2.7 IT Baseline Protection Certificate

As a result of having received frequent queries as to whether a certificate can be issued for a set of IT assets in which IT baseline protection standards security safeguards have been implemented, the BSI has decided to take positive action. The motivation behind interest in an IT baseline protection certificates is diverse:

As the IT Baseline Protection Manual with its recommendations as to standard security safeguards has come to assume the role of an IT security standard, it is fitting that it should be used as a generally recognised set of criteria for IT security.

In future it will be possible for an institution to obtain the IT Baseline Protection Certificate for a selected set of IT assets when an independent, accredited body can demonstrate from a basic security check that the required IT baseline protection standards security safeguards have been implemented. The procedure to be followed is that outlined in Sections 2.1 to 2.4. Since an IT baseline protection security concept is produced as a by-product of the basic security check, it is possible to reuse the documents generated in the certification process.

Naturally no guarantee can be given that the results of the basic security check will allow a certificate to be granted. For such cases BSI is considering granting the institution the opportunity to announce publicly its efforts in the IT security process aimed at obtaining an IT Baseline Protection Certificate. It is envisaged that an institution will be able to issue a self-generated declaration that it has achieved a certain entry level (a still to be defined minimum level) or an additional, higher level (still less than IT baseline protection level) and hopes to obtain the IT Baseline Protection Certificate after the missing safeguards have been implemented.

Further information regarding the discussion status of the "IT Baseline Protection Certificate" may be obtained from the BSI server at http://www.bsi.bund.de/gshb.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update: October 2000