BSI-Standard 200-3: Risk Analysis based on IT-Grundschutz
The BSI-Standard 200-3 forms part of the IT-Grundschutz methodology and provides guidance for performing a risk analysis on target objects that may be exposed to high security risks, for example because their protection requirements exceed what the standard IT-Grundschutz safeguards cover.
For this, BSI 200-3 defines a two-step methodology for structured risk assessment:
- Threat Overview and Evaluation: A threat overview is compiled systematically, identifying the relevant assets (target objects) and the threats that apply to them. Existing and planned safeguards are then evaluated against these threats to determine which risks remain.
- Risk Treatment and Safeguard Assessment: The second step evaluates whether the security safeguards are adequate and determines how each identified risk should be handled.
Organisations may decide to accept certain risks, for example when
- the impact of the risk is low, or
- the cost of mitigation is disproportionately high relative to the likelihood of occurrence, even if the potential damage could be significant.
Such decisions are made during the second step, where a treatment strategy (avoidance, reduction, transfer or acceptance) is chosen for each identified risk and documented together with the reasoning behind it.