BSI IT-Grundschutz Standard 200-4 vs. 100-4 - This changes with the update
Whether it is technical failures, user errors or ransomware, almost every modern business has to deal with incidents. To minimize the impact of such disruptions on day-to-day operations and to protect critical business processes, business continuity management (BCM) systems bundle planned and organized procedures that increase resilience within the organization and limit damage and downtime.
In the following article we describe the procedure according to the current BSI IT-Grundschutz Standard 200-4, compare it with its predecessor (BSI Standard 100-4) and show how you can use it to protect your own company sensibly in the event of an emergency.
What is a Business Continuity Management System (BCMS)?
By definition, a BCMS is a set of planned and organized procedures that protect the time-critical business processes (tasks and workflows) of an institution against failure. Time-critical processes are those whose failure can only be tolerated for a defined period of time; beyond that, serious or even existentially threatening consequences are to be expected. Business continuity management does not cover minor business interruptions (disruptions), but only the subsequent escalation levels (emergencies and crises). As a rule, its purpose is to protect the company against financial, personnel and reputational damage. The BCMS usually consists of three areas:
- An Emergency Plan,
- A crisis management plan and
- An Operational Recovery Plan.
What is BSI IT-Grundschutz Standard 200-4?
The standard describes the establishment, maintenance and continuous improvement of a BCMS based on ISO 22301:2019 (second edition). It is the successor to BSI Standard 100-4 and adds further important aspects to emergency management.
This is reflected in particular in its scope. Instead of the roughly 123 pages of its predecessor, IT-Grundschutz Standard 200-4 now offers around 300 pages of guidance, aimed in particular at companies and institutions that are new to the topic. The aims of the revision were, above all, to ease the introduction of a BCMS via a three-stage model (reactive BCMS, build-up BCMS and standard BCMS) and to highlight synergies with information security management systems (ISMS), the other standards of the 200-x series and IT service continuity management (ITSCM). Compared to the previous version, the new 200-4 includes, among other things, a simplified Business Impact Analysis (BIA), which still allows process-related as well as resource-related dependencies to be taken into account in the assessment.
Furthermore, the implementation of a BCMS now follows the Plan-Do-Check-Act (PDCA) cycle, analogous to the other BSI IT-Grundschutz Standards of the 200-x series.
How does the new stage model according to BSI IT-Grundschutz Standard 200-4 work?
Unlike in the past, companies can now choose between three stages of BCMS.
- The reactive BCMS (entry into business continuity management):
This is purely a transitional model. Its aim is to establish a basic capability to respond to emergencies quickly. It therefore focuses exclusively on the most important processes and does not yet include restart and recovery plans, for example. From this model it is possible to move on to either a build-up BCMS or a standard BCMS.
- The build-up BCMS (the step-by-step introduction of business continuity management):
Unlike the reactive BCMS, this stage covers considerably more areas: the framework conditions are analyzed in more depth and the documentation is much more comprehensive. Nevertheless, pre-filtering still takes place within the Business Impact Analysis (BIA), so not all risks are fully recorded and dealt with. Compared to the standard BCMS, this model scales better, especially in terms of resource requirements. It is aimed in particular at companies with some previous experience in business continuity management. Any legal and other regulatory requirements must be taken into account and checked when selecting this model.
- The standard BCMS (business continuity management according to ISO 22301:2019):
In contrast to the two previous stages, a standard BCMS provides complete coverage and the highest resilience of the three, since all business areas, processes and risks are considered. The considerable resource requirements (financial, technical and personnel) must, however, be taken into account during implementation. It is also the only variant that ensures conformity with ISO 22301:2019 (comparable to the way standard protection (Standard-Absicherung) according to BSI Standard 200-2 is compatible with ISO/IEC 27001).
Why and especially how should I use BSI IT-Grundschutz Standard 200-4?
For inexperienced companies, the best practices and requirements described provide an initial introduction to the topic and help to identify a suitable procedure and to decide which aspects deserve particular attention. More experienced institutions can use the stage model to assess the maturity of their own BCMS. In addition, the requirements catalog provided by the BSI makes it possible to check the completeness of one's own processes and measures, and the exercises and tests it describes can serve as a basis for, or a supplement to, one's own emergency exercises.
The BSI IT-Grundschutz Standard 200-4 should therefore be understood as an extension of the previous standards, and it is worth using even if another standard (such as ISO 22301:2019) is used to set up one's own BCMS.
Author: Robin Enste