When must a supplementary security analysis (ergänzende Sicherheitsanalyse) be performed?
When a target object has high/very high protection needs, has no fitting building block, or is operated in an atypical way or environment.
* The three triggers for an ergänzende Sicherheitsanalyse — high/very-high Schutzbedarf, no fitting Baustein, or untypical use (any one suffices). *
The ergänzende Sicherheitsanalyse is required for individual target objects if at least one of three triggers applies:
- Protection need "hoch" or "sehr hoch" in at least one of the three basic values (C, I, A) — standard Grundschutz only guarantees the normal level
- No suitable building block exists in the Kompendium for the object — its risks were never analyzed by the BSI
- The object is operated in an untypical manner or environment — the block's assumptions may not hold (e.g. a server in a vehicle, standard software in a safety-critical context)
Its possible outcomes: either the Grundschutz measures (perhaps with additions) are deemed sufficient, or further investigations — e.g. a full risk analysis per BSI 200-3 — are necessary.
Tip: Three triggers, one logic: the standard blocks' built-in risk assessment doesn't apply (too much at stake, no block, or wrong assumptions).
Go deeper:
Lektion 7: Risikoanalyse (BSI Online-Kurs) — Die Auslöser für eine weitergehende Analyse (hoher/sehr hoher Schutzbedarf, kein passender Baustein, untypischer Einsatz).