An IT security concept is proof that your organization does not leave its information security to chance, but manages it systematically. It describes which assets you protect, what protection needs they have, and what measures you use to reduce risks to an acceptable level. Since the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) came into force on December 6, 2025, a viable security concept is no longer a voluntary undertaking for a large part of the German economy, but a regulatory obligation.
This article shows you what an IT security concept must accomplish, what legal requirements underlie it, and how you can achieve an audit-proof result in just a few clearly defined steps.
What is an IT security concept?
An IT security concept, often used synonymously with the term information security concept, is the central documentation of your information security. It records which business processes, applications, IT systems, and infrastructures fall within the scope of consideration, how worthy of protection they are, and what technical and organizational measures ensure their protection.
It is important to distinguish it from the Information Security Management System (ISMS): The ISMS is the overarching management cycle that defines responsibilities, processes, and rules. The IT security concept is the documented core of this cycle. It translates the abstract requirements into concrete, comprehensible specifications for your specific scope of consideration. A security concept for IT without an underlying management process remains merely a document; an ISMS without a documented concept remains merely a declaration of intent. The two belong together.
Two frameworks have become established in Germany as a methodological basis: the BSI IT-Grundschutz and the international ISO/IEC 27001. With BSI Standards 200-1 (establishing an ISMS), 200-2 (methodology), and 200-3 (risk analysis), IT-Grundschutz provides a structured methodology together with practice-oriented building blocks. ISO/IEC 27001 defines an internationally recognized framework of requirements with the controls in Annex A. Both approaches lead to a robust security concept. The choice depends on the size, industry, and regulatory environment of your organization.
Why an IT security concept is now mandatory
The regulatory landscape has fundamentally tightened. The NIS2UmsuCG applies without a transition period: Affected entities must be able to implement the risk management measures pursuant to Section 30 of the BSIG as of its entry into force. Around 29,500 companies in 18 sectors fall under the new obligations—starting at 50 employees or €10 million in revenue, extending well beyond the traditional KRITIS group. The registration deadline with the BSI expired on March 6, 2026; late registration is still possible but does not protect against sanctions. Violations can result in fines of up to €10 million, and management is personally liable for implementation.
In addition to NIS2, sector-specific obligations remain in place. Electricity and gas grid operators are required by the IT Security Catalogue pursuant to Section 11 of the EnWG to operate and certify an ISMS based on ISO/IEC 27001. Anyone processing personal data is obligated under the GDPR to implement appropriate technical and organizational measures. And for the automotive industry, TISAX® establishes its own industry-wide recognized assessment framework. These requirements largely overlap. A cleanly structured security concept forms the common foundation on which compliance with multiple sets of regulations can be demonstrated simultaneously.
The good news: The BSI has confirmed that a security concept built according to IT-Grundschutz covers the essential NIS2 requirements—from risk management and incident response to supply chain security. A solidly developed IT security concept therefore contributes to fulfilling several obligations at once. Compliance thus evolves from a mere obligatory exercise into an opportunity to demonstrate security and trust.
Creating an IT security concept: the essential steps
Creating an IT security concept may seem like a significant undertaking at first. However, if you break the task down into clearly defined steps, it becomes manageable. The following approach is based on the established IT-Grundschutz methodology and can equally be applied to a concept in accordance with ISO/IEC 27001.
Step 1: Defining the scope and taking stock
First, define the scope of consideration: Which organizational units, locations, and processes should the concept cover? A precisely defined scope prevents the effort from getting out of hand and ensures that no relevant areas are overlooked. Next, document the information network—that is, the business-critical processes, the underlying applications, IT systems, network connections, as well as the rooms and buildings. This structural analysis is the foundation: Only what has been documented can be protected.
Step 2: Determining protection requirements
In the second step, you determine how worthy of protection the identified assets are. The three protection goals of confidentiality, integrity, and availability are decisive. For each target object, you define what impact a loss would have—usually in the categories normal, high, and very high. The determined protection requirement directly drives the effort involved in the subsequent measures: A system with very high protection requirements calls for different precautions than a process with normal requirements.
Step 3: Analyzing risks and deriving measures
Now you carry out a target/actual comparison: Which requirements do you already meet, and where are the gaps? In IT-Grundschutz, you assign the appropriate modules to your target objects—structured by layers such as security management, organization and personnel, operations, or networks and communication—and check their implementation status in the IT-Grundschutz check. For areas with elevated protection requirements, add an in-depth risk analysis in accordance with BSI Standard 200-3. From the identified gaps, derive prioritized measures—weighted by criticality and cost-benefit ratio.
This is the point at which a fundamental strategic decision is made that shapes the scope of the entire concept: BSI Standard 200-2 recognizes three protection approaches that differ in depth and effort. Basic protection delivers a foundational security level with manageable effort and is suitable for getting started or when resources are limited. Core protection initially focuses resources on the organization's particularly valuable "jewels"—that is, those assets whose compromise would threaten the organization's very existence. Standard protection fully covers basic and standard requirements and is a prerequisite for certification to ISO/IEC 27001 based on IT-Grundschutz. Which approach is the right one depends on your protection requirements, company size, and objectives. A deliberately chosen entry point prevents you from getting bogged down and can be expanded incrementally later on—particularly given the time pressure imposed by NIS2, it is often more sensible to be able to demonstrate compliance with a solid basic protection than to aim for full standard protection and fall behind schedule in the process.
Step 4: Implementing and documenting measures
You now put the planned measures into practice on the technical, organizational, and personnel levels. Comprehensive documentation is critical: For every requirement, it should be traceable whether it has been implemented, partially implemented, or deliberately not implemented—each with a justification. This audit trail is what makes your concept audit-ready in the face of both internal reviews and external audits.
Step 5: Reviewing and maintaining effectiveness
An IT security concept is not a one-off document but an ongoing process. You monitor the effectiveness of the measures, respond to new threats and changing systems, and update the concept on a regular basis. It is precisely this cycle—identifying risks, deriving measures, reviewing effectiveness, and making adjustments—that keeps information security manageable over the long term and demonstrable to regulatory authorities.
Common pitfalls
In practice, security concepts rarely fail due to a lack of expertise, but rather due to their implementation in day-to-day operations. Three patterns are particularly common:
· scattered Excel spreadsheets that quickly become outdated and fail to provide reliable evidence;
· isolated solutions in which risks, controls, and documents are not linked to one another;
· lack of ongoing updates, so that at the next audit the concept no longer reflects the actual situation.
Anyone who addresses these points from the outset saves considerable effort during recertification.
Building your IT security concept with Athereon GRC
Athereon GRC is the leading European GRC platform and was designed to solve precisely these challenges. The software guides you in a structured way through every step—from recording your assets and determining protection requirements to audit-proof documentation of your measures.
The platform is framework-agnostic: It maps the relevant standards—ISO/IEC 27001, BSI IT-Grundschutz, TISAX®, NIS2, and others—with editorially prepared standard texts and enables implementation with precision at the requirement level. Using the mapping function, you consolidate substantively identical requirements from different frameworks: Document once, provide evidence multiple times. For organizations facing multiple parallel obligations, this is a key lever for reducing effort.
You are supported in this by the AI agent LAiKA. It operates according to a clear escalation logic: On the shared foundation, LAiKA Assist takes on fundamental tasks and, when needed, hands off to specialized agents. The Infrastructure Mapper supports the inventory of your information network, the Compliance Assistant helps with work at the requirement level, and the Questionnaire Assistant makes it easier to complete questionnaires and prepare for audits. Throughout, the guiding principle applies: "Nothing without your OK": LAiKA proposes and prepares; the decision remains with you.
Athereon GRC is developed and hosted in Germany—100% Made in Germany, with German data centers and GDPR-compliant data processing. In addition to the ISMS module, the ERM, BCM, DPM, and SRM modules cover further GRC disciplines, enabling you to manage information security, risk and business continuity management, and data protection in a single platform.
This turns a regulatory obligation into a manageable process, and compliance into an opportunity to demonstrate security and trust.
Would you like to set up your IT security concept in just a few steps? Discover the ISMS module from Athereon GRC and learn how to document your information security in a structured, audit-proof, and cross-standard manner.

.svg.webp)



