Secani
Secani
  • Company
  • Roadmap
Request demo

Summarize with AI

Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok
SIBB Startups
Berlin
Kofinanziert von der Europäischen Union
Secani

Jonathan Bezdek

Wörther Straße 9

10435 Berlin


hello@secani.com

Product

  • Security
  • Roadmap
  • Documentation
  • OSCAL

Legal

  • Privacy Policy
  • Terms
  • Cookie settings
  • Legal Notice

Company

  • Company
  • Contact
  • Blog

Support

  • Help
    Blog

    IT-Grundschutz++ meets OSCAL

    Derya AltinayCEO
    7 min read
    July 17, 2026

    Explore with AI

    Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok

    On this page

    From PDF compendium to structured dataWhy the BSI chose OSCALWhat changes for Grundschutz practiceA measured transitionOur take

    From PDF compendium to structured data

    For decades, IT-Grundschutz – Germany's national security baseline – was above all a body of text: compendium, standards, and implementation guidance as PDFs, maintained in documents, analyzed in spreadsheets. At the end of September 2025, the BSI officially ended that era and published the Stand-der-Technik-Bibliothek on GitHub – with IT-Grundschutz++ as a machine-readable catalog.

    This is more than a new storage format. The requirements are available as an OSCAL catalog in XML, JSON, and YAML. Tools can read them directly, reference them, and link them to an organization's own implementation – no retyping, no guessing versions, no page numbers.

    • Requirements get stable, machine-readable identifiers
    • Updates appear traceably in a public repository
    • ISMS tools read the catalog directly instead of manual re-entry

    Why the BSI chose OSCAL

    The format decision is remarkable. The BSI could have defined its own national data format – and deliberately chose not to. OSCAL is an internationally established standard led by NIST; adopting it keeps German organizations compatible with international frameworks and with a fast-growing tool ecosystem.

    Germany thereby joins a larger movement: in the US, FedRAMP is moving to machine-readable authorization packages, and the tooling around the standard is growing quickly. If you want the foundations first, our introduction What is OSCAL? explains how the standard is structured.

    What changes for Grundschutz practice

    For day-to-day ISMS work, the format change matters more than it first sounds. Today, a substantial share of Grundschutz work consists of transferring requirements from documents into your own structure: into spreadsheets, into GRC tools, into security concepts. Every new edition of the compendium triggers the same exercise again.

    With a machine-readable catalog, the logic flips. The tool already knows the requirements, and the actual work shifts to where it belongs: assignment, implementation, evidence, and decisions.

    • Target-versus-actual comparisons can be generated automatically instead of maintained by hand
    • Changes between catalog versions become diff-able and explainable
    • Evidence and justifications link to stable requirement identifiers

    Machine-readable does not mean automatically compliant

    An OSCAL catalog does not do the security work for anyone. It makes the work structurable: teams that cleanly link requirements, implementation, and evidence gain auditability and speed. Teams that only switch formats have merely built a prettier archive.

    A measured transition

    Existing security concepts based on Edition 23 do not lose their value overnight – the modernization is a transition that the BSI is detailing step by step. The direction, however, is unambiguous, and teams that organize their structure early benefit twice: today's work gets cleaner, and the later switch gets smaller.

    Three preparations have proven useful in our view. They pay off regardless of when an organization formally moves to IT-Grundschutz++.

    • Structure existing implementations and evidence so they are unambiguously mapped to requirements
    • Audit your tools: can they read OSCAL catalogs natively – or only import and forget?
    • Get first-hand experience with the format, for example by opening and checking a catalog in the OSCAL Validator

    Our take

    We built Secani OSCAL-native from day one – out of the conviction that compliance content should be structured data long before regulators demand it. That the BSI is now taking IT-Grundschutz exactly there confirms the path. If you are preparing the transition to IT-Grundschutz++ and want more than a prettier archive, talk to us.

    Build auditable compliance workflows

    Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.

    Request demo

    Related posts

    All posts
    Regulatorik
    NIS2: Germany's grace period is ending

    Only about a third of affected companies registered with the BSI on time. Until the end of July 2026 this can be fixed – after that, it gets expensive.

    Read
    OSCAL
    FedRAMP goes machine-readable

    With RFC-0024 and the Consolidated Rules 2026, FedRAMP makes structured authorization data mandatory. The deadlines are staggered – the direction is unambiguous.

    Read
    OSCAL
    The OSCAL tools landscape

    The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.

    Read