In addition to standards 200-1 and 200-3, BSI standard 200-2 is an elementary component of the BSI’s IT-Grundschutz methodology. It defines methods of setting up, reviewing, and expanding an information security management system (ISMS). Various procedures are available for basic, standard, or core protection. The standard is compatible with ISO 27001 certification. In 2017, 200-2 replaced BSI standard 100-2.
What is BSI Standard 200-2?
BSI Standard 200-2 and Standards 200-1 and 200-3 are elementary components of the IT-Grundschutz methodology of the German Federal Office for Information Security (BSI). The title of the standard is “IT-Grundschutz-Methodik”. It provides basic principles of the methodology for setting up an information security management system (ISMS – Information Security Management System).
The content includes various procedures for implementing IT-Grundschutz in an institution such as a company or a public authority. The 200-1 and 200-2 standards have a similar structure and allow content to be quickly matched.
Basic IT protection can be implemented via basic protection, standard protection, and core protection. Basic or core protection is particularly suitable for small and medium-sized enterprises (SMEs). The BSI Standard 200-2 can be used not only to set up an ISMS but also to review or extend it.
The standard addresses information security managers, security consultants, security experts, security officers, executives, and project managers. As part of a modernization of the BSI’s basic IT protection methodology, Standard 200-2 replaced the older Standard 100-2.
Objectives and content of BSI Standard 200-2
A central objective of IT-Grundschutz is to reduce the effort required to set up and operate an information security management system. All areas of an institution are considered and appropriate methods are provided to achieve a certain level of IT security. For normal protection needs, the so-called standard safeguarding is sufficient.
The security level of a basic hedge is below that of the standard hedge, but provides a good basis for starting information security management. Particularly critical business processes or information worthy of protection achieve the required high level of security with core assurance. The methodology of BSI Standard 200-2 can be adapted to the various requirements and circumstances of institutions of different sizes. Contents of the standard include:
- Necessary steps for the introduction of an isms
- Creation of a security concept
- Initiation of an information security process
- Establishment of suitable organizational structures
- Creation of the necessary documentation
- Procedures for basic, standard, and core protection
- It baseline protection check
- Implementation of security measures
- Necessary steps and conditions for certification
Brief review of 100-2
The basic IT protection system of the German Federal Office for Information Security was introduced as early as 1994. As part of a modernization process, the three BSI standards 100-1, 100-2, and 100-3, which date back to 2008, were revised. The successor standards were given 200 numbers and appeared in 2017.
In contrast to the old standard 100-2, the successor standard 200-2 allows the choice of three different approaches (basic security, core security, standard security). The term basic security check used in the old standard has been replaced by IT-Grundschutz check. Other adjustments include:
- Consideration of virtualization, internet of things (io t), and cloud computing
- Expanded layer model
- New building blocks
Information Security Asia is the go-to website for the latest cybersecurity and tech news in various sectors. Our expert writers provide insights and analysis that you can trust, so you can stay ahead of the curve and protect your business. Whether you are a small business, an enterprise or even a government agency, we have the latest updates and advice for all aspects of cybersecurity.