When and why do you need BSI-Standard 200-3 (Risikoanalyse)?
When the standard baseline controls in the IT-Grundschutz-Kompendium are not enough — typically for assets with high protection needs, components not covered by the Kompendium, or unusual operating scenarios.
* 200-3 only kicks in where the baseline is not enough — you pay the risk-analysis tax on selected objects, not everything. *
The trigger conditions:
- Objects with besonders hohen Sicherheitsanforderungen.
- Objects that are nicht im IT-Grundschutz-Kompendium behandelt.
- Objects that are operated in Einsatzszenarien outside the assumed range of the Kompendium (e.g., extreme environments, special compliance).
200-3 specifies the additional risk analysis on top of the baseline. It references ISO 27005 as the conceptual foundation.
Workflow:
1. Apply IT-Grundschutz baseline (Bausteine from Kompendium).
2. Find objects where baseline is not enough.
3. Run BSI 200-3 risk analysis on those objects only.
4. Add the resulting additional controls to the Sicherheitskonzept.
Tip: This is the elegant part of Grundschutz: you only pay the risk-analysis tax where it actually matters. Compared to a pure-ISO programme (which assumes you risk-analyse everything from scratch), 200-3 saves enormous amounts of effort.
Go deeper:
BSI-Standards overview (official, DE) — 200-3 bundles the risk-related work steps of IT-Grundschutz.
IT baseline protection (Wikipedia, EN) — where the extra risk analysis fits after the baseline.