LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

When and why do you need BSI-Standard 200-3 (Risikoanalyse)?

When the standard baseline controls in the IT-Grundschutz-Kompendium are not enough — typically for assets with high protection needs, components not covered by the Kompendium, or unusual operating scenarios.

Four steps: apply baseline, find gaps, run 200-3 risk analysis on those objects only, add extra controls

* 200-3 only kicks in where the baseline is not enough — you pay the risk-analysis tax on selected objects, not everything. *

The trigger conditions:

  • Objects with besonders hohen Sicherheitsanforderungen.
  • Objects that are nicht im IT-Grundschutz-Kompendium behandelt.
  • Objects that are operated in Einsatzszenarien outside the assumed range of the Kompendium (e.g., extreme environments, special compliance).

200-3 specifies the additional risk analysis on top of the baseline. It references ISO 27005 as the conceptual foundation.

Workflow:

1. Apply IT-Grundschutz baseline (Bausteine from Kompendium).
2. Find objects where baseline is not enough.
3. Run BSI 200-3 risk analysis on those objects only.
4. Add the resulting additional controls to the Sicherheitskonzept.

Tip: This is the elegant part of Grundschutz: you only pay the risk-analysis tax where it actually matters. Compared to a pure-ISO programme (which assumes you risk-analyse everything from scratch), 200-3 saves enormous amounts of effort.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026