Comparison of ISO/IEC 27001 (native) and ISO 27001 based on IT baseline protection
Companies are expected to have appropriately planned, documented and functioning processes that allow information security to be established, controlled and continually improved. If these conditions are met and confirmed by an auditor's inspection on behalf of the certification body, an official certificate can be issued. Such certificates are generally valid for three years before they must be renewed; during the period of validity, annual surveillance audits take place.
Different paths to the IT security standard
ISO 27001 focuses on the information security process itself. The relevant regulations are rather short, comprising fewer than 100 pages of text. The crucial task is to find and implement suitable procedures and measures that reduce the identified and analysed risks to an acceptable level. The standard specifies 133 measures, which are, however, kept quite general. This approach therefore leaves greater leeway for achieving a protection level that fits one's own actual needs. What it requires, though, is working out the highly abstract provisions of the standard in detail and filling them with adequate content. A comprehensive analysis of the risks, and the handling of those risks, is essential, and the effort and resources this demands are considerable.
BSI baseline protection
Of course, ISO 27001 based on BSI baseline protection [IT-Grundschutz], licensed by the German Federal Office for Information Security [Bundesamt für Sicherheit in der Informationstechnik – BSI], also considers information security processes. However, in the baseline protection catalogue [Grundschutzkatalog], which runs to several thousand pages, typical threats have already been evaluated and numerous concrete measures recommended to counteract them adequately, as long as the 'normal' protection need is not exceeded. A separate analysis of threats and risks, and the consideration of additional or different protective measures, is expected only in areas where a higher protection need exists.
There is savings potential in relying on the previously defined measures, since the obligation to perform an extensive risk analysis and to develop one's own measures is omitted. Errors in implementation are avoided through the schematic nature of the approach. In addition, this schematic approach provides objective comparability of the actual level of security achieved.
Overview of differences: ISO 27001 vs. BSI baseline protection
| ISO/IEC 27001 | ISO 27001 based on IT baseline protection |
|---|---|
| Relevant standards < 100 pages | Baseline protection catalogue > 4,000 pages |
| Generic approach | Measure-oriented approach |
| Abstract general conditions | Concrete standards |
| Complete risk analysis | Risk analysis only with elevated protection need |