LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does the combined approach of Grundschutz and risk analysis work as a process (BSI 200-3)?

Implement Grundschutz first (~80% of cases); where residual risk remains too large, run a focused risk analysis and supplement measures — that's the BSI 200-3 procedure.

Flow: delimit system, apply Grundschutz, decision Restrisiko too large, then done or run BSI 200-3.

* The combined two-stage approach — apply Grundschutz, then where Restrisiko stays too large run a BSI 200-3 risk analysis. *

Process flow of the combined approach:

  1. Delimit the system and perform a rough risk consideration
  2. Apply Grundschutz (covers roughly 80% — "80% Grundschutz")
  3. Ask: Restrisiko zu gross? (residual risk too large?)
    • No (damage potential small) → done
    1. Yes → perform a comprehensive risk analysis for those areas (~20% extended protection) and supplement Grundschutz with additional measures in the relevant areas

Within the BSI 200-2 process chain, this appears as: structure analysis → protection needs assessment → Grundschutz analysis (modeling + basic security check) → supplementary security analysis → supplementary risk analysis (BSI 200-3) → consolidation of measures → implementation.

BSI 200-3 provides the consistent risk-analysis method on top of Grundschutz, reusing the elementary threats as its threat catalog.

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026