
Grundschutz++: The Next Step by the BSI Towards a Modern ISMS

The BSI presented Grundschutz++ at an event: the previous “IT” Grundschutz is now a thing of the past. In future, it will simply be called Grundschutz, because security goes far beyond IT.

The BSI recently presented Grundschutz++ at an event I attended, providing exciting insights into the planned changes. What became clear: the traditional “IT” Grundschutz belongs to the past – going forward, it will simply be called Grundschutz, because security extends far beyond IT alone.

 

Key Innovations at a Glance:

  • Significantly reduced requirements – around 85% fewer, achieved through consolidation and clear “must/should/may” classifications.

  • Clear mapping – requirements are categorized into practices such as ISMS, technical, and organizational areas: approx. 450 technical, 380 organizational, and 100 ISMS requirements.

  • Target object instead of building blocks – requirements will directly address information, systems, network elements, applications, locations, procurement, or users. The old building blocks – and with them the traditional modeling – will no longer exist.

  • Revised methodology – Grundschutz++ will be conceptually further developed and made more practical.

  • Open & digital – instead of the traditional IT compendium, there will be a GitHub repository of requirements, including machine-readable formats (e.g., JSON).

 

Roadmap:

  • 01.10.2025: First release of the repository reflecting the state of the art.

  • End of 2025 / early 2026: Consolidation including methodology; certifications according to GS++ possible.

  • End of 2028 / early 2029: End of the transition period from the old methodology to Grundschutz++.

 

My impression: With Grundschutz++, things will become simpler, clearer, and more digital.

What’s your take – is this a major step into the future, or just a new name for old problems?

Frequently asked questions

In the long term, IT-Grundschutz++ will replace the current IT-Grundschutz. However, there will be an extended transition period during which both will remain valid in parallel.

As before, trainings will be offered by external providers. A concrete timeline for new formats and certifications has not yet been defined.

No, a new Grundschutz tool from the BSI, as once existed in the past, is not planned.

The official repository will be published on 01.10.2025.

The BSI is currently evaluating different options. No binding decision has been made yet.

  • Part 1: Requirements and measures – first release on 01.10.2025.

  • Part 2: Methodology (BSI standard) – first version by 01.01.2026, pilot phase until February 2026, followed by iterative updates.

  • Final version: End of 2026.

  • Certification according to the new methodology: Starting 2027.

The IT-Grundschutz Compendium 2023 remains valid until 2027 and available until 2029. The transition period runs until 2029 – accompanied by major changes in approach and methodology.

The GS++ methodology will be presented as an alpha version at the it-sa trade fair. Further detailed guidelines from the BSI will follow.

Yes, compatibility with ISO 27001 will remain. Grundschutz++ will not decouple from it.

Modeling will always refer to a specific version in the repository, as requirements and measures will be continuously updated.

No. Participation requires no specific qualifications. Active contribution is sufficient, and registration is handled through the editors.

No, Business Continuity Management (BCM) is not included in the GS++ certification scope. Since BCM is an independent management system, it will not be part of ISMS certification under Grundschutz++.
