
Protection requirements analysis

A protection requirements analysis determines, for each information asset, how high the protection needs are in the three core values of confidentiality, integrity and availability, forming the basis for selecting appropriate security measures.

The protection requirements analysis is a central step in information security management. It assigns a protection level to every asset worth protecting, such as information, IT systems, applications, rooms or communication links. This is assessed separately for the three classic core values of information security: confidentiality (protection against unauthorised disclosure), integrity (protection against unauthorised or undetected modification) and availability (timely usability for authorised purposes). The result is typically expressed in categories such as "normal", "high" and "very high", derived from the potential impact of damage.

Methodologically, the protection requirements analysis in the BSI IT-Grundschutz approach (BSI Standard 200-2) rates each core value against predefined damage scenarios: breaches of laws, regulations or contracts, impairment of the right to informational self-determination, danger to life and limb, impaired ability to perform tasks, negative internal or external effects, and financial impact. The rating and its justification are recorded per asset and per core value. For target objects that process several pieces of information (IT systems, applications, rooms, communication links), the protection requirement is derived by inheritance: the maximum principle gives the target object the highest protection requirement of the information it processes; the cumulation effect can raise that level where many items whose individual damage would be small are concentrated on one object, so that the total damage becomes larger; and the distribution effect can lower it where a function or the data is spread redundantly over several objects, so that the failure or compromise of one of them causes less damage. Dependencies work in the same direction: a system inherits the requirements of the applications that run on it.

The outcome of the protection requirements analysis directly drives the selection and depth of security measures and the downstream risk management: assets with high or very high protection needs in at least one core value require a supplementary risk analysis (BSI Standard 200-3), as do assets that cannot be adequately modelled with the standard IT-Grundschutz modules or are operated in a way those modules do not anticipate, whereas normal protection needs can be met with standard safeguarding under IT-Grundschutz or equivalent measures. A documented protection requirements analysis that is revisited whenever assets, processes or the threat situation change is therefore an essential building block of an effective ISMS, and it supports the evidence of appropriate technical and organisational measures that ISO/IEC 27001 and the NIS2 Directive require.
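The inheritance rules and the risk-analysis trigger described above can be expressed as a small, auditable calculation. The following is an added example written for this page, not preeco's software or BSI's own tooling; the asset inventory is constructed, the cumulation threshold (four assets at the same level raise it one step) and the restriction of the distribution effect to availability are assumptions chosen for illustration, since BSI Standard 200-2 leaves such thresholds to the organisation and only requires the reasoning to be documented:

```python
# Added example (not preeco's code): deriving the protection requirement of an
# IT system from the information it processes, following the BSI IT-Grundschutz
# inheritance principles. The cumulation threshold and the restriction of the
# distribution effect to availability are assumptions made for illustration.
from dataclasses import dataclass

LEVELS = ("normal", "high", "very high")  # ordered protection levels
CORE_VALUES = ("confidentiality", "integrity", "availability")
CUMULATION_THRESHOLD = 4  # assumption: this many assets at the maximum level raise it one step


def shift(level: str, steps: int) -> str:
    """Move a level up (steps > 0) or down (steps < 0), clamped to the scale."""
    idx = min(max(LEVELS.index(level) + steps, 0), len(LEVELS) - 1)
    return LEVELS[idx]


@dataclass
class System:
    name: str
    processes: list          # names of the information assets processed on the system
    redundant: bool = False  # function is provided redundantly by several systems


# Constructed sample inventory (not from the page): protection needs of
# information assets as (confidentiality, integrity, availability).
ASSETS = {
    "consumption readings": ("high", "high", "normal"),
    "invoice data":         ("normal", "high", "normal"),
    "customer master data": ("high", "normal", "normal"),
    "tariff tables":        ("normal", "normal", "normal"),
    "outage statistics":    ("normal", "normal", "normal"),
    "load profiles":        ("normal", "normal", "high"),
    "grid topology":        ("normal", "normal", "normal"),
}

SYSTEMS = [
    System("billing system", ["consumption readings", "invoice data", "customer master data"]),
    System("reporting cluster", ["load profiles", "tariff tables", "outage statistics"], redundant=True),
    System("operations dashboard", ["tariff tables", "outage statistics", "load profiles", "grid topology"]),
]


def derive_requirements(system: System) -> dict:
    """Return {core value: (level, justification)} for one system."""
    result = {}
    for pos, cv in enumerate(CORE_VALUES):
        levels = [ASSETS[name][pos] for name in system.processes]
        # Maximum principle: the system inherits the highest need of its information.
        level = max(levels, key=LEVELS.index)
        at_max = levels.count(level)
        why = [f"maximum principle: {level} ({at_max} of {len(levels)} assets)"]
        # Cumulation effect: many assets at the same level on one system mean a
        # larger total damage, so the level is raised one step (threshold is an assumption).
        if at_max >= CUMULATION_THRESHOLD and level != LEVELS[-1]:
            level = shift(level, +1)
            why.append(f"cumulation effect: raised to {level}")
        # Distribution effect: if the function is redundantly distributed, the
        # outage of this one system does less damage, so availability may be
        # lowered one step (assumption: applied to availability only).
        if cv == "availability" and system.redundant and level != LEVELS[0]:
            level = shift(level, -1)
            why.append(f"distribution effect: lowered to {level}")
        result[cv] = (level, "; ".join(why))
    return result


def needs_risk_analysis(requirements: dict) -> bool:
    """BSI 200-2 rule: high or very high in at least one core value triggers a risk analysis."""
    return any(LEVELS.index(level) >= LEVELS.index("high") for level, _ in requirements.values())


def protection_levels(system: System) -> dict:
    """Only the derived levels, without the justification text."""
    return {cv: level for cv, (level, _) in derive_requirements(system).items()}


if __name__ == "__main__":
    for system in SYSTEMS:
        reqs = derive_requirements(system)
        verdict = "required" if needs_risk_analysis(reqs) else "not required"
        print(f"{system.name}: supplementary risk analysis {verdict}")
        for cv, (level, why) in reqs.items():
            print(f"  {cv:<16} {level:<10} {why}")
```

Running the script prints, for each system, the derived level per core value together with the principle that produced it; the justification string is the part an auditor will ask for, so it is kept next to the result rather than recomputed later. The billing system ends up high/high/normal and needs a risk analysis, the redundant reporting cluster has its availability lowered back to normal by the distribution effect, and the operations dashboard is raised to high by cumulation even though every asset on it was rated normal for confidentiality and integrity.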

Legal Basis

BSI Standard 200-2 (IT-Grundschutz methodology); ISO/IEC 27001 (in particular Annex A.5.12 Classification of information); Art. 21 NIS2 Directive (EU) 2022/2555

Practical Example

A municipal utility operating critical infrastructure carries out a protection requirements analysis for its billing system. Because the system processes personal consumption data, confidentiality is rated "high"; because incorrect invoices would have significant financial and legal consequences, integrity is also rated "high". Availability is initially assessed as "normal", since an outage of a few hours is tolerable. Because two core values are rated high, the information security officer triggers a supplementary risk analysis and records the ratings and their justifications in an audit-proof manner for the upcoming TISAX or ISO 27001 audit.

FAQ

Which protection goals are assessed in a protection requirements analysis?
The three classic protection goals of information security are assessed: confidentiality, integrity and availability. For each asset, the level of protection needed is rated separately per core value, usually on the scale of normal, high and very high.

What are the maximum principle, cumulation effect and distribution effect?
These inheritance principles derive the protection requirements of composite assets from the information they process. The maximum principle adopts the highest protection requirement of the processed information, the cumulation effect raises it when many assets accumulate on one object, and the distribution effect can lower it where the function or the data is spread redundantly over several objects.

When is a supplementary risk analysis required?
A supplementary risk analysis must be carried out whenever an asset is rated high or very high in at least one core value. For normal protection needs, standard safeguarding under IT-Grundschutz or equivalent measures is generally sufficient.
