German BSI IT-Grundschutz-Kompendium Compliance
The BSI IT-Grundschutz-Kompendium is Germany's baseline standard for information security.
Learn how ImmuniWeb helps your organization meet its web and mobile application security requirements.
The IT-Grundschutz-Kompendium is the central methodology and control catalogue published by Germany's Federal Office for Information Security (BSI). It defines a structured, baseline approach to information security and serves as the foundation for ISO/IEC 27001 certification on the basis of IT-Grundschutz. The full official catalogue is available on the BSI website (bsi.bund.de).
What Is the BSI IT-Grundschutz-Kompendium?
The BSI (Bundesamt für Sicherheit in der Informationstechnik) is Germany's national cybersecurity authority. Its IT-Grundschutz-Kompendium organizes security requirements into modular building blocks (Bausteine), grouped across process-oriented and system-oriented layers that cover organization and personnel, applications, IT systems, networks and industrial control systems.
Each module contains specific requirements categorized as Basic, Standard and High protection. Together with the BSI Standards 200-1, 200-2 and 200-3, the Kompendium gives organizations a repeatable, auditable way to establish an adequate level of security and to pursue ISO 27001 certification on the basis of IT-Grundschutz. This page references the current Edition 2025 of the Kompendium.
Who Must Comply with IT-Grundschutz?
IT-Grundschutz is mandatory for German federal authorities and is widely adopted across the public sector, as well as by operators of critical infrastructure (KRITIS) and their suppliers and contractors. Private-sector organizations also use it as a practical roadmap to ISO 27001 and to demonstrate a robust security posture when operating in Germany and the wider DACH region.
Key IT-Grundschutz Requirements for Application Security
While the Kompendium covers the full breadth of information security, the modules most relevant to application security — and to ImmuniWeb — are:
- CON.8 — Software Development (Software-Entwicklung): secure development and security testing of software across its lifecycle.
- CON.10 — Development of Web Applications (Entwicklung von Webanwendungen): secure design and coding of web applications, including input validation, output encoding, authentication and session protection.
- APP.3.1 — Web Applications and Web Services (Webanwendungen und Webservices): protecting deployed web applications and services against common attacks (OWASP), with proper access control and logging.
- APP.1.4 — Mobile Applications (Mobile Anwendungen / Apps): securing mobile apps, including permission minimization, secure on-device data storage and protection of data in transit.
Note. Applicability differs by application type. CON.8, CON.10 and APP.3.1 apply to web applications, while CON.8 and APP.1.4 apply to mobile applications.
How ImmuniWeb Helps You Achieve IT-Grundschutz Compliance
ImmuniWeb's web and mobile application security testing directly supports the secure-development and application-protection requirements of the relevant IT-Grundschutz modules. The mapping below is split by application type.
For web applications — CON.8.A5, CON.10.A, APP.3.1.A
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| CON.8.A5 | Security testing of software throughout the development lifecycle. | ImmuniWeb On-Demand, Neuron, Continuous |
| CON.10.A | Secure development of web applications: input validation, output encoding, authentication and session protection. | ImmuniWeb On-Demand, Neuron, Continuous |
| APP.3.1.A | Protection of deployed web applications and services against common attacks (OWASP), with access control and logging. | ImmuniWeb On-Demand, Neuron, Continuous, Discovery |
For mobile applications — CON.8.A5, APP.1.4.A
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| CON.8.A5 | Security testing of software throughout the development lifecycle (applies to mobile apps). | ImmuniWeb MobileSuite, Neuron Mobile |
| APP.1.4.A | Security of mobile applications: permission minimization, secure on-device storage and protection of data in transit. | ImmuniWeb MobileSuite, Neuron Mobile, Continuous |
ImmuniWeb On-Demand delivers manual web application penetration testing with a zero-false-positives SLA; ImmuniWeb Neuron and Neuron Mobile provide automated web and mobile security scanning; ImmuniWeb MobileSuite covers full mobile penetration testing; and ImmuniWeb Continuous embeds testing into your CI/CD pipeline for a secure SDLC. ImmuniWeb Discovery maps and monitors your external attack surface.
Why Is IT-Grundschutz Compliance Important?
IT-Grundschutz is the de facto baseline for information security in Germany and the recognized route to ISO 27001 certification on the basis of IT-Grundschutz. For public-sector bodies and KRITIS operators, conformity is frequently a contractual or regulatory expectation.
Beyond compliance, fulfilling the application-security modules reduces the risk of breaches that originate in vulnerable web and mobile applications — one of the most common attack vectors — and demonstrates due diligence to regulators, partners and customers.