LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

When must a supplementary security analysis (ergänzende Sicherheitsanalyse) be performed?

When a target object has high/very high protection needs, has no fitting building block, or is operated in an atypical way or environment.

Radial hub of the three triggers for an ergänzende Sicherheitsanalyse.

* The three triggers for an ergänzende Sicherheitsanalyse — high/very-high Schutzbedarf, no fitting Baustein, or untypical use (any one suffices). *

The ergänzende Sicherheitsanalyse is required for individual target objects if at least one of three triggers applies:

  1. Protection need "hoch" or "sehr hoch" in at least one of the three basic values (C, I, A) — standard Grundschutz only guarantees the normal level
  2. No suitable building block exists in the Kompendium for the object — its risks were never analyzed by the BSI
  3. The object is operated in an untypical manner or environment — the block's assumptions may not hold (e.g. a server in a vehicle, standard software in a safety-critical context)

Its possible outcomes: either the Grundschutz measures (perhaps with additions) are deemed sufficient, or further investigations — e.g. a full risk analysis per BSI 200-3 — are necessary.

Tip: Three triggers, one logic: the standard blocks' built-in risk assessment doesn't apply (too much at stake, no block, or wrong assumptions).

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026