BSI IT-Grundschutz Cross-Reference Table
Interactive mapping between BSI IT-Grundschutz building blocks and ISO 27001, NIST CSF 2.0, DORA, and NIS2.
| ID | Title | ISO 27001 | NIST CSF | DORA | NIS2 |
|---|---|---|---|---|---|
| APP.1.1 | Office Products | A.8.26, A.8.27, A.8.25, A.5.10 | PR.PS-02, PR.PS-05, PR.PS-06 | — | Art. 21(2)(e) |
| APP.1.2 | Web Browsers | A.8.26, A.8.3, A.8.2 | PR.AA-05, PR.PS-02 | — | Art. 21(2)(e) |
| APP.1.4 | Mobile Applications (Apps) | A.8.26, A.8.27, A.8.24 | PR.DS-02, PR.PS-06 | — | Art. 21(2)(e) |
| APP.2.1 | General Directory Service | A.5.15, A.5.16, A.5.17, A.5.18, A.8.5 | PR.AA-01, PR.AA-03, PR.AA-05 | Art. 9(4)(b) | Art. 21(2)(i), Art. 21(2)(j) |
| APP.2.2 | Active Directory Domain Services | A.5.15, A.5.16, A.8.2, A.8.5 | PR.AA-01, PR.AA-02, PR.AA-03 | Art. 9(4)(b) | Art. 21(2)(i), Art. 21(2)(j) |
| APP.2.3 | OpenLDAP | A.5.15, A.5.16, A.5.18, A.8.2 | PR.AA-01, PR.AA-05 | Art. 9(4)(b) | Art. 21(2)(i), Art. 21(2)(j) |
| APP.3.1 | Web Applications and Web Services | A.8.26, A.8.27, A.8.28, A.8.29, A.5.14 | PR.PS-06, PR.DS-02, PR.AA-05 | Art. 9(4)(a) | Art. 21(2)(e) |
| APP.3.2 | Web Servers | A.8.26, A.8.27, A.8.21 | PR.PS-06, PR.DS-02 | Art. 9(4)(a) | Art. 21(2)(e) |
| APP.3.3 | File Servers | A.5.14, A.8.21, A.8.26, A.8.7 | PR.DS-02, DE.CM-06 | — | Art. 21(2)(e) |
| APP.3.4 | Samba | A.5.14, A.8.7, A.8.24 | PR.DS-02, PR.DS-01 | — | Art. 21(2)(h) |
| APP.3.6 | DNS Server | A.8.21, A.8.26, A.5.14 | PR.DS-02, PR.IR-01 | — | Art. 21(2)(e) |
| APP.4.2 | SAP ERP System | A.8.26, A.8.3, A.5.15, A.8.9 | PR.AA-05, PR.PS-01 | Art. 8(1), Art. 9(4)(b) | Art. 21(2)(e) |
| APP.4.3 | Relational Databases | A.8.25, A.8.26, A.8.27, A.8.28 | PR.PS-06, ID.IM-02 | Art. 8(2) | Art. 21(2)(e) |
| APP.4.4 | Kubernetes | A.8.25, A.8.26, A.8.27, A.5.23 | PR.PS-06, PR.PS-01, GV.SC-07 | Art. 9(4)(a) | Art. 21(2)(e) |
| APP.4.6 | SAP ABAP Programming | A.8.25, A.8.26, A.8.28, A.5.19 | PR.PS-06, GV.SC-05 | Art. 8(2) | Art. 21(2)(e), Art. 21(2)(d) |
| APP.5.2 | Microsoft Exchange and Outlook | A.8.7, A.8.26, A.5.14, A.8.8 | PR.PS-02, DE.CM-09 | — | Art. 21(2)(e) |
| APP.5.3 | General Email Client and Server | A.5.14, A.8.7, A.8.26 | PR.DS-02, DE.CM-09 | — | Art. 21(2)(e) |
| APP.5.4 | Unified Communications and Collaboration (UCC) | A.5.14, A.8.26, A.8.7 | PR.DS-02, PR.PS-02 | — | Art. 21(2)(e) |
| APP.6 | General Software | A.8.26, A.8.7, A.8.8, A.5.10 | PR.PS-02, PR.PS-05 | — | Art. 21(2)(e) |
| APP.7 | Development of Custom Software | A.8.25, A.8.26, A.8.28, A.5.8 | PR.PS-06, GV.SC-05 | Art. 9(4)(a) | Art. 21(2)(e) |
| CON.1 | Cryptographic Concept | A.8.24, A.8.25, A.5.1 | PR.DS-01, PR.DS-02 | Art. 9(4)(e) | Art. 21(2)(h) |
| CON.10 | Development of Web Applications | A.5.30, A.5.29, A.8.13, A.5.1 | PR.IR-03, RC.RP-01 | Art. 11(1), Art. 11(2) | Art. 21(2)(c) |
| CON.11.1 | Classified Information Protection VS-ONLY FOR OFFICIAL USE (VS-NfD) | A.5.31, A.5.34, A.8.11, A.5.10 | GV.OC-03, PR.DS-01 | — | Art. 21(2)(a) |
| CON.2 | Data Protection | A.5.9, A.5.12, A.5.13 | ID.AM-01, ID.AM-05, PR.DS-01 | — | Art. 21(2)(i) |
| CON.3 | Data Backup Concept | A.8.13, A.5.29, A.5.30 | PR.DS-11, RC.RP-03, PR.IR-04 | Art. 12(1), Art. 12(4) | Art. 21(2)(c) |
| CON.6 | Deletion and Destruction | A.5.14, A.8.24, A.5.10 | PR.DS-02, PR.DS-10 | Art. 9(4)(d) | Art. 21(2)(h) |
| CON.7 | Information Security during International Travel | A.6.7, A.8.20, A.8.21, A.8.24 | PR.AA-05, PR.DS-02, PR.IR-01 | Art. 9(2) | Art. 21(2)(h) |
| CON.8 | Software Development | A.8.25, A.8.26, A.8.27, A.8.28, A.8.29 | PR.PS-04, PR.PS-06, ID.IM-02 | Art. 8(2), Art. 9(4)(a) | Art. 21(2)(e) |
| CON.9 | Information Exchange | A.5.20, A.5.21, A.5.22, A.5.19 | GV.SC-01, GV.SC-06 | Art. 28(1), Art. 30(1) | Art. 21(2)(d) |
| DER.1 | Detection of Security-Relevant Events | A.8.16, A.8.15, A.5.25, A.5.26 | DE.CM-01, DE.CM-09, DE.AE-02, DE.AE-06 | Art. 10(1), Art. 10(2) | Art. 21(2)(b) |
| DER.2.1 | Security Incident Handling | A.5.24, A.5.25, A.5.26, A.5.27 | RS.MA-01, RS.AN-03, RS.CO-02 | Art. 17(1), Art. 19(1) | Art. 21(2)(b), Art. 23(1) |
| DER.2.2 | Precautions for IT Forensics | A.5.26, A.5.27, A.5.28, A.8.16 | RS.AN-06, RS.MA-04, DE.AE-07 | Art. 17(3), Art. 18(1) | Art. 21(2)(b) |
| DER.2.3 | Remediation of Extensive Security Incidents | A.5.26, A.5.28, A.8.15, A.8.16 | RS.AN-06, RS.AN-03, DE.AE-04 | Art. 17(3) | Art. 21(2)(b) |
| DER.3.1 | Audits and Revisions | A.5.35, A.5.36, A.8.34 | ID.IM-01, ID.IM-02, GV.OV-02 | Art. 24(1), Art. 24(6) | Art. 21(2)(f) |
| DER.3.2 | Revisions Based on the IS Revision Guide | A.5.35, A.8.34, A.5.36 | ID.IM-02, ID.RA-01 | Art. 25(1), Art. 26(1) | Art. 21(2)(f) |
| DER.4 | Emergency Management | A.5.29, A.5.30, A.5.26 | RC.RP-01, RC.RP-02, PR.IR-03 | Art. 11(1), Art. 11(6) | Art. 21(2)(b), Art. 21(2)(c) |
| IND.1 | Process Control and Automation Technology | A.5.1, A.5.9, A.8.22, A.5.29 | ID.AM-02, GV.RM-06, PR.IR-01 | — | Art. 21(2)(a) |
| IND.2.1 | General ICS Component | A.8.9, A.8.8, A.8.22, A.5.37 | PR.PS-01, PR.IR-01, ID.AM-02 | — | Art. 21(2)(e) |
| IND.2.2 | Programmable Logic Controller (PLC) | A.8.9, A.8.8, A.8.22 | PR.PS-01, PR.IR-01 | — | Art. 21(2)(e) |
| IND.2.3 | Sensors and Actuators | A.8.9, A.8.22, A.8.21 | PR.PS-01, PR.IR-01 | — | Art. 21(2)(e) |
| IND.2.4 | Machine | A.8.9, A.8.8, A.7.8 | PR.PS-01, PR.PS-03 | — | Art. 21(2)(e) |
| IND.2.7 | Safety Instrumented Systems | A.8.22, A.8.9, A.8.8 | PR.IR-01, PR.PS-01 | — | Art. 21(2)(e) |
| IND.3.2 | Remote Maintenance in Industrial Environments | A.8.22, A.8.9, A.5.29, A.5.30 | PR.IR-01, PR.IR-02, RC.RP-01 | — | Art. 21(2)(c) |
| INF.1 | General Building | A.7.1, A.7.2, A.7.3, A.7.4, A.7.5 | PR.AA-06, PR.IR-02, DE.CM-02 | — | Art. 21(2)(a) |
| INF.10 | Meeting, Event, and Training Rooms | A.7.3, A.7.2, A.7.9 | PR.AA-06 | — | — |
| INF.11 | General Vehicle | A.7.10, A.8.10, A.5.10 | PR.DS-01, PR.DS-03 | — | — |
| INF.12 | Cabling | A.7.12, A.7.11, A.8.20 | PR.IR-02, PR.PS-03 | — | — |
| INF.13 | Technical Building Management | A.7.11, A.7.5, A.7.12, A.8.20 | PR.IR-02, PR.PS-03 | — | — |
| INF.14 | Building Automation | A.7.11, A.7.5, A.5.29, A.5.30 | PR.IR-02, PR.IR-04, RC.RP-01 | — | Art. 21(2)(c) |
| INF.2 | Data Center and Server Room | A.7.1, A.7.2, A.7.5, A.7.6, A.7.11, A.7.12 | PR.AA-06, PR.IR-02, DE.CM-02 | Art. 9(4)(a) | Art. 21(2)(a) |
| INF.5 | Room and Cabinet for Technical Infrastructure | A.7.1, A.7.2, A.7.3, A.7.11 | PR.AA-06, PR.IR-02 | — | Art. 21(2)(a) |
| INF.6 | Storage Media Archive | A.7.1, A.7.2, A.7.5 | PR.AA-06, DE.CM-02 | — | — |
| INF.7 | Office Workplace | A.7.3, A.7.2, A.7.9 | PR.AA-06 | — | — |
| INF.8 | Home Workplace | A.7.9, A.7.7, A.5.10 | PR.AA-06, PR.DS-01 | — | — |
| INF.9 | Mobile Workplace | A.7.9, A.7.7, A.6.7 | PR.AA-06, PR.DS-01 | — | — |
| ISMS.1 | Security Management | A.5.1, A.5.2, A.5.4, A.5.35, A.5.36 | GV.OC-01, GV.RM-01, GV.PO-01, GV.OV-01, ID.IM-01 | Art. 5(1), Art. 5(2), Art. 6(1) | Art. 20(1), Art. 21(2)(a), Art. 21(2)(f) |
| NET.1.1 | Network Architecture and Design | A.8.20, A.8.21, A.8.22, A.5.1 | PR.IR-01, PR.IR-02, ID.AM-03 | Art. 9(4)(a) | Art. 21(2)(e) |
| NET.1.2 | Network Management | A.8.20, A.8.21, A.8.9, A.8.22 | PR.IR-01, DE.CM-01, PR.PS-01 | Art. 9(4)(a), Art. 10(1) | Art. 21(2)(e) |
| NET.2.1 | WLAN Operation | A.8.20, A.8.22, A.8.24, A.8.5 | PR.IR-01, PR.DS-02, PR.AA-03 | Art. 9(4)(a) | Art. 21(2)(e) |
| NET.2.2 | WLAN Use | A.6.7, A.8.24, A.8.20, A.8.5 | PR.AA-03, PR.DS-02, PR.IR-01 | Art. 9(2), Art. 9(4)(a) | Art. 21(2)(h) |
| NET.3.1 | Routers and Switches | A.8.20, A.8.21, A.8.22, A.8.23 | PR.IR-01, DE.CM-01, PR.PS-01 | Art. 9(4)(a) | Art. 21(2)(e) |
| NET.3.2 | Firewall | A.8.20, A.8.21, A.8.22, A.8.23 | PR.IR-01, DE.CM-01 | Art. 9(4)(a) | Art. 21(2)(e) |
| NET.3.3 | VPN | A.6.7, A.8.24, A.8.20, A.5.15 | PR.AA-03, PR.DS-02, PR.IR-01 | Art. 9(4)(a) | Art. 21(2)(h) |
| NET.3.4 | Network Access Control | A.8.16, A.8.15, A.8.20, A.8.22 | DE.CM-01, DE.AE-02, PR.IR-01 | Art. 10(1) | Art. 21(2)(b) |
| NET.4.1 | PBX Systems | A.8.21, A.5.14, A.8.24 | PR.DS-02, PR.IR-01 | — | Art. 21(2)(e) |
| NET.4.2 | VoIP | A.8.21, A.5.14, A.8.24 | PR.DS-02, PR.IR-01 | — | Art. 21(2)(e) |
| NET.4.3 | Fax Machines and Fax Servers | A.8.21, A.8.24, A.5.14 | PR.DS-02, PR.IR-01 | — | Art. 21(2)(h) |
| OPS.1.1.1 | General IT Operations | A.5.37, A.8.19, A.8.32 | PR.PS-01, PR.PS-02, GV.PO-01 | Art. 9(4)(a) | Art. 21(2)(a) |
| OPS.1.1.2 | Proper IT Administration | A.8.8, A.8.19, A.8.32, A.8.9 | PR.PS-02, ID.RA-01, DE.CM-01 | Art. 9(4)(c), Art. 10(1) | Art. 21(2)(e) |
| OPS.1.1.3 | Patch and Change Management | A.8.15, A.8.16, A.8.17, A.5.25 | DE.CM-03, DE.CM-09, DE.AE-02 | Art. 10(1), Art. 10(2) | Art. 21(2)(b) |
| OPS.1.1.4 | Protection Against Malware | A.8.7, A.8.19, A.8.16 | DE.CM-09, PR.PS-02, PR.PS-05 | Art. 9(4)(c), Art. 10(1) | Art. 21(2)(e) |
| OPS.1.1.5 | Logging | A.8.15, A.8.16, A.8.17, A.5.26 | DE.CM-01, DE.CM-03, DE.AE-03 | Art. 10(2) | Art. 21(2)(b) |
| OPS.1.1.6 | Software Testing and Approvals | A.8.32, A.5.37, A.8.9 | PR.PS-03, ID.AM-02 | Art. 8(1) | Art. 21(2)(a) |
| OPS.1.1.7 | System Management | A.8.34, A.5.35, A.5.36 | ID.IM-01, ID.IM-03, ID.RA-03 | Art. 24(1) | Art. 21(2)(f) |
| OPS.1.2.2 | Archiving | A.5.23, A.5.19, A.5.20 | GV.SC-04, GV.SC-07, PR.IR-01 | Art. 28(2), Art. 30(2) | Art. 21(2)(d) |
| OPS.1.2.4 | Telework | A.5.10, A.8.11, A.5.34 | PR.DS-01, PR.DS-10 | — | Art. 21(2)(i) |
| OPS.1.2.5 | Remote Maintenance | A.5.22, A.5.20, A.8.30 | GV.SC-06, GV.SC-09 | Art. 28(4), Art. 30(1) | Art. 21(2)(d) |
| OPS.1.2.6 | NTP Time Synchronization | A.5.37, A.8.19, A.8.22 | PR.PS-01, PR.IR-01 | — | Art. 21(2)(e) |
| OPS.2.2 | Cloud Use | A.5.23, A.5.19, A.5.20, A.5.21 | GV.SC-04, GV.SC-07, PR.IR-01 | Art. 28(1), Art. 30(2) | Art. 21(2)(d) |
| OPS.2.3 | Use of Outsourcing | A.5.19, A.5.20, A.5.22 | GV.SC-03, GV.SC-05 | Art. 28(2), Art. 28(4) | Art. 21(2)(d) |
| OPS.3.2 | Providing Outsourcing | A.5.19, A.5.20, A.5.22, A.5.35 | GV.SC-07, GV.SC-10 | Art. 28(7), Art. 30(3) | Art. 21(2)(d) |
| ORP.1 | Organisation | A.5.1, A.5.2, A.5.3, A.5.4, A.5.31 | GV.RR-01, GV.RR-02, GV.PO-01 | Art. 5(4) | Art. 20(1), Art. 21(2)(a) |
| ORP.2 | Personnel | A.6.1, A.6.2, A.6.4, A.6.5, A.6.6 | GV.RR-02, PR.AA-05 | — | Art. 21(2)(i) |
| ORP.3 | Information Security Awareness and Training | A.6.3, A.5.1 | PR.AT-01, PR.AT-02 | Art. 13(1), Art. 5(4) | Art. 21(2)(g) |
| ORP.4 | Identity and Access Management | A.5.15, A.5.16, A.5.18, A.8.2, A.8.5 | PR.AA-01, PR.AA-02, PR.AA-05, PR.AA-06 | Art. 9(4)(b) | Art. 21(2)(i), Art. 21(2)(j) |
| ORP.5 | Compliance Management (Requirements Management) | A.5.31, A.5.32, A.5.33, A.5.34, A.5.36 | GV.OC-03, GV.PO-02 | Art. 5(1) | Art. 21(2)(a) |
| SYS.1.1 | General Server | A.8.9, A.8.8, A.8.2, A.7.9, A.8.19 | PR.PS-01, PR.PS-02, PR.PS-03 | Art. 8(1), Art. 9(4)(a) | Art. 21(2)(e) |
| SYS.1.2.2 | Windows Server 2012 | A.8.9, A.8.8, A.8.2, A.8.22 | PR.PS-01, PR.PS-02, PR.IR-01 | Art. 8(1), Art. 9(4)(a) | Art. 21(2)(e) |
| SYS.1.2.3 | Windows Server | A.8.9, A.8.8, A.8.2 | PR.PS-01, PR.PS-02 | Art. 8(1) | Art. 21(2)(e) |
| SYS.1.3 | Servers Running Linux and Unix | A.8.9, A.8.8, A.8.2 | PR.PS-01, PR.PS-02 | Art. 8(1) | Art. 21(2)(e) |
| SYS.1.5 | Virtualization | A.8.22, A.8.23, A.8.9, A.5.23 | PR.IR-01, PR.PS-01, GV.SC-07 | Art. 9(4)(a), Art. 28(2) | Art. 21(2)(e) |
| SYS.1.6 | Containerization | A.8.22, A.8.9, A.8.8, A.5.23 | PR.IR-01, PR.PS-01 | Art. 9(4)(a) | Art. 21(2)(e) |
| SYS.1.7 | IBM Z | A.8.9, A.8.8, A.8.2 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.1.8 | Storage Solutions | A.8.9, A.8.8, A.7.8 | PR.PS-01, PR.PS-03, PR.IR-02 | Art. 9(4)(a) | Art. 21(2)(c) |
| SYS.1.9 | Terminal Server | A.8.9, A.8.8, A.7.8, A.7.1 | PR.PS-01, PR.PS-03 | — | Art. 21(2)(e) |
| SYS.2.1 | General Client | A.8.9, A.8.8, A.8.7, A.5.10 | PR.PS-01, PR.PS-02, PR.PS-05 | Art. 8(1) | Art. 21(2)(e) |
| SYS.2.2.3 | Clients Running Windows | A.8.9, A.8.8, A.8.7 | PR.PS-01, PR.PS-02 | Art. 8(1) | Art. 21(2)(e) |
| SYS.2.3 | Clients Running Linux and Unix | A.8.9, A.8.8, A.8.7 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.2.4 | Clients Running macOS | A.8.9, A.8.8, A.8.7 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.2.5 | Client Virtualization | A.8.9, A.8.8, A.8.7 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.2.6 | Virtual Desktop Infrastructure | A.8.9, A.8.7, A.8.8 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.3.1 | Laptops | A.6.7, A.8.9, A.5.10, A.7.9 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.3.2.1 | General Smartphones and Tablets | A.8.9, A.5.10, A.7.9, A.8.1 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.3.2.2 | Mobile Device Management (MDM) | A.8.1, A.8.9, A.5.10, A.7.9 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.3.2.3 | iOS (for Enterprise) | A.8.1, A.8.9, A.5.10 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.3.2.4 | Android | A.8.1, A.8.9, A.5.10, A.7.9 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.3.3 | Mobile Phone | A.8.1, A.7.9, A.5.10, A.8.9 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
| SYS.4.1 | Printers, Copiers, and Multifunction Devices | A.8.21, A.8.9, A.8.20 | PR.IR-01, PR.PS-01 | Art. 9(4)(a) | Art. 21(2)(e) |
| SYS.4.3 | Embedded Systems | A.8.9, A.7.9, A.5.10 | PR.PS-01, PR.PS-03 | — | Art. 21(2)(e) |
| SYS.4.4 | General IoT Device | A.8.9, A.8.8, A.5.10 | PR.PS-01, PR.PS-02 | — | Art. 21(2)(e) |
| SYS.4.5 | Removable Storage Media | A.8.9, A.5.10, A.7.9 | PR.PS-01, PR.AA-05 | — | Art. 21(2)(e) |
These mappings are provided for reference and do not replace a professional compliance assessment.