
      Why structured IT baseline protection is indispensable today

      The number of cyber attacks is increasing rapidly, while regulations such as NIS-2, KRITIS requirements and public sector requirements are putting increasing pressure on companies and public authorities. The IT baseline protection provided by the German Federal Office for Information Security (BSI) offers an established, clearly structured framework for making information security transparent, comprehensible and effective. In practice, however, many organisations fail to implement it.

      This is due, among other things, to sprawling system landscapes, limited resources, missing roles, or unclear responsibilities. This is where KPMG comes in.

      We provide comprehensive support, from the initial workshop to modelling and auditing, and anchor information security permanently and pragmatically in your organisation. With our combination of methodological expertise, many years of project experience and modern IT baseline protection tools, we support the introduction of structured information security – efficiently and comprehensibly.

      Overview of our services

      • Development and implementation of an ISMS in accordance with BSI Standard 200-1
      • Security concept and modelling according to BSI Standard 200-2
      • Risk analysis in accordance with BSI Standard 200-3
      • Preparation and support in the IT baseline protection process
      • ISO 27001 auditing based on IT baseline protection by BSI-certified auditors
      • Continuous development, including preparation for basic protection++
      • Tool support and automation of the IT baseline protection methodology

      Our services in detail

      The BSI Standard 200-1 forms the foundation for an effective information security management system. We support you in its structured development and sustainable implementation:

      • Kick-off workshops and role models
      • Definition of governance, guidelines and responsibilities
      • Integration of the PDCA cycle into your organisation
      • Provision of best practice templates and tool templates
      • Support in selecting and deploying suitable ISMS/IT baseline protection tools

      Our approach combines regulatory requirements with pragmatic implementation steps – for a living, audit-proof ISMS.

      IT baseline protection follows a structured process model that clearly defines all security-related steps. We guide you methodically through this process – from analysis and protection requirements assessment to implementation and effectiveness testing. ‘One of the goals of the standard IT baseline protection is to offer a pragmatic and effective approach to achieving a solid level of security that can also serve as a basis for a higher level of security.’

      Source: BSI Standard 200-2, Chapter 8

      Figure 1 Information security

      Risk analysis according to BSI Standard 200-3 consists of several closely interlinked components that enable effective risk management. We support you in systematically identifying threats, thoroughly assessing risks and establishing appropriate treatment strategies – embedded in a sustainable, organisation-wide risk management system.
      Figure 2 Information security

      The PDCA cycle illustrates the continuous sequence of planning, implementation, review and improvement. Together with you, we permanently embed this cycle in your ISMS – in a structured, traceable and audit-proof manner.


      Figure 3 Information security

      ISO 27001 certification based on IT baseline protection – auditing 

      ISO 27001 certification based on IT-Grundschutz is widely used and particularly recognised in Germany. KPMG has BSI-certified auditors who conduct audits objectively, independently and to a high professional standard.

      Why audit with KPMG?

      • Auditors recognised by the BSI
      • Deep understanding of complex information networks
      • Extensive experience in management systems, compliance and regulation
      • Strict separation of consulting and auditing in accordance with BSI requirements

      Our types of audits

      • Pre-audit: assessment of readiness for certification
      • Initial certification audit: document review and on-site audit
      • Monitoring audit: annual review of ISMS effectiveness
      • Recertification audit: full review after three years


      Our audit teams document all results in a comprehensible, confidential and complete manner in accordance with BSI requirements.


      Basic Protection++ – Future-proofing your ISMS

      From 2026, ‘Basic Protection++’ will replace the existing compendium. The new approach will focus more strongly on:

      • process-oriented modelling
      • digital, dynamic set of rules
      • automated checks and intelligent checklists
      • better integration with minimum standards and state of the art

      KPMG prepares your organisation specifically for this – from readiness analyses to migration strategies.


      Why KPMG?

      • Many years of experience in administration, KRITIS, defence and industry
      • BSI-certified auditors and experienced IT baseline protection consultants
      • In-depth tool expertise and integration of modern automation systems
      • Practical implementation instead of purely theoretical methodology
      • Combined expertise in cyber security, risk management, compliance and technology

      KPMG supports you in implementing BSI IT-Grundschutz in a structured, efficient and audit-proof manner – from ISMS setup to successful ISO 27001 certification. Our experts provide comprehensive support on your journey towards optimised transparency, security and future viability for your information security organisation.



      Your contact

      Wilhelm Dolle

      Partner, Consulting

      KPMG AG Wirtschaftsprüfungsgesellschaft