‘opus i BSI - IT-Grundschutz’ supports you in creating and maintaining an Information Security Management System (ISMS) based on the BSI Standards 100-1 to 100-3.
Optimize your IT Security Management activities
The BSI - IT-Grundschutz is a fully prepared ISMS. You only have to know the assets you want to protect!
If you use opus i to manage the requirements of the BSI - IT-Grundschutz, opus i AUTOMATICALLY provides all acting threats, the necessary safeguards and even the risk treatment plan.
IT Security law?
Are you here because of the IT Security law and want to use the BSI-Grundschutz (ISO-27001)?
With opus i you can work through the requirements of the law with guided support, and for a fantastic price. Let's look at it together: Online-Presentation
opus i fully covers the demands of the "IT-Grundschutz" from the German BSI-Standard 100-1, 100-2 and 100-3. At this point we want to show you how easy creating an ISMS according to "IT-Grundschutz" is.
Many administrators, IT security officials, heads of IT or Data Protection Officials believe that the creation of an IT security concept is complicated and that vast IT security knowledge is needed. That is not the case, because IT-Grundschutz is based on modules, and these modules are the basis for the automatic creation of the concept. You only need to use the correct modules, and we are certain you can do that - opus i helps you. Let us begin:
Entering the team members (employees, perhaps also external persons)
An Information Security Management System only works if it is created, maintained and lived within a team. The team members have certain knowledge and act as safeguard initiators (who give the work order for implementation) and safeguard implementers (safeguard editors). In the first step we enter the members of the ISMS team in the master data folder (resource folder, asset folder), for example together with their communication data (phone, fax, e-mail address, ...).
Assigning the roles
There are more than 1300 safeguards in IT-Grundschutz that should help to reduce the probability of occurrence of threats (a threat consists of a risk and an existing vulnerability). Fortunately the Bundesamt für Sicherheit in der Informationstechnik (BSI) has determined for every safeguard who should initiate and who should implement it. The BSI divides the responsibilities into about 80 "roles": administrator, Data Protection Official, etc.
All roles are now assigned to the team members in a dialog window of opus i. Team members often have several roles. opus i shows you which roles are not yet assigned.
Entering the assets
We want to protect our assets from damage (data theft, unauthorized data access, loss of the help desk team, etc.) with the ISMS. For these assets to be completely protected, all objects (in IT-Grundschutz we talk of target objects) have to be known and entered in opus i. Do not be surprised: buildings, rooms, external service contractors or multi-function devices are also considered assets, because they are needed for the task "Applying for EU capital". Now you enter all objects involved in the scope. But we do not enter 200 individual PCs; we group them to keep the maintenance effort low. The same is valid for all other object types, e.g. servers or virtual servers. Grouping can be done according to several criteria: installed operating systems, computer configuration, different protection requirements, usage in processes, etc. That is not complicated. Target objects that always need to be entered are: buildings, rooms, the network, network elements like switches and routers, servers, virtual servers, computers and finally what is to be protected, the application systems and their data. In opus i we enter these objects via a right-click and the corresponding entry dialog into the provided "master data folders" for buildings, rooms, computers etc.
Assigning the protection requirement
In IT-Grundschutz we have to determine and document the protection requirement for confidentiality, integrity and availability (CIA) for the applications and their data. For the other objects we do NOT need to do this. We only have to determine for the "network" whether it has an outside connection (usually YES). In the next step we model: we assign the modules of the IT-Grundschutz to the entered objects (the buildings, rooms, computers, etc.).
Modelling the objects
You don't need to know which modules are assigned where - opus i knows that. You open the editing dialog of every object and select the correct object properties in the properties list. opus i assigns the modules based on these properties. Examples: a computer may have the properties "Server under Windows 2008 + Virtualization"; an application often has the property "Database application".
Now there is only one step left to "complete your ISMS" - we connect the objects entered in the master data folder - we create the IT domain.
Creating the IT domain
We build the IT domain by adding the objects from the master data folder. The different objects are referenced in the IT domain in a realistic way, as shown in the image. By creating the IT domain we also determine the interdependencies of the objects at the same time. The image shows, for example, that the application "A01 Application Server monitoring" is connected to a computer in the IT department and to a server in the data center. By using the IT domain we can transfer the protection requirement of the applications to all involved objects. This is done via a mouse click in a popup menu that can be opened via the top-level IT domain object.
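The transfer of the protection requirement along the dependencies of the IT domain can be shown in a few lines. The following is an added example and not code from opus i; it assumes the maximum principle of BSI Standard 100-2 as the inheritance rule (an object's requirement is the highest requirement of any application relying on it), and the object names and CIA levels in the sample domain are constructed, not taken from a real installation.

```python
from dataclasses import dataclass, field

# Protection requirement levels used in IT-Grundschutz, ordered from low to high
LEVELS = ["normal", "high", "very high"]

@dataclass
class TargetObject:
    name: str
    kind: str                                       # "application", "server", "room", ...
    cia: dict = field(default_factory=dict)         # own CIA requirement (applications only)
    depends_on: list = field(default_factory=list)  # names of objects this one relies on

def inherit_protection_requirement(objects):
    """Transfer each application's CIA requirement to every object it depends on,
    transitively, by the maximum principle (BSI Standard 100-2): an object's requirement
    is the highest one of any application relying on it. Returns the resulting levels
    per object and, per goal, the application that drove the level (for the auditor)."""
    by_name = {o.name: o for o in objects}
    result = {o.name: {**dict.fromkeys("CIA", "normal"), **o.cia} for o in objects}
    reason = {o.name: {} for o in objects}
    for app in (o for o in objects if o.kind == "application"):
        stack, seen = list(app.depends_on), set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue            # objects are shared between paths; visit each once
            seen.add(name)
            for goal, level in app.cia.items():
                if LEVELS.index(level) > LEVELS.index(result[name][goal]):
                    result[name][goal] = level
                    reason[name][goal] = app.name
            stack.extend(by_name[name].depends_on)
    return result, reason

# Constructed sample IT domain (hypothetical object names, not data exported from opus i)
DOMAIN = [
    TargetObject("A01 Application Server monitoring", "application",
                 {"C": "normal", "I": "high", "A": "high"}, ["PC IT department", "Server data center"]),
    TargetObject("A02 Applying for EU capital", "application",
                 {"C": "very high", "I": "high", "A": "normal"}, ["Server data center"]),
    TargetObject("PC IT department", "computer", depends_on=["Room IT office"]),
    TargetObject("Server data center", "server", depends_on=["Room data center", "Network"]),
    TargetObject("Network", "network"),
    TargetObject("Room IT office", "room", depends_on=["Building main"]),
    TargetObject("Room data center", "room", depends_on=["Building main"]),
    TargetObject("Building main", "building"),
]
```

Running `inherit_protection_requirement(DOMAIN)` shows why the shared server, the data center room and even the building end up at "very high" confidentiality although only one application demands it.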
With these six steps:
Entering the team members, assigning the roles, entering the assets, assigning the protection requirement, modelling the objects and creating the IT domain, you have created your IT security concept (your ISMS). This IT security concept is not a document but consists of the sum of all risks acting against the IT domain and the safeguards listed in the IT domain. Our task is now to open every IT domain object (double-click) and edit the safeguards listed in the object. A safeguard may be "Closed windows and doors". What is demanded in the safeguard is listed in the safeguard description, which you can open via double-click on the safeguard title.
First look at every IT security safeguard in the IT domain and check if the safeguard is already implemented. Mark those as implemented. The German BSI considers this documentation of the current state as the Base Security Check.
For the remaining safeguards you decide which safeguards are to be implemented and in which order.
Getting the certificate according to IT-Grundschutz based on the ISO 27001
If you want to be certified additional steps are necessary. We are going to upload small clips to YouTube to explain these steps. Thanks for your interest.