IT Grundschutz Compliance Workbook - Microsoft Azure Germany - German Edition is a new workbook that was developed by Hisolutions AG, one of the most renowned consulting and auditing companies in Germany.  It supports our clients to achieve their IT Grundschutz certification with solutions and workloads deployed on Microsoft Azure Germany. It´s based on the most recent version of IT Grundschutz, covering the relevant sections for cloud usage.

Microsoft Azure is Microsoft’s public cloud computing platform, offering a wide range of services from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) and Software as a Service (SaaS). Azure is especially suited for use in hybrid environments combining both on-premises and cloud infrastructure.

Microsoft Cloud Germany aims to offer all Azure services, but is physically based in Germany and offers additional protection from access by authorities from other jurisdictions violating domestic laws. This is also a requirement of German privacy law which strictly limits the transfer of personal data to other countries.

In Germany the Federal Office for InformationSecurity (Bundesamt für Sicherheit in der Informationstechnik, BSI) provides the IT-Grundschutz methodology; consisting of an ISO 27001 compatible ISMS (BSI Standards 100-1, 100-2), a dedicated risk analysis method (BSI Standard 100-3), and the IT-Grundschutz Catalogues, a standard set of threats and safeguards for typical business environments.

The purpose of this workbook is to help customers of Microsoft Cloud Germany who wish to use Microsoft Cloud Germany Services implement the IT-Grundschutz methodology within the scope of their existing or planned ISO 27001 certification based on IT-Grundschutz.

This workbook describes how to model cloud services as part of the Information Domain1, i.e. the certifiable scope of the ISMS, and how to apply the IT-Grundschutz methodology to applications within the cloud. An outline of how to implement the central IT-Grundschutz module M 1.17 Cloud Usage is given on a persafeguard- basis.