Quiz Entry - updated: 2026.06.20
What is BSI Standard 200-3 and when is a supplementary risk analysis required?
BSI 200-3 covers risk analysis based on IT-Grundschutz. It's needed when the standard Grundschutz measures aren't sufficient — for assets with high security requirements or unusual scenarios.
* The BSI 200-3 process; a supplementary risk analysis kicks in only where standard Grundschutz isn't enough. *
When standard IT-Grundschutz is sufficient:
- The standard security measures from the IT-Grundschutz catalogs typically cover most situations
When a supplementary risk analysis is needed:
- Assets with particularly high security requirements
- Assets not covered by the IT-Grundschutz catalogs
- Assets used in scenarios not foreseen by IT-Grundschutz
The BSI risk analysis process:
- Structural analysis — Map your IT landscape
- Protection needs assessment — Determine what needs how much protection
- Modeling — Map IT-Grundschutz building blocks to your assets
- Baseline security check I — Gap analysis (target vs. actual)
- Supplementary security analysis — Identify where Grundschutz isn't enough
- If needed: Risk analysis (threat overview, additional threats, threat assessment, risk treatment, consolidation)
- Baseline security check II — Verify after implementing additional measures
- Implementation — Put measures into practice