What is an IT Security Concept?
An IT Security Concept is a key document in public IT tenders. It describes the technical and organizational measures (TOMs) with which a bidder protects the confidentiality, integrity, and availability of the data and IT systems covered by the contract. In public procurement it is frequently either a mandatory suitability criterion (the bidder must have one to qualify at all) or an award criterion (its quality is scored against competing bids), so it should be written for the specific contract rather than copied from a generic template.
Legal Framework
| Legal basis | Relevance |
|---|---|
| BSI IT-Grundschutz | German baseline security methodology (BSI Standards 200-1 to 200-3) with the IT-Grundschutz Compendium as the control catalogue |
| ISO 27001 | International standard for information security management systems (ISMS); certification is possible on the basis of IT-Grundschutz |
| GDPR Art. 32 | Security of processing: technical and organizational measures appropriate to the risk |
| IT Security Act 2.0 (amending the BSI Act) | Obligations for operators of critical infrastructure (KRITIS) and companies in the special public interest |
| EVB-IT Cloud Terms | Standard contract terms for cloud services procured by German public bodies, including IT security and data location requirements |
Contents of an IT Security Concept
Organizational security: ISMS, security organization and roles, employee training, incident response, business continuity management.
Technical security: Network security and segmentation, encryption in transit and at rest, authentication and access control (including least privilege), patch and vulnerability management, backup and recovery.
Physical security: Data center security, location and geo-redundancy, environmental monitoring.
Data protection: Processing of personal data, data processing agreement (Art. 28 GDPR), data location (EU/EEA requirement), deletion concept.
Requirement Levels in Tenders
| Level | Requirement | Typical Tender |
|---|---|---|
| Basic | BSI IT-Grundschutz basic protection (Basis-Absicherung) | Simple IT services |
| Standard | BSI IT-Grundschutz standard protection (Standard-Absicherung), the level on which an ISO 27001 certificate on the basis of IT-Grundschutz is issued | Government IT |
| Enhanced | BSI core protection (Kern-Absicherung) for the most critical assets, plus ISO 27001 certification | Critical infrastructure |
| Very high | BSI C5 attestation, ISO 27017, SOC 2 report | Cloud services for authorities |
Note that in the BSI model core protection is a scoped approach for an organization's most critical assets rather than a strictly higher tier above standard protection. Check the tender's exact wording for which approach and which certificate or attestation is actually required, and for whether self-declarations are accepted.
Common Mistakes in Bids
- Too generic security descriptions without reference to the specific contract, its systems, and its data
- Missing or expired certificates (ISO 27001 or ISO 27001 on the basis of IT-Grundschutz), or a certificate whose scope does not cover the offered service
- Unclear data location statements (where data is stored, processed, and administered, including by subcontractors and support staff)
- No incident response description (detection, escalation, reporting chain and deadlines, contact persons)
- Forgetting subcontractor security requirements (the same obligations must be passed on to every subcontractor involved)
Patterno Helps
With Patterno-HIT, you can find IT tenders that carry specific security requirements. Our AI recognizes requirements such as "BSI Grundschutz," "ISO 27001," "C5 attestation," or "critical infrastructure" and filters tenders that match your security profile.