In BSI IT-Grundschutz controls, what's the difference between MUSS, SOLLTE, and KANN?
MUSS / DARF NUR = mandatory; SOLLTE / SOLLTE NUR = expected unless justified exception; KANN = optional best practice.
* Binding-force ladder mirroring RFC 2119: MUSS = MUST, SOLLTE = SHOULD, KANN = MAY. *
The keywords reflect the binding force of each control:
| Keyword | Meaning | Implementation reality |
|---|---|---|
| MUSS / DARF NUR | Verpflichtend (mandatory) | If not done, the deviation must be documented and justified |
| SOLLTE / SOLLTE NUR | Empfohlen (expected) — abweichen möglich | Default; deviation needs reasoning, but is allowed |
| KANN | Best practice (optional) | Implemented if time and budget allow |
For example, compare an ISO 27001 Annex A entry (A.11.1.2 Physische Zugangskontrolle and A.11.1.3 Sicherung von Lieferzonen) with a BSI Grundschutz module ("INF.1.A1 Zutrittsregelung und -kontrolle (Leiter Organisation)"). The BSI module is much more concrete and uses MUSS/SOLLTE/KANN keywords to set the binding force.
Tip: This vocabulary is borrowed from RFC 2119 (IETF). MUSS = MUST, SOLLTE = SHOULD, KANN = MAY. Many other standards use the same convention — it's the de-facto language of normative documents in IT.
Go deeper:
RFC 2119 — requirement keywords (IETF) — the MUST/SHOULD/MAY convention BSI's MUSS/SOLLTE/KANN borrows.
IT baseline protection (Wikipedia, EN) — how binding-force keywords are used inside Bausteine.