
SiKo Tool

Sicherheitskonzept (IT security concept)

IT-Grundschutz compliance that actually gets done.

A purpose-built GRC tool for BSI IT-Grundschutz Standard 200-2. Replaces month-long manual documentation with a guided, auto-synced workflow that keeps organisations continuously audit-ready.

Next.js, BSI IT-Grundschutz 200-2, Dexie.js, IndexedDB, Public Sector

The Standard

What is IT-Grundschutz?

IT-Grundschutz is Germany's most widely adopted IT security framework, published by the Federal Office for Information Security (BSI). BSI Standard 200-2, the IT-Grundschutz methodology, defines how organisations systematically identify, assess, and protect their information assets.

Compliance is mandatory or strongly recommended for German federal agencies, state administrations, and critical infrastructure operators (KRITIS), and the methodology is the basis for ISO 27001 certification on the basis of IT-Grundschutz, which the BSI issues.

Federal agencies, KRITIS operators, ISO 27001 path, State administrations

Methodology phases (BSI 200-2): 6
IT-Grundschutz-Kompendium (2023) building blocks available: 111
Typical requirements per concept: 200–500
Duration without tool: 3–6 months
Possible duration with tool: weeks

The Reality

A process few can afford to do right

IT-Grundschutz is thorough. That thoroughness is the problem. In practice, compliance requires months of expert work, most of it manual.

Month-long documentation cycles

A full IT security concept for a medium-sized organisation requires 3–6 months. Maintaining and updating it annually adds ongoing overhead that most teams cannot absorb.

Disconnected documents, constant re-entry

Teams typically work across separate Excel sheets for each phase. The same asset appears six times. When something changes, every sheet has to be updated manually, and inconsistencies creep in.

High barrier, low actual compliance

Because the process is so burdensome, many organisations produce a concept once and never revisit it. A security concept that isn't maintained doesn't protect anyone and fails audits.

External tools don't fit the standard

Generic GRC platforms require significant configuration and don't map naturally to the BSI 200-2 phases and building block catalogue. The result: more overhead, not less.

Audit preparation is its own project

Assembling the final SiKo document from scattered files takes days. When auditors request specific evidence or traceability, the data isn't structured to provide it quickly.

Protection needs assessed repeatedly

In A2, each asset's Schutzbedarf (protection need) must be assessed individually for confidentiality, integrity and availability. With dozens of linked systems this is painstaking, and any change in A1 means redoing the assessment by hand.

The Tool

A GRC tool built specifically for this standard

The SiKo Tool brings the entire BSI 200-2 methodology into a single browser-based application. Instead of six disconnected documents, there is one data model. Enter an asset once; it propagates through every phase automatically.

The tool was built with a specific goal: make IT-Grundschutz compliance achievable for organisations that could never afford the conventional approach. Security that's actually maintained, not documented once and forgotten.

Protection needs pre-filled from A1 information categories
Integrated BSI catalogue, no external lookups
Complete Word document export in one click
Audit-ready data structure at any point in the process

Before

6 separate Excel files, one per phase
Same asset re-entered 6 times
Everything assessed manually, for each asset
Manual document assembly for audits
Concept outdated within months

With SiKo Tool

One application, all six phases connected
Asset entered once, synced everywhere
Everything populated automatically
Complete Word export in one click
Concept stays current: update assets, not documents

Methodology

Six phases, one connected workflow

The tool maps exactly to the BSI 200-2 phases. The standard is the navigation structure, not something to work around.

A1Scope & Assets

Define IT systems, processes, and rooms. Assign information categories; this data feeds every phase that follows.

A2Protection Needs

Protection requirements are pre-filled from the A1 information categories. When several information categories or dependent systems meet on one asset, the highest level applies automatically (the BSI maximum principle).

A3Modelling

Map assets to BSI building blocks. The tool suggests modules based on asset type; 111 blocks with requirements are embedded.

A4Basic Check

Work through all requirements per building block. Track implementation status across every asset in one view.

A5Risk Analysis

Identify and assess risks for assets with elevated protection needs (hoch or sehr hoch in any dimension), drawing directly on A1 and A2 data.

A6Consolidation

One-click export: complete SiKo document with cover page, TOC, cross-reference matrices, and risk overview.
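
The A1 to A2 to A5 chain described above, as an added example that is not the SiKo Tool's own code: a small A1 data model (information categories, assets, and which asset runs on which), derivation of each asset's protection need per dimension by the maximum principle over its own categories and over every asset that depends on it, and selection of the assets that need an A5 risk analysis. Asset names, categories, field names and the three-level scale are constructed for illustration.

```javascript
// Added example: derive A2 protection needs from A1 data (BSI maximum principle)
// and pick A5 risk-analysis candidates. Illustrative data model, not the
// SiKo Tool's real schema; all names and categories below are constructed.

// Protection-need levels in BSI order (normal < hoch < sehr hoch).
const LEVELS = ["normal", "hoch", "sehr hoch"];
const DIMENSIONS = ["confidentiality", "integrity", "availability"];

function rank(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown protection level: ${level}`);
  return i;
}
const maxLevel = (a, b) => (rank(a) >= rank(b) ? a : b);

// A1: information categories with a protection need per dimension (constructed).
const infoCategories = {
  "public-web-content": { confidentiality: "normal", integrity: "normal", availability: "normal" },
  "citizen-pii": { confidentiality: "hoch", integrity: "hoch", availability: "normal" },
  "payroll": { confidentiality: "sehr hoch", integrity: "hoch", availability: "hoch" },
};

// A1: assets. `handles` lists the categories an asset processes; `dependsOn`
// names the assets it runs on (application -> server -> room), so a need
// recorded once on an application propagates down to the server and the room.
const assets = [
  { id: "APP-01", type: "application", name: "Public website", handles: ["public-web-content"], dependsOn: ["SRV-01"] },
  { id: "APP-02", type: "application", name: "HR system", handles: ["payroll"], dependsOn: ["SRV-02"] },
  { id: "APP-03", type: "application", name: "Citizen portal", handles: ["public-web-content", "citizen-pii"], dependsOn: ["SRV-01"] },
  { id: "SRV-01", type: "server", name: "Web server", handles: [], dependsOn: ["ROOM-01"] },
  { id: "SRV-02", type: "server", name: "HR server", handles: [], dependsOn: ["ROOM-01"] },
  { id: "ROOM-01", type: "room", name: "Server room", handles: [], dependsOn: [] },
];

// A2: an asset's need in each dimension is the maximum over its own categories
// and over the needs of every asset that depends on it. Memoised per asset;
// dangling references and dependency cycles are rejected rather than guessed.
function deriveProtectionNeeds(assetList, categories) {
  const byId = new Map(assetList.map((a) => [a.id, a]));
  const dependents = new Map(assetList.map((a) => [a.id, []]));
  for (const a of assetList) {
    for (const d of a.dependsOn) {
      if (!byId.has(d)) throw new Error(`${a.id} depends on unknown asset ${d}`);
      dependents.get(d).push(a.id);
    }
  }
  const result = new Map();
  const visiting = new Set();
  const need = (id) => {
    if (result.has(id)) return result.get(id);
    if (visiting.has(id)) throw new Error(`dependency cycle at ${id}`);
    visiting.add(id);
    const out = Object.fromEntries(DIMENSIONS.map((d) => [d, "normal"]));
    const merge = (src) => { for (const d of DIMENSIONS) out[d] = maxLevel(out[d], src[d]); };
    for (const c of byId.get(id).handles) {
      if (!categories[c]) throw new Error(`${id} references unknown category ${c}`);
      merge(categories[c]);
    }
    for (const dep of dependents.get(id)) merge(need(dep));
    visiting.delete(id);
    result.set(id, out);
    return out;
  };
  for (const a of assetList) need(a.id);
  return result;
}

// A5: anything above "normal" in any dimension needs a risk analysis (BSI 200-3).
function riskAnalysisCandidates(needs) {
  return [...needs.entries()]
    .filter(([, n]) => DIMENSIONS.some((d) => rank(n[d]) > rank("normal")))
    .map(([id]) => id)
    .sort();
}

const needs = deriveProtectionNeeds(assets, infoCategories);
console.table(Object.fromEntries(needs));
console.log("A5 candidates:", riskAnalysisCandidates(needs));
```

With this sample, SRV-01 ends up at hoch/hoch/normal because the citizen portal runs on it, and ROOM-01 at sehr hoch/hoch/hoch because the HR server does; APP-01 stays at normal and drops out of the A5 list. The maximum principle is only the default: BSI 200-2 also allows the assessor to raise a level for cumulation effects (many normal-need assets concentrated in one place) or lower it for distribution effects (redundancy), with a documented justification. That override is not modelled here and would sit on top of the derived value as a reviewed, per-asset decision.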

Capabilities

What makes it different

Every feature was designed to eliminate a specific pain point in the conventional IT-Grundschutz process.

Auto-syncing assets

Change an asset in A1 and every downstream phase updates automatically. Protection needs, modelling, risks, and measures stay in sync without manual effort.

BSI catalogue built in

All 111 building blocks with their requirements and the catalogue of elementary threats are embedded. No external document lookup during modelling; everything is in the tool.

Search, filter, scale

Full-text search and filtering across all asset tables. A guided phase structure keeps work organized as the concept grows to hundreds of assets and requirements.

One-click export

Generates a complete SiKo document in seconds: cover page, table of contents, cross-reference matrices, risk overview. Also structured Excel and versioned JSON.

Data stays local

Everything runs in the browser; there is no server component and no cloud, so the concept never leaves the machine. The app can be served from a Docker container for internal hosting, needs no Office installation, and works on any device with a modern browser. Because the store is the browser's IndexedDB, the data is tied to that browser profile and is gone if site data is cleared, and protection at rest is whatever the host's disk encryption provides; the JSON export is the backup and transfer path.
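
Because the export file is the only backup and transfer path in a browser-local tool, the import side has to treat it as untrusted input. The following is an added example of a versioned JSON export with a validating, migrating import; it is not the SiKo Tool's actual file format. The field names, the schema version numbers, and the assumed v1 to v2 change (a single `parent` reference replaced by a `dependsOn` array) are illustrative.

```javascript
// Added example: versioned JSON export and a strict import that checks the
// schema version, refuses files from a newer build, migrates older files step by
// step, and validates references before anything reaches the local store.
// Format, field names and the v1 -> v2 change are assumptions, not the real tool.

const SCHEMA_VERSION = 2;

// Migrations keyed by the version they upgrade FROM; each returns the next version.
// Assumed history: v1 stored one `parent` asset id, v2 stores a `dependsOn` array.
const MIGRATIONS = {
  1: (doc) => ({
    ...doc,
    schemaVersion: 2,
    assets: doc.assets.map(({ parent, ...rest }) => ({
      ...rest,
      dependsOn: parent ? [parent] : [],
    })),
  }),
};

function exportConcept(concept) {
  return JSON.stringify(
    { schemaVersion: SCHEMA_VERSION, exportedAt: new Date().toISOString(), assets: concept.assets },
    null,
    2,
  );
}

function importConcept(json) {
  let doc;
  try {
    doc = JSON.parse(json);
  } catch (e) {
    throw new Error(`not valid JSON: ${e.message}`);
  }
  if (doc === null || typeof doc !== "object") throw new Error("document must be an object");
  if (!Number.isInteger(doc.schemaVersion)) throw new Error("missing or invalid schemaVersion");
  if (doc.schemaVersion > SCHEMA_VERSION) {
    throw new Error(`file is schema v${doc.schemaVersion}; this build supports up to v${SCHEMA_VERSION}`);
  }
  if (!Array.isArray(doc.assets)) throw new Error("assets must be an array");
  // Walk the migration chain one version at a time; a gap is a hard error.
  while (doc.schemaVersion < SCHEMA_VERSION) {
    const step = MIGRATIONS[doc.schemaVersion];
    if (!step) throw new Error(`no migration from schema v${doc.schemaVersion}`);
    doc = step(doc);
  }
  // Structural validation on the current schema: unique ids, resolvable links.
  const ids = new Set();
  for (const a of doc.assets) {
    if (typeof a.id !== "string" || a.id === "") throw new Error("asset without id");
    if (ids.has(a.id)) throw new Error(`duplicate asset id ${a.id}`);
    ids.add(a.id);
    if (!Array.isArray(a.dependsOn)) throw new Error(`${a.id}: dependsOn must be an array`);
  }
  for (const a of doc.assets) {
    for (const d of a.dependsOn) {
      if (!ids.has(d)) throw new Error(`${a.id} depends on unknown asset ${d}`);
    }
  }
  return doc;
}

// Constructed round trip: export a two-asset concept and read it back.
const roundTrip = importConcept(
  exportConcept({ assets: [{ id: "SRV-01", dependsOn: [] }, { id: "APP-01", dependsOn: ["SRV-01"] }] }),
);
console.log(`imported schema v${roundTrip.schemaVersion}, ${roundTrip.assets.length} assets`);
```

Refusing files from a newer build rather than importing what looks familiar avoids silently dropping fields a later version added, and validating links after migration means a corrupted or hand-edited backup fails at import instead of producing an inconsistent concept in the local store.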

Audit-ready at any point

Structured data across all phases means you can generate the current state of your IT security concept at any time, not just at the end of a months-long project.