IT-Grundschutz Basic Protection: Germany's Pragmatic Security Entry Point for SMEs
Basic Protection (Basis-Absicherung) is the entry-level track of Germany's BSI IT-Grundschutz methodology under Standard 200-2: a company implements only the mandatory baseline requirements of the applicable security modules, skipping the full protection-needs assessment. Small companies typically reach a solid, defensible level of information security in 2 to 4 months. Optional proof is an IT-Grundschutz Testat valid for two years — explicitly not an ISO 27001 certificate.
By Rudolf Schwartz — Founder & Engineer at QubeLogix · Last updated July 15, 2026
What Basic Protection is
BSI Standard 200-2 — published by Germany's Federal Office for Information Security (BSI) — defines three implementation tracks for building information security: Basic, Core, and Standard Protection. Basic Protection is the deliberately simplified entry point. Instead of modeling your entire information domain and assessing the protection needs of every system, you implement the baseline requirements of the applicable modules from the IT-Grundschutz Compendium — the mandatory (MUST) requirements the BSI has prioritized to deliver the largest security gain for the least effort.
The Compendium contains more than 100 modules across ten layers — from organizational topics (ORP, ISMS) through operations (OPS) to concrete systems (SYS), networks (NET), and applications (APP). For a small company, only a subset applies: which modules are relevant follows from your actual IT — existing servers, clients, cloud services, network, remote work. The BSI publishes its Basic Protection guide as a free download; the methodology itself costs nothing, only the implementation does.
Why not go straight to ISO 27001?
ISO 27001 is risk-based and top-down: you have to analyze and rate your own risks and derive controls from them — which requires methodological expertise that a 10-person company rarely has in-house. IT-Grundschutz works the other way around, bottom-up, with a concrete German catalog of controls: the BSI has already done the risk analysis for typical components and tells you what to do. For SMEs without a dedicated security team, that is the more practical route.
The financial gap is also significant: a native ISO 27001 rollout typically costs an SME around €25,000 to €40,000 in the first year, based on common consulting rates in the German market. Externally guided Basic Protection is quoted at roughly €10,000 to €30,000 depending on the source — the ranges vary, but they are consistently lower. Important: the two worlds are not mutually exclusive. IT-Grundschutz is a recognized methodology for implementing ISO 27001; if you decide to certify later, you build on the work already done instead of starting over.
How it works in practice: sequence and work packages
A clean stepwise path for SMEs looks like this: start with a CyberRisikoCheck under DIN SPEC 27076 (roughly one to two hours of interviews plus evaluation, usually billed as one consulting day) to establish where you stand. Then WiBA — the BSI's "path into Basic Protection," a free set of checklists with audit questions explicitly designed to be usable without any methodology knowledge. After that comes Basic Protection itself, optionally with a Testat (attestation). Companies that need more later move on to Standard Protection.
Basic Protection itself breaks down into manageable work packages: define the scope (which part of the company is covered), inventory your IT, select the applicable modules, check the baseline requirements against the current state, prioritize and close the gaps, and document the result concisely. The labor-intensive protection-needs assessment is largely omitted at this level — which is exactly what makes the entry realistic for small organizations.
QubeLogix supports this path as an implementation partner: Rudolf Schwartz is a certified BSI IT-Grundschutz Practitioner and IT Security Auditor (TÜV) and structures the methodology, moderates the module selection, and helps implement technical measures. The division of roles is clear: QubeLogix enables and guides — attestations and certificates are always issued by an external, BSI-certified auditor or by the BSI itself.
The proof: the IT-Grundschutz Testat — and its limits
If customers or contracting authorities demand proof, Basic Protection has the IT-Grundschutz Testat (introduced in 2019) — an attestation issued exclusively by a BSI-certified IT-Grundschutz auditor. It is valid for two years and cannot be renewed, though a new Testat can be requested at any time. The procedure is compact: document review and audit plan (roughly 1–2 person-days), on-site audit with closing meeting (roughly 1–2 person-days), audit report and Testat (roughly 0.5–1 person-day). According to consultant estimates, total external audit costs run around €2,700 to €7,500 — a market benchmark, not an official price.
The honest assessment: the Testat is not a certificate, and its weight is often overestimated. An ISO 27001 certificate based on IT-Grundschutz requires the Standard Protection track (or Core Protection) — Basic Protection alone does not qualify. If you need to present an ISO 27001 certificate in tenders, you should know that from day one and plan the path accordingly, rather than changing course after two years.
Costs, timeline, and funding
For a small company, plan on roughly 2 to 4 months for Basic Protection — a typical market figure, not a guarantee, and one that depends heavily on company size, the IT landscape, and internal availability. Externally guided implementation for SMEs is commonly quoted at around €10,000 to €30,000 depending on the source; Standard Protection including certification, at roughly €40,000 to €120,000, plays in an entirely different league.
QubeLogix deliberately prices below these market ranges because it operates as a one-person business without overhead: the information security quick check starts at a flat €1,900, guided implementation of ISMS foundations including NIS2 orientation runs €6,000 to €14,000, ongoing support starts at €900 per month, and the consulting day rate is €1,000 to €1,200 (all prices net; no VAT under §19 of the German VAT Act). An external Testat, if desired, comes on top.
On funding: depending on the German federal state, grant programs for IT security consulting in SMEs exist — in North Rhine-Westphalia, for example, the MID – Digitale Sicherheit program. Conditions and program status change constantly, however; check the current state before commissioning, or raise the topic in the initial consultation.
What Basic Protection means for NIS2
Germany's NIS2 implementation act (NIS2UmsuCG) has been in force since December 6, 2025, with no transition period; the three-month registration deadline via the BSI's MUK portal expired on March 6, 2026. Roughly 29,500 companies are now under BSI supervision — up from about 4,500 before. Violations carry fines of up to €10 million or 2% of global revenue. Many SMEs are not directly in scope but face the requirements anyway as suppliers, through security questionnaires from their customers.
To be clear: Basic Protection does not make you NIS2-compliant. NIS2 requires, among other things, your own risk management, incident reporting processes, and demonstrable management accountability — that goes beyond the baseline requirements. But it is the right foundation: a company that has implemented and documented the baseline requirements can answer customer questionnaires substantively and builds NIS2-adjacent structures on ordered ground instead of starting from zero.
When you don't need Basic Protection
Honestly: not every company needs this step right now. If you are one to five people, work exclusively with standard cloud services, and no customer is demanding proof, a CyberRisikoCheck under DIN SPEC 27076 plus implementing its recommendations is often the better first step — faster, cheaper, and without the documentation apparatus. You can also work through the BSI's free WiBA checklists entirely on your own; no one needs a service provider for that.
The reverse also holds: if a major customer explicitly requires an ISO 27001 certificate, Basic Protection is a detour — plan the path via Standard Protection or a native ISO rollout from the start. Basic Protection is the right choice for the middle ground: companies that want to reach a structured, demonstrable baseline without the overhead of certification. It is a starting point, not a finish line — and that is exactly how you should plan for it.