LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

In BSI IT-Grundschutz controls, what's the difference between MUSS, SOLLTE, and KANN?

MUSS / DARF NUR = mandatory; SOLLTE / SOLLTE NUR = expected unless justified exception; KANN = optional best practice.

Ladder from MUSS=MUST (mandatory) to SOLLTE=SHOULD to KANN=MAY (optional), noting RFC 2119 origin

* Binding-force ladder mirroring RFC 2119: MUSS = MUST, SOLLTE = SHOULD, KANN = MAY. *

The keywords reflect the binding force of each control:

Keyword Meaning Implementation reality
MUSS / DARF NUR Verpflichtend (mandatory) If not done, the deviation must be documented and justified
SOLLTE / SOLLTE NUR Empfohlen (expected) — abweichen möglich Default; deviation needs reasoning, but is allowed
KANN Best practice (optional) Implemented if time and budget allow

For example, compare an ISO 27001 Annex A entry (A.11.1.2 Physische Zugangskontrolle and A.11.1.3 Sicherung von Lieferzonen) with a BSI Grundschutz module ("INF.1.A1 Zutrittsregelung und -kontrolle (Leiter Organisation)"). The BSI module is much more concrete and uses MUSS/SOLLTE/KANN keywords to set the binding force.

Tip: This vocabulary is borrowed from RFC 2119 (IETF). MUSS = MUST, SOLLTE = SHOULD, KANN = MAY. Many other standards use the same convention — it's the de-facto language of normative documents in IT.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026