DEEP DIVE

BSI IT-Grundschutz: Practitioners, Advisors, and the Accreditation Question

What distinguishes Practitioner from Advisor, and where does accreditation sit in the BSI path?

Last updated: 2026-05-03

Anyone responsible for IT security in Germany can hardly avoid BSI IT-Grundschutz. The framework, developed by the BSI (Bundesamt für Sicherheit in der Informationstechnik - Germany's Federal Office for Information Security), is regarded as the de facto standard for public authorities, operators of critical infrastructure (KRITIS), and increasingly for mid-market companies as well. However, anyone who wants to obtain a personal certification in IT-Grundschutz faces a landscape that looks straightforward at first glance - and holds a few surprises on closer inspection.

What is BSI IT-Grundschutz?

IT-Grundschutz is a methodology developed by the BSI for the systematic implementation of information security. It is based on the IT-Grundschutz-Kompendium with its modules and requirements and is compatible with the international standard ISO/IEC 27001. Organizations can obtain ISO 27001 certification on the basis of IT-Grundschutz - a route taken in particular by federal authorities and operators of critical infrastructure. For individuals who wish to advise or audit in this environment, the BSI has established its own qualification system.

The Qualification Path: From Practitioner to Advisor

The BSI distinguishes between two central personnel certifications: the IT-Grundschutz Practitioner as the entry-level credential and the IT-Grundschutz Advisor as the advanced tier.

IT-Grundschutz Practitioner

The Practitioner is the basic qualification. It targets individuals who want to apply IT-Grundschutz within their own organization - for example, as an Information Security Officer (ISB), as a project lead, or as a specialist in the IT department.

  • Scope: Three-day training with a BSI-licensed training provider
  • Examination: 50 multiple-choice questions, 60 minutes, pass mark 60 % (30 correct answers). The examination is administered by the training provider according to uniform BSI requirements, not by the BSI itself.
  • Validity: Unlimited in time - once passed, permanently valid
  • Prerequisites: Formally none; basic knowledge of information security is recommended

The Practitioner is deliberately designed to be low-threshold. It is intended to give as many specialists as possible an entry point into the IT-Grundschutz methodology.

IT-Grundschutz Advisor

The Advisor is the higher qualification tier and considerably more demanding. It qualifies the holder to advise organizations on the introduction and implementation of IT-Grundschutz and to prepare audits.

Prerequisites (four blocks, all of which must be met):

  1. Educational background: Vocational training or a degree with a relationship to information security
  2. Professional experience: At least 5 years of IT professional experience within the last 8 years, of which at least 2 years in information security
  3. IT-Grundschutz experience: At least 5 years of experience in implementing IT-Grundschutz requirements
  4. Project experience: At least 40 person-days of practical experience in the last 3 years in a leading role, with IT-Grundschutz as a substantial project component, confirmed by clients or employers

In addition, candidates must have completed the Practitioner course and a two-day advanced training.

  • Examination: Written, held at the BSI in Bonn, 80 questions in 90 minutes (75 multiple-choice + 5 case studies), pass mark 60 out of 100 points
  • Validity: Three years, after which recertification is required
  • Listed Advisors: At present, only around 287 IT-Grundschutz Advisors are publicly listed by the BSI

The low number of listed Advisors illustrates how selective this path is. Anyone who passes the examination is added to the public BSI list - a quality marker that clients recognize and ask for.

The Accreditation Question: BSI, DAkkS, and ISO 17024

The BSI is not accredited by the Deutsche Akkreditierungsstelle (DAkkS - the German national accreditation body) under ISO/IEC 17024. The BSI certifies by virtue of law - the legal basis is the BSI Act (BSIG §§ 52, 56). As a federal agency, the BSI operates on its own statutory basis, which neither requires nor provides for DAkkS accreditation.

In practice, this means: a BSI certificate enjoys high standing in Germany and is effectively mandatory for many regulated areas. However, in an international context or in the private sector, where ISO 17024 conformity is expected, the absence of accreditation can be a disadvantage.

The TÜV Route: Practitioner with DAkkS Accreditation

An alternative offering addresses precisely this gap: PersCert TÜV (the personnel certification body of TÜV Rheinland) offers the IT-Grundschutz Practitioner as an ISO 17024-compliant certificate (Certipedia ID 0000085851).

The curriculum is identical to the BSI curriculum. The training content is the same, and the requirements are congruent. The difference lies solely in the certification body: PersCert TÜV is accredited by DAkkS in accordance with ISO/IEC 17024 - the certificate therefore meets the international requirements for independent personnel certification.

Who Benefits from What?

The choice between the three paths depends on one's own role and the regulatory environment:

  • IT-Grundschutz Practitioner (BSI): The pragmatic choice for specialists in public authorities and companies that apply IT-Grundschutz internally. Cost-efficient, recognized in the German market, and no recertification required.

  • IT-Grundschutz Practitioner (PersCert TÜV): Worthwhile for individuals who work in an environment where ISO 17024 conformity is required or desired - for example, in consulting, in tenders with international participation, or in companies with global compliance requirements.

  • IT-Grundschutz Advisor (BSI): The right choice for experienced professionals who want to provide professional advisory services and to be listed on the BSI register. The effort is considerable, but the resulting visibility in the market is correspondingly high.

Cost Comparison

| Feature | Practitioner (BSI) | Practitioner (PersCert TÜV) | Advisor (BSI) |
|---|---|---|---|
| Training duration | 3 days | 3 days | Practitioner + 2 days advanced |
| Training cost | approx. 1,500–2,200 EUR | approx. 1,500–2,200 EUR | approx. 2,500–3,500 EUR (total) |
| Examination fee | included in training | approx. 250–400 EUR additional | approx. 500 EUR (BSI examination) |
| Examination venue | at the training provider | at the training provider / TÜV | BSI, Bonn |
| Examination format | 50 MC / 60 min / 60 % | 50 MC / 60 min / 60 % | 80 questions / 90 min / 60 pts. |
| Validity | unlimited | 3 years (ISO 17024) | 3 years |
| Recertification | not required | surveillance / recertification | 221 EUR + evidence of activity |
| Accreditation | none (training certificate) | DAkkS / ISO 17024 | none (BSI by virtue of law) |
| Professional experience | no formal requirement | no formal requirement | 5 yrs. IT + 2 yrs. IS + 5 yrs. Grundschutz + 40 person-days project experience |
| Total cost (approx.) | 1,500–2,200 EUR | 1,800–2,600 EUR | 3,000–4,000 EUR |

All prices are indicative and may vary depending on the provider and region. As of April 2026.

Conclusion

BSI IT-Grundschutz offers a well-thought-out qualification system that is not always intuitive on the accreditation question. The Practitioner is a solid entry point; the Advisor is a demanding specialization with a high barrier to entry and corresponding market value. Anyone who additionally needs international acceptance or formal ISO 17024 conformity should be aware of the TÜV route. The good news: the training content is identical - so the decision does not come down to the knowledge, but to the certificate that ultimately appears on paper.