The ISA99 WG4 was discussing a security methodology called BSI IT grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog.

UPDATE: A link to the English version of IT grundshutz courtesy of Stephan Beirer.

For the fast reader

  • The IT grundschutz methodology is not directly applicable to complex integrated (industrial automation) systems.
  • However, its extensive catalogues can be helpful when implementing security measures on those systems.
  • An IT grundschutz like manual is not conducive to standardization.
  • Proposed usage for ISA-SP99 WG4: Decide on what elements to use from the IT grundschutz later when WG4 has its processes and risk analysis worked out.

BSI is not BSI (the British Standards Institution) and successful initiator of the world renowned ISO/IEC 17799 later became the ISO 27000 series. Lately the German Infosec Agency (in German “Bundesamt für Sicherheit in der IT, until then internationally labeled ‘GISA’ for German InfoSec Agency to avoid confusion) calls itself ‘BSI’ even outside of Germany, reviving the old confusion.

The IT grundschutz never made it against the ISO/IEC 17799 and 27000 series. As proof for the respective acceptance, e.g., a hit count for “grundschutz” vs “ISO 27001” results in 101,000 versus 2,380,000 hits on google.

However, it is security insider savvy:

  • to use ISO/IEC 17799 and 27000 series for the processes and determination of controls, and then
  • look up in the Grundschutz (and elsewhere) the applicable technical implementation of the controls

Indeed, the IT grundschutz has value: it is to my knowledge the largest paper collection and probably the single largest structured collection of individual threats and controls on the internet.

However, the technical implementation knowledge proposed by the IT grundschutz is largely derived from other sources, in particular manufacturer product data and experience using it. Being derived, there is a considerable time lag in updating, if updating of the IT grundschutz is systematic at all. Being derived, the IT grundschutz will never be up-to-date.

This brings me to a conclusion xxx and others at ISO/IEC seemed to agree on:
Detail technical controls and their implementation cannot be standardized. They are product and time dependent, and good for inclusion in a Technical Report at best (a TR, using ISO/IEC terminology is good only for a few years).

The IT grundschutz was proposed to ISO/IEC for many years as an opponent to ISO/IEC 17799 and ISO 27001 but never accepted, mainly for above reasons.

Philosophy of the IT grundschutz

The IT grundschutz is well known to me: I worked at the German BSI (German Information Security Agency – GISA) and witnessed its growth from 25 pages to some 3000 pages in 2005.

It is directed towards IT security in an average (government) office setting, “protection requirement which applies to most IT systems”.

Its initial philosophy was (in about 1990): Why do a risk analysis? Just implement all available measures. At the time all these measures were contained in 25 pages.

This philosophy had to be abandoned, of course, and led to the present underlying risk mitigation philosophy which is (simplified):

  • establish all assets; for each of these
  • choose from the a catalogue of threats
  • evaluate the level of required protection
  • choose the measures from a catalogue

The IT grundschutz covers all possible areas in great extent, including security management and extension to certification.

In larger organizations, this is leading to extensive bureaucratic security management which can only be handled by supporting IT applications.

By adopting ISO 27000 the world has decided to standardize processes only. This is in recognition of its particularity: security is a never ending battle.

Security measures cannot be ‘cast in concrete’ – remember Maginot

– Hans Daniel