LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

What is BSI Standard 200-3 and when is a supplementary risk analysis required?

BSI 200-3 covers risk analysis based on IT-Grundschutz. It's needed when the standard Grundschutz measures aren't sufficient — for assets with high security requirements or unusual scenarios.

Eight-step BSI risk analysis serpentine from structural analysis to implementation.

* The BSI 200-3 process; a supplementary risk analysis kicks in only where standard Grundschutz isn't enough. *

When standard IT-Grundschutz is sufficient:

  • The standard security measures from the IT-Grundschutz catalogs typically cover most situations

When a supplementary risk analysis is needed:

  • Assets with particularly high security requirements
  • Assets not covered by the IT-Grundschutz catalogs
  • Assets used in scenarios not foreseen by IT-Grundschutz

The BSI risk analysis process:

  1. Structural analysis — Map your IT landscape
  2. Protection needs assessment — Determine what needs how much protection
  3. Modeling — Map IT-Grundschutz building blocks to your assets
  4. Baseline security check I — Gap analysis (target vs. actual)
  5. Supplementary security analysis — Identify where Grundschutz isn't enough
  6. If needed: Risk analysis (threat overview, additional threats, threat assessment, risk treatment, consolidation)
  7. Baseline security check II — Verify after implementing additional measures
  8. Implementation — Put measures into practice

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Jun 20, 2026