Skip to content
QubeLogix

IT-Grundschutz Basic Protection: Germany's Pragmatic Security Entry Point for SMEs

Basic Protection (Basis-Absicherung) is the entry-level track of Germany's BSI IT-Grundschutz methodology under Standard 200-2: a company implements only the mandatory baseline requirements of the applicable security modules, skipping the full protection-needs assessment. Small companies typically reach a solid, defensible level of information security in 2 to 4 months. Optional proof is an IT-Grundschutz Testat valid for two years — explicitly not an ISO 27001 certificate.

By Rudolf Schwartz — Founder & Engineer at QubeLogix · Last updated July 15, 2026

What Basic Protection is

BSI Standard 200-2 — published by Germany's Federal Office for Information Security (BSI) — defines three implementation tracks for building information security: Basic, Core, and Standard Protection. Basic Protection is the deliberately simplified entry point. Instead of modeling your entire information domain and assessing the protection needs of every system, you implement the baseline requirements of the applicable modules from the IT-Grundschutz Compendium — the mandatory (MUST) requirements the BSI has prioritized to deliver the largest security gain for the least effort.

The Compendium contains more than 100 modules across ten layers — from organizational topics (ORP, ISMS) through operations (OPS) to concrete systems (SYS), networks (NET), and applications (APP). For a small company, only a subset applies: which modules are relevant follows from your actual IT — existing servers, clients, cloud services, network, remote work. The BSI publishes its Basic Protection guide as a free download; the methodology itself costs nothing, only the implementation does.

Why not go straight to ISO 27001?

ISO 27001 is risk-based and top-down: you have to analyze and rate your own risks and derive controls from them — which requires methodological expertise that a 10-person company rarely has in-house. IT-Grundschutz works the other way around, bottom-up, with a concrete German catalog of controls: the BSI has already done the risk analysis for typical components and tells you what to do. For SMEs without a dedicated security team, that is the more practical route.

The financial gap is also significant: a native ISO 27001 rollout typically costs an SME around €25,000 to €40,000 in the first year, based on common consulting rates in the German market. Externally guided Basic Protection is quoted at roughly €10,000 to €30,000 depending on the source — the ranges vary, but they are consistently lower. Important: the two worlds are not mutually exclusive. IT-Grundschutz is a recognized methodology for implementing ISO 27001; if you decide to certify later, you build on the work already done instead of starting over.

How it works in practice: sequence and work packages

A clean stepwise path for SMEs looks like this: start with a CyberRisikoCheck under DIN SPEC 27076 (roughly one to two hours of interviews plus evaluation, usually billed as one consulting day) to establish where you stand. Then WiBA — the BSI's "path into Basic Protection," a free set of checklists with audit questions explicitly designed to be usable without any methodology knowledge. After that comes Basic Protection itself, optionally with a Testat (attestation). Companies that need more later move on to Standard Protection.

Basic Protection itself breaks down into manageable work packages: define the scope (which part of the company is covered), inventory your IT, select the applicable modules, check the baseline requirements against the current state, prioritize and close the gaps, and document the result concisely. The labor-intensive protection-needs assessment is largely omitted at this level — which is exactly what makes the entry realistic for small organizations.

QubeLogix supports this path as an implementation partner: Rudolf Schwartz is a certified BSI IT-Grundschutz Practitioner and IT Security Auditor (TÜV) and structures the methodology, moderates the module selection, and helps implement technical measures. The division of roles is clear: QubeLogix enables and guides — attestations and certificates are always issued by an external, BSI-certified auditor or by the BSI itself.

The proof: the IT-Grundschutz Testat — and its limits

If customers or contracting authorities demand proof, Basic Protection has the IT-Grundschutz Testat (introduced in 2019) — an attestation issued exclusively by a BSI-certified IT-Grundschutz auditor. It is valid for two years and cannot be renewed, though a new Testat can be requested at any time. The procedure is compact: document review and audit plan (roughly 1–2 person-days), on-site audit with closing meeting (roughly 1–2 person-days), audit report and Testat (roughly 0.5–1 person-day). According to consultant estimates, total external audit costs run around €2,700 to €7,500 — a market benchmark, not an official price.

The honest assessment: the Testat is not a certificate, and its weight is often overestimated. An ISO 27001 certificate based on IT-Grundschutz requires the Standard Protection track (or Core Protection) — Basic Protection alone does not qualify. If you need to present an ISO 27001 certificate in tenders, you should know that from day one and plan the path accordingly, rather than changing course after two years.

Costs, timeline, and funding

For a small company, plan on roughly 2 to 4 months for Basic Protection — a typical market figure, not a guarantee, and one that depends heavily on company size, the IT landscape, and internal availability. Externally guided implementation for SMEs is commonly quoted at around €10,000 to €30,000 depending on the source; Standard Protection including certification, at roughly €40,000 to €120,000, plays in an entirely different league.

QubeLogix deliberately prices below these market ranges because it operates as a one-person business without overhead: the information security quick check starts at a flat €1,900, guided implementation of ISMS foundations including NIS2 orientation runs €6,000 to €14,000, ongoing support starts at €900 per month, and the consulting day rate is €1,000 to €1,200 (all prices net; no VAT under §19 of the German VAT Act). An external Testat, if desired, comes on top.

On funding: depending on the German federal state, grant programs for IT security consulting in SMEs exist — in North Rhine-Westphalia, for example, the MID – Digitale Sicherheit program. Conditions and program status change constantly, however; check the current state before commissioning, or raise the topic in the initial consultation.

What Basic Protection means for NIS2

Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since December 6, 2025, with no transition period; the three-month registration deadline via the BSI's MUK portal expired on March 6, 2026. Roughly 29,500 companies are now under BSI supervision — up from about 4,500 before. Violations carry fines of up to €10 million or 2% of global revenue. Many SMEs are not directly in scope but face the requirements anyway as suppliers, through security questionnaires from their customers.

To be clear: Basic Protection does not make you NIS2-compliant. NIS2 requires, among other things, your own risk management, incident reporting processes, and demonstrable management accountability — that goes beyond the baseline requirements. But it is the right foundation: a company that has implemented and documented the baseline requirements can answer customer questionnaires substantively and builds NIS2-adjacent structures on ordered ground instead of starting from zero.

When you don't need Basic Protection

Honestly: not every company needs this step right now. If you are one to five people, work exclusively with standard cloud services, and no customer is demanding proof, a CyberRisikoCheck under DIN SPEC 27076 plus implementing its recommendations is often the better first step — faster, cheaper, and without the documentation apparatus. You can also work through the BSI's free WiBA checklists entirely on your own; no one needs a service provider for that.

The reverse also holds: if a major customer explicitly requires an ISO 27001 certificate, Basic Protection is a detour — plan the path via Standard Protection or a native ISO rollout from the start. Basic Protection is the right choice for the middle ground: companies that want to reach a structured, demonstrable baseline without the overhead of certification. It is a starting point, not a finish line — and that is exactly how you should plan for it.

Frequently asked questions

Frequently asked questions
Is there a certificate for Basic Protection?

No certificate — but an attestation. Once Basic Protection is implemented, a BSI-certified IT-Grundschutz auditor can issue an IT-Grundschutz Testat. It is valid for two years and cannot be renewed; after that, a new attestation procedure is required. An ISO 27001 certificate based on IT-Grundschutz, by contrast, requires the Standard Protection track, not Basic Protection.

Is Basic Protection enough for NIS2 compliance?

No. Germany's NIS2 implementation act (in force since December 6, 2025) requires, among other things, dedicated risk management, incident reporting processes, and management accountability — Basic Protection alone does not deliver that. It is, however, a solid technical and organizational foundation on which the NIS2 requirements can be built far faster than on unstructured IT.

What does Basic Protection cost for an SME?

Externally guided Basic Protection for small companies typically runs about €10,000 to €30,000, based on consultant sources in the German market. QubeLogix offers a quick check from €1,900 (flat fee) and guided implementation of ISMS foundations for €6,000 to €14,000; the consulting day rate is €1,000 to €1,200 (net, §19 German VAT Act). An optional external Testat adds roughly €2,700 to €7,500, per consultant estimates.

Can we implement Basic Protection ourselves, without a consultant?

For getting started, yes: the BSI's free WiBA program ("path into Basic Protection") provides checklists with audit questions explicitly designed to be usable without methodology knowledge. The BSI's free Basic Protection guide describes the further process. External support pays off mainly when no one internally has time to structure the work, or when a Testat is needed as formal proof.

How long does implementing Basic Protection take?

For a small company, typically 2 to 4 months — a common market figure from consultant sources, not a guarantee, and heavily dependent on the number of IT systems, existing documentation, and internal availability. The upstream CyberRisikoCheck under DIN SPEC 27076 is much faster: roughly one to two hours of interviews plus evaluation, usually billed as a single consulting day.

What distinguishes Basic, Core, and Standard Protection?

BSI Standard 200-2 defines three tracks: Basic Protection implements only the baseline (MUST) requirements of the applicable modules — a fast entry without a full protection-needs assessment. Core Protection fully secures the most critical processes (the "crown jewels") in a targeted way. Standard Protection models the entire information domain and is the prerequisite for ISO 27001 certification based on IT-Grundschutz.

Which task should disappear from your week first?

Contact

Tell us what you are planning, from a first AI assistant to taking over an existing system. You will get an honest assessment within two business days.