021, which includes modules covering internet and cloud usage, such as OPS.2.2 Cloud Usage, and updates to the IT-Grundschutz Catalogue from 2023.

These workbooks can help you implement the IT-Grundschutz methodology within the scope of your existing or planned ISO/IEC 27001 certification. They describe how to apply the IT-Grundschutz methodology to applications in the cloud and outline how to implement all audit-relevant safeguards from the IT-Grundschutz module OPS.2.2 Cloud Usage. The workbooks also provide information about implementing the BSI Minimum Standard on the Usage of External Cloud Services for German federal authorities.


  • Azure

Services in scope

  • Azure
  • Dynamics 365
  • Office 365

Attestation documents

Frequently asked questions

Can I use the Microsoft IT-Grundschutz Compliance workbooks to help my organization comply with IT-Grundschutz?
Yes. The purpose of the workbooks is to help you use Microsoft cloud services to implement the IT-Grundschutz methodology within the scope of your existing or planned ISO/IEC 27001 certification based on IT-Grundschutz.

What's the difference between the IT-Grundschutz and C5 catalogues?
The IT-Grundschutz supplies the specific methodology to help organizations identify and implement security measures for IT systems, and is one of the elements upon which the Cloud Computing Compliance Criteria Catalogue (C5) standard is built. C5 is an auditing standard from BSI that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. For more information, see Azure C5:2020 documentation.