How is the protection need of an IT application determined in practice?
Per application, assess each basic value (C, I, A) using "what if…" questions from the users' perspective, based on the data it processes — and document the justification.
For every application, the protection need is determined separately for the three basic values Vertraulichkeit (confidentiality), Integrität (integrity), Verfügbarkeit (availability):
- Basis: the protection need of the data processed by the application
- Tool: the previously defined damage scenarios
- Perspective: the users of the application — ask "Was wäre, wenn…?" ("What would happen if this data leaked / were wrong / were unavailable?")
- Output: the category per basic value with a written justification that even management can follow
Example (BSI web course): for personnel data processing, confidentiality = high ("personnel data with strictly protected details could be disclosed"), integrity = normal ("erroneous data is detected and corrected quickly"), availability = normal ("outages up to a week can be bridged manually").
Tip: The justification text matters as much as the category — an auditor (and your management) reads the why, not the label.