LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How are the requirements in the IT-Grundschutz-Kompendium classified?

Requirements are graded by protection level (Basis → Standard → high protection need) and by bindingness (MUSS → SOLL → KANN).

Two-column classification — protection level Basis/Standard/erhöht beside bindingness MUSS/SOLL/KANN.

* The two grading dimensions — protection level (Basis · Standard · erhöht) and bindingness (MUSS · SOLL · KANN). *

Two independent grading dimensions:

By protection level:

  • Basis (basic) — the absolute minimum, first measures to implement
  • Standard — corresponds to "normal protection need"; this level is the basis for certification "ISO 27001 based on IT-Grundschutz"
  • Erhöhter Schutzbedarf (high protection need) — additional requirements for sensitive areas

By bindingness (modal verbs, used very deliberately):

  • MUSS / DARF NUR ("must / may only") — mandatory parts, no exceptions
  • SOLL ("should") — deviation possible, but must be justified and documented
  • KANN ("can") — optional, best practice

The IT-Grundschutz requirements are deliberately more concrete than the corresponding generic ISO 27001 controls, and detailed implementation guidance (analogous to ISO 27002) exists for them.

Tip: Same logic as RFC 2119's MUST/SHOULD/MAY — security standards love this three-step bindingness ladder.

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026