LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Why must protection-need categories be individualized per organization, and which damage scenarios are used for this?

Because "considerable damage" means something completely different for a corner shop than for a bank — each organization defines the categories using six typical damage scenarios.

A fixed money threshold (say, €100k) would be existential for a small business and a rounding error for a multinational. So each organization defines what normal/high/very high means for itself — e.g. a company might set "normal" as: financial damage below €50,000, no noticeable disruption beyond 24 hours, minor legal consequences, no lasting reputational harm.

The six typical damage scenarios used to anchor the definitions:

  1. Violations of laws, regulations, or contracts
  2. Impairment of informational self-determination (privacy rights of individuals)
  3. Impairment of personal integrity (physical harm to persons)
  4. Impairment of task fulfilment (business/mission disruption)
  5. Negative external effects (reputation/image damage)
  6. Financial consequences

For each scenario and category you describe the expected impact — these descriptions later make every individual assessment justifiable and comparable.

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026