From Initial Consultation to Certification: Your Path to BSI IT-Grundschutz

[Figure: The path to BSI IT-Grundschutz in four phases – structured implementation with Atlassian tools.]
ℹ️ tl;dr
  • Initial assessment based on BSI IT-Grundschutz: Scope, relevant modules, and the target certification level are clearly defined.
  • Jira as a control instrument: Requirements, risks, and measures are brought together – with transparent responsibilities, deadlines, and workflows.
  • Confluence as an evidence base: Policies, logs, and documentation are bundled in an audit-proof manner and linked with Jira.
  • Phased plan with quick wins: Growing maturity and structured evidence management all the way to certification.

In many federal authorities, state authorities, and municipal administrations, a similar item appears on the agenda: IT security in accordance with BSI IT-Grundschutz, ideally with certification. At the same time, specialist procedures, digitalization projects, and staff changes are ongoing. Time for a structured security project is often scarce. This is exactly where Honicon comes in.

Honicon, a small IT consulting firm with a focus on the Atlassian ecosystem, has been supporting public administrations and public-sector organizations for years. Jira, Confluence, and Assets form the backbone in many projects for structured processes, traceability, and audit-proof documentation. The team includes a BSI IT-Grundschutz–certified specialist who also works as an external information security officer within government structures.

Everything starts with a goal.

Within a year, the organization could report to citizens and supervisors that its IT security meets the highest standards and that a BSI certificate has been obtained.

At first glance, the path there may seem long. With a clear roadmap, complexity is significantly reduced.

[Figure: BSI IT-Grundschutz in four phases – with a clear timeline and the right Atlassian tools.]

Months 1–3 – Analysis, Scope, Structure

The process begins with an initial assessment. Which business processes are critically important? Which information flows through specialist applications, collaboration platforms, and interfaces? In this phase, Honicon uses the modular structure of BSI IT-Grundschutz as a framework. This results in a concrete target state for each authority:

  • scope
  • relevant modules
  • desired certification level

Jira supports this phase as a central control instrument. Requirements, risks, and measures converge there, responsibilities are transparently assigned, and deadlines are clearly visible. Confluence serves in parallel as a knowledge repository for policies, logs, and work instructions.

From a resource perspective: During these first three months, a core team from information security, IT operations, and organizational units is usually sufficient. A few hours per week are invested in workshops, documentation, and coordination. The budget remains manageable and focuses on consulting, training, and basic configuration of the Atlassian systems.

An initial quick win emerges from clearly defined responsibilities. Accountability for information domains, applications, and protection needs assessments is documented in black and white. This provides management and specialist departments with tangible results.

Months 4–6 – Implementation in Daily Operations, Initial Measures

After the analysis comes the transition into everyday administrative operations. Formal requirements evolve into practical processes. Typical examples include structured change processes, defined reporting channels for security incidents, and binding rules for administrator privileges.

Jira maps these processes as workflows. A change request passes through clearly defined steps, approvals are logged, and follow-up questions no longer run through scattered email chains. Assets provides the foundation for an orderly inventory of systems, applications, servers, and interfaces – a central prerequisite for BSI IT-Grundschutz.

From a resource perspective: Effort increases slightly in this phase. IT works more intensively on processes, while specialist departments contribute practical expertise. For many administrations, an approach with short, regular meetings is more suitable than long project sessions. Budget items include configuration, training, and possibly initial automation.

Another quick win becomes visible in transparency: Management levels can see at a glance how many measures have already been implemented, which risks remain open, and which BSI IT-Grundschutz modules already appear to be solidly covered.

Months 7–9 – Consolidation, Evidence, Fine-Tuning

In the third stage, the project visibly approaches certification level. Technical and organizational measures are in place; now the focus shifts to evidence.

Confluence is well suited as a central platform for policies, procedural instructions, emergency manuals, and training materials. Versioning, permissions, and links to Jira tickets later make it easier for auditors to trace findings.

Honicon’s BSI IT-Grundschutz expert structures the evidence collection together with the authority. For each relevant module, a package of documents, tickets, logs, and technical evidence is created. An external information security officer in this role provides distance from day-to-day operations and communicates with auditors on an equal footing.

From a resource perspective: Effort shifts more strongly toward documentation and quality assurance. Specialist departments review processes once again from a realistic perspective, while IT supplements technical details. The budget focuses on support from the information security officer (ISB), audit preparation workshops, and possibly adjustments to Atlassian workflows.

Quick wins in this phase include a structured emergency concept, initial test runs for recovery scenarios, and training for key roles. Even before the actual audit, this increases the organization’s real resilience.

Months 10–12 – Audit Preparation and Certification

Toward the end of the twelve-month plan, the formal aspects come to the forefront. Internal pre-audits simulate the later assessment. Critical questions, missing evidence, and unclear wording are identified in time.

In this phase, Jira provides a kind of audit trail: Which measure arose from which risk, who was responsible, what deadline applied, and what result is available? Confluence, in parallel, keeps all official documents, policies, and logs in a consistent structure.

Practical tips from consulting experience feed into the preparation: clear roles during audit meetings, short paths for follow-up questions, well-organized digital folder structures, unambiguous document naming, and calm moderation toward auditors.

Ideally, the authority emerges from the audit not only with a certificate, but with confidence: information security is no longer treated as a temporary project, but as a permanent element of internal governance.

Honicon as a Partner Along the Entire Journey

[Figure: Get Started Now – Phase 1 of BSI IT-Grundschutz]

Honicon supports this journey from the initial high-level assessment through to evaluation of the audit. The consulting offering is explicitly aimed at public-sector clients in the planning phase who view BSI IT-Grundschutz not as an abstract rule set, but as a realistic foundation for secure, well-documented administrative processes.

Experience with Jira, Confluence, Assets and related Atlassian systems meets deep expertise in BSI IT-Grundschutz. From this combination emerges an approach that consistently uses technical platforms to support information security – instead of introducing additional isolated solutions.

At the end of the described year, ideally the initial vision has become reality: an authority that does not merely communicate IT security, but substantiates it. Citizens, political bodies, and supervisory authorities see a clear signal. Information security moves from a peripheral topic to the center of responsible administrative practice.