How does the combined approach of Grundschutz and risk analysis work as a process (BSI 200-3)?
Implement Grundschutz first (~80% of cases); where residual risk remains too large, run a focused risk analysis and supplement measures — that's the BSI 200-3 procedure.
* The combined two-stage approach — apply Grundschutz, then where Restrisiko stays too large run a BSI 200-3 risk analysis. *
Process flow of the combined approach:
- Delimit the system and perform a rough risk consideration
- Apply Grundschutz (covers roughly 80% — "80% Grundschutz")
- Ask: Restrisiko zu gross? (residual risk too large?)
- No (damage potential small) → done
- Yes → perform a comprehensive risk analysis for those areas (~20% extended protection) and supplement Grundschutz with additional measures in the relevant areas
Within the BSI 200-2 process chain, this appears as: structure analysis → protection needs assessment → Grundschutz analysis (modeling + basic security check) → supplementary security analysis → supplementary risk analysis (BSI 200-3) → consolidation of measures → implementation.
BSI 200-3 provides the consistent risk-analysis method on top of Grundschutz, reusing the elementary threats as its threat catalog.
Go deeper:
Lektion 7: Risikoanalyse nach BSI 200-3 (BSI Online-Kurs) — Schritt-für-Schritt-Risikoanalyse nach BSI-Standard 200-3 auf dem Grundschutz aufsetzend.
BSI-Standards (200-3 Risikoanalyse) — Einordnung von 200-3 in die Standard-Familie.