Quiz Entry - updated: 2026.07.05
How are the requirements in the IT-Grundschutz-Kompendium classified?
Requirements are graded by protection level (Basis → Standard → high protection need) and by bindingness (MUSS → SOLL → KANN).
* The two grading dimensions — protection level (Basis · Standard · erhöht) and bindingness (MUSS · SOLL · KANN). *
Two independent grading dimensions:
By protection level:
- Basis (basic) — the absolute minimum, first measures to implement
- Standard — corresponds to "normal protection need"; this level is the basis for certification "ISO 27001 based on IT-Grundschutz"
- Erhöhter Schutzbedarf (high protection need) — additional requirements for sensitive areas
By bindingness (modal verbs, used very deliberately):
- MUSS / DARF NUR ("must / may only") — mandatory parts, no exceptions
- SOLL ("should") — deviation possible, but must be justified and documented
- KANN ("can") — optional, best practice
The IT-Grundschutz requirements are deliberately more concrete than the corresponding generic ISO 27001 controls, and detailed implementation guidance (analogous to ISO 27002) exists for them.
Tip: Same logic as RFC 2119's MUST/SHOULD/MAY — security standards love this three-step bindingness ladder.
Go deeper:
IT-Grundschutz-Kompendium (BSI) — Quelle der Anforderungs-Systematik (Basis/Standard/erhöht und MUSS/SOLL/KANN).