BSI Standard 200-3 is a core component of the BSI’s IT-Grundschutz methodology, alongside Standards 200-1 and 200-2. It describes the procedure for performing a risk analysis within IT-Grundschutz and bundles all risk-related work steps of an IT-Grundschutz implementation in one document. In 2017, Standard 200-3 replaced the previous Standard 100-3.
What is BSI Standard 200-3?
The title of BSI Standard 200-3 is “Risk Analysis based on IT-Grundschutz”. Together with BSI Standards 200-1 (information security management systems) and 200-2 (IT-Grundschutz methodology), it forms the core of the IT-Grundschutz methodology of the Federal Office for Information Security (BSI). The standard is aimed at institutions such as companies and public authorities.
Among other things, it describes how to prepare and carry out a risk analysis that builds on the results of the IT-Grundschutz methodology, in particular the structure analysis, the determination of protection requirements and the IT-Grundschutz check. The standard bundles all risk-related steps of an IT-Grundschutz implementation.
200-3 is intended for institutions that already work with the IT-Grundschutz methodology and want to supplement it with a risk analysis for target objects where the standard safeguards alone are not sufficient. Building on the existing security concept and the IT-Grundschutz Compendium, 200-3 presents a risk analysis that is carried out in individual steps.
The document addresses information security officers, executives, project managers, security consultants and security experts. As part of the modernization of the BSI’s IT-Grundschutz methodology, Standard 200-3 replaced the older Standard 100-3. Among other things, the revision introduced a simplified threat model based on elementary threats. The annex of the standard establishes a direct reference to ISO 31000.
Objectives and content of BSI Standard 200-3
The objective of BSI Standard 200-3 is to provide a recognized procedure that is as simple as possible for identifying, assessing and treating information security risks. A risk analysis is required in particular for target objects with a high or very high protection requirement for confidentiality, integrity or availability, for target objects that cannot be adequately modelled with the modules of the IT-Grundschutz Compendium, and for target objects used in a way the modules do not foresee. BSI Standard 200-3 describes the step-by-step implementation of such a risk analysis.
The following basic steps are suggested:
- Preliminary work for the risk analysis
- Creation of a threat overview (the relevant elementary threats for each target object)
- Extension of the overview with additional threats
- Classification of the risks
- Treatment of the risks
- Keeping risks under observation
- Consolidation of the security concept
- Feedback of the results into the security process
The complete risk analysis process is an integral part of information security management. Each risk is classified by rating the frequency of occurrence of the threat and the extent of damage it would cause, and combining the two ratings in a risk matrix. Risks above the level the institution is willing to accept are treated by avoidance, reduction (additional safeguards), transfer or justified acceptance; the risk is then re-rated with the planned safeguards applied, and comparing the residual risk with the original rating shows whether the safeguards are effective.
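As an added illustration of the classification and treatment steps described above (example code written for this article, not code from the BSI or the standard): the frequency, damage and risk classes follow the standard's example scheme, while the risk matrix, the acceptable risk level, the target object S-DB-01, the threat ratings and the safeguards are constructed assumptions that a real institution replaces with its own. The G 0.x numbers follow the Compendium's elementary threat list and should be checked against the current edition.

```python
"""Risk classification and treatment in the style of BSI Standard 200-3.

Constructed illustration written for this article, not BSI code. The matrix,
the acceptance threshold, the target object, ratings and measures are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum

# Rating scales, ordered so that a lower value is always the better rating.
Frequency = IntEnum("Frequency", "RARE MEDIUM FREQUENT VERY_FREQUENT", start=0)
Damage = IntEnum("Damage", "NEGLIGIBLE LIMITED SIGNIFICANT EXISTENCE_THREATENING", start=0)
Risk = IntEnum("Risk", "LOW MEDIUM HIGH VERY_HIGH", start=0)

# Assumed risk matrix (row = frequency of occurrence, column = extent of damage).
# 200-3 leaves the concrete matrix to the institution; it only needs to be monotone.
RISK_MATRIX = {
    Frequency.RARE:          (Risk.LOW, Risk.LOW, Risk.MEDIUM, Risk.HIGH),
    Frequency.MEDIUM:        (Risk.LOW, Risk.MEDIUM, Risk.HIGH, Risk.HIGH),
    Frequency.FREQUENT:      (Risk.LOW, Risk.MEDIUM, Risk.HIGH, Risk.VERY_HIGH),
    Frequency.VERY_FREQUENT: (Risk.MEDIUM, Risk.HIGH, Risk.VERY_HIGH, Risk.VERY_HIGH),
}


def classify(frequency: Frequency, damage: Damage) -> Risk:
    """Risk classification: look the (frequency, damage) pair up in the matrix."""
    return RISK_MATRIX[frequency][damage]


@dataclass(frozen=True)
class Threat:
    """One line of the threat overview for a target object."""
    ident: str          # elementary threat number as used in the Compendium
    name: str
    frequency: Frequency
    damage: Damage


@dataclass(frozen=True)
class Measure:
    """Candidate safeguard and the rating it is expected to achieve (None = unchanged)."""
    name: str
    frequency_after: Frequency | None = None
    damage_after: Damage | None = None


@dataclass(frozen=True)
class TreatmentResult:
    threat: Threat
    initial_risk: Risk
    residual_risk: Risk
    option: str         # "accept", "reduce" or "escalate"
    applied: tuple[str, ...]


def treat(threat: Threat, measures: list[Measure], acceptable: Risk) -> TreatmentResult:
    """Risk treatment: accept risks at or below the acceptable level (they stay
    under observation); otherwise apply the measures, re-rate the risk, and
    escalate to management (avoidance, transfer or justified acceptance) if
    the residual risk is still above the threshold."""
    initial = classify(threat.frequency, threat.damage)
    if initial <= acceptable:
        return TreatmentResult(threat, initial, initial, "accept", ())
    freq, dmg, applied = threat.frequency, threat.damage, []
    for m in measures:
        if m.frequency_after is not None:
            freq = min(freq, m.frequency_after)
        if m.damage_after is not None:
            dmg = min(dmg, m.damage_after)
        applied.append(m.name)
    residual = classify(freq, dmg)
    option = "reduce" if residual <= acceptable else "escalate"
    return TreatmentResult(threat, initial, residual, option, tuple(applied))


ACCEPTABLE = Risk.MEDIUM   # assumed management decision on acceptable risk
# Constructed threat overview for a fictitious target object.
TARGET_OBJECT = "S-DB-01 customer database server (protection requirement: high)"
THREAT_OVERVIEW = [
    (Threat("G 0.28", "Software vulnerabilities or errors", Frequency.FREQUENT, Damage.SIGNIFICANT),
     [Measure("Patch SLA and vulnerability scanning", frequency_after=Frequency.MEDIUM),
      Measure("Network segmentation", damage_after=Damage.LIMITED)]),
    (Threat("G 0.45", "Data loss", Frequency.RARE, Damage.EXISTENCE_THREATENING),
     [Measure("Offline backups with tested restores", damage_after=Damage.LIMITED)]),
    (Threat("G 0.40", "Denial of service", Frequency.MEDIUM, Damage.LIMITED), []),
    (Threat("G 0.19", "Disclosure of sensitive information", Frequency.FREQUENT,
            Damage.EXISTENCE_THREATENING),
     [Measure("Encryption of data at rest", damage_after=Damage.SIGNIFICANT)]),
]


def run_analysis() -> list[TreatmentResult]:
    """Treat every threat in the overview; the results feed the security concept."""
    return [treat(threat, measures, ACCEPTABLE) for threat, measures in THREAT_OVERVIEW]


if __name__ == "__main__":
    for r in run_analysis():
        print(r.threat.ident, r.initial_risk.name, "->", r.residual_risk.name, r.option)
```

Running the script prints one line per threat with the initial and residual risk category and the chosen option. "escalate" marks the case 200-3 hands back to management: the planned safeguards do not bring the residual risk down to the acceptable level, so a documented decision on avoidance, transfer or justified acceptance is required before the result can be consolidated into the security concept.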
Brief review of 100-3
The IT-Grundschutz methodology of the Federal Office for Information Security has existed in its basic form since 1994. As part of its modernization, the three BSI Standards 100-1, 100-2 and 100-3, which dated from 2008, were revised in 2017 and republished as the 200 series.
New in 200-3 is the bundling of all risk-related work steps and aspects of risk management in one document. In addition, a simplified threat model was introduced: the revision consolidated around 450 specific threats from the former threat catalogues into 46 elementary threats. The elementary threats are compatible with comparable international standards and are product- and technology-neutral.