Protection Requirement Categories in Cyber Security
How organizations use BSI IT-Grundschutz protection requirement categories to prioritize IT security and allocate resources effectively.

Not every IT system in an organization deserves the same level of protection. A publicly accessible website has different requirements than an ERP system containing customer data or the control system of a production facility. This is exactly where protection requirement categories come into play, defined in BSI Standard 200-2 as part of the IT-Grundschutz methodology. They form the foundation for a systematic and proportionate approach to securing enterprise IT.
The Three Protection Requirement Categories
The BSI distinguishes three levels into which every information asset, IT system, or business process is classified.
- Normal: the impact of a security incident remains limited and manageable. In the BSI's illustrative figures, financial damage stays below 50,000 euros and an outage of more than 24 hours can still be tolerated; the actual thresholds are not prescribed and must be defined by each organization for its own situation. This level fits many standard applications and internal systems that do not handle sensitive data.
- High: an incident has considerable consequences, such as substantial contractual penalties, noticeable reputational damage, or (again in the BSI's illustrative figures) financial losses between 50,000 and 500,000 euros. Systems processing personal data and business-critical applications frequently fall into this category.
- Very high: an incident threatens the organization's existence. A system failure or data loss at this level can jeopardize the survival of the organization, lead to criminal liability, or in the worst case endanger the physical safety of individuals. Operators of critical infrastructure typically land at this level for the systems that deliver the critical service.
How Protection Requirements Are Determined
The assessment is not performed as a blanket evaluation but differentiated according to the three core values of information security: confidentiality, integrity, and availability. Each core value is assessed separately to determine the impact of a potential breach. The BSI defines six damage scenarios that feed into this evaluation: violations of laws or contracts, data protection infringements, threats to personal safety, impairment of task fulfillment, reputational damage, and financial impact.
A human resources management system, for instance, carries a high protection requirement for confidentiality because it contains sensitive employee data. Its availability, however, may be classified as normal if an outage of one to two days does not block critical processes. The highest result across all scenarios then determines the overall category for each core value.
Inheritance: Maximum Principle, Cumulation, and Distribution
In practice, servers rarely run just a single application, so a system's requirement has to be derived from what it hosts. BSI Standard 200-2 handles this with three inheritance rules in the protection requirements assessment: the maximum principle, the cumulation effect, and the distribution effect.
The maximum principle states that an IT system inherits the highest protection requirement of all applications running on it. If a server hosts one application with normal and another with high protection requirements, the entire server is classified as high.
The cumulation effect occurs when multiple applications with normal protection requirements each run on the same system. Individually, the failure of any single application may be tolerable, but the simultaneous failure of all applications can cause considerable damage. In such cases, the protection requirement of the overall system is elevated.
The distribution effect works in the opposite direction. For redundantly designed systems, such as clusters or geographically distributed data storage, an individual component can be assigned a lower protection requirement than the overall system, because the failure of a single component is absorbed by the others. The reduction only holds for the core value the redundancy actually covers (usually availability), and it turns the redundancy itself into a safeguard that has to be maintained and tested; a cluster whose failover has never been exercised does not justify lowering anything.
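The two steps described above, rating each core value as the worst case over the damage scenarios and then inheriting onto the hosting system via maximum principle, cumulation and distribution, as an added Python example. This is illustration code written for this page, not BSI tooling or part of the standard; the cumulation threshold of three applications, the reading of the distribution effect as one category step for availability only, and the sample inventory are assumptions.

```python
"""Derive protection requirements: worst case per core value over the
damage scenarios, then inheritance onto the hosting system.
Added example, not BSI tooling. ASSUMED: cumulation threshold, the
distribution rule (one step, availability only), and the sample data."""

CATEGORIES = ("normal", "high", "very high")          # ordered low to high
RANK = {cat: i for i, cat in enumerate(CATEGORIES)}
CORE_VALUES = ("confidentiality", "integrity", "availability")

# The six damage scenarios named in BSI Standard 200-2.
SCENARIOS = frozenset({
    "violation of laws or contracts", "data protection infringement",
    "threat to personal safety", "impairment of task fulfillment",
    "reputational damage", "financial impact",
})


def max_category(categories):
    """Highest category in an iterable; 'normal' if it is empty."""
    return max(categories, key=RANK.__getitem__, default="normal")


def step(category, delta):
    """Move a category up (+) or down (-), clamped at both ends."""
    idx = min(max(RANK[category] + delta, 0), len(CATEGORIES) - 1)
    return CATEGORIES[idx]


def assess_application(damage_matrix):
    """damage_matrix: {core_value: {damage_scenario: category}}.
    Every core value must be rated explicitly (an omitted availability
    rating would otherwise silently become 'normal'), and every scenario
    name must be one of the six, so a typo cannot drop a rating.
    Result per core value: the highest category over its scenarios."""
    missing = set(CORE_VALUES) - set(damage_matrix)
    if missing:
        raise ValueError(f"core value(s) not assessed: {sorted(missing)}")
    result = {}
    for cv in CORE_VALUES:
        ratings = damage_matrix[cv]
        unknown = set(ratings) - SCENARIOS
        if unknown:
            raise ValueError(f"unknown damage scenario(s) for {cv}: {sorted(unknown)}")
        result[cv] = max_category(ratings.values())
    return result


def derive_system(app_requirements, cumulation_threshold=3, redundant_component=False):
    """Inherit requirements from the applications hosted on one system.
    1. Maximum principle: highest category of the applications, per core value.
    2. Cumulation (ASSUMED threshold): if `cumulation_threshold` or more
       applications sit at that maximum, raise the system one step, because
       losing them all at once is worse than losing any single one.
    3. Distribution (ASSUMED reading): a single redundant component may carry
       an availability requirement one step below the overall system;
       confidentiality and integrity are never reduced by redundancy.
    Returns (overall_system, single_component)."""
    if not app_requirements:
        raise ValueError("a system with no applications cannot inherit a requirement")
    system = {}
    for cv in CORE_VALUES:
        levels = [app[cv] for app in app_requirements]
        top = max_category(levels)
        if levels.count(top) >= cumulation_threshold:
            top = step(top, +1)
        system[cv] = top
    component = dict(system)
    if redundant_component:
        component["availability"] = step(system["availability"], -1)
    return system, component


# Constructed sample inventory (not real data).
HR_DAMAGE = {
    "confidentiality": {"data protection infringement": "high",
                        "violation of laws or contracts": "high",
                        "reputational damage": "normal"},
    "integrity": {"violation of laws or contracts": "normal",
                  "impairment of task fulfillment": "normal"},
    "availability": {"impairment of task fulfillment": "normal",
                     "financial impact": "normal"},
}
ALL_NORMAL = {cv: "normal" for cv in CORE_VALUES}
# One shared server hosting the HR system plus three normal internal tools.
SHARED_SERVER_APPS = [assess_application(HR_DAMAGE), ALL_NORMAL, ALL_NORMAL, ALL_NORMAL]
# One node of an ERP cluster whose overall availability requirement is 'very high'.
ERP_APPS = [{"confidentiality": "high", "integrity": "high", "availability": "very high"}]

if __name__ == "__main__":
    print("HR system:", assess_application(HR_DAMAGE))
    print("shared server:", derive_system(SHARED_SERVER_APPS))
    print("ERP cluster node:", derive_system(ERP_APPS, redundant_component=True))
```

Run as a script it prints the HR system at high confidentiality but normal integrity and availability, the shared server raised to high on integrity and availability purely by cumulation of four normal applications, and the ERP cluster node at high availability while the cluster as a whole stays very high. The two ValueError checks are deliberate: in a real inventory the most common error is not a wrong rating but a missing one.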
From Classification to Implementation
The protection requirement category determines how the IT-Grundschutz methodology proceeds. For target objects with normal protection requirements, implementing the modules of the IT-Grundschutz Compendium is sufficient. For high or very high protection requirements, the standard safeguards are not automatically enough: a supplementary risk analysis according to BSI Standard 200-3 is required, and it is this analysis that decides which additional or stronger measures are needed. The same risk analysis is also required for target objects that no Compendium module adequately covers.
For organizations, this translates into clear prioritization. Rather than rolling out maximum security measures across the board, budgets and resources can be directed precisely where the potential damage is greatest. A file server for non-critical documents does not need a high-availability solution, while the production control system deserves redundant safeguards.
Protection Requirement Assessment as a Foundation for Certifications
Organizations pursuing ISO 27001 certification based on IT-Grundschutz cannot avoid a properly documented protection requirement assessment. It is a mandatory component of the security concept and is reviewed during the audit. For NIS2-regulated companies, systematic categorization also provides a solid basis for demonstrating the required risk management measures.
The assessment is not a one-time exercise. When business activities change, new systems are introduced, or the threat landscape shifts, classifications must be reviewed and adjusted accordingly. In practice, an annual review cycle has proven effective, supplemented by event-driven reassessments when significant changes occur.
Conclusion
The BSI's protection requirement categories are a proven instrument for designing IT security in a systematic and resource-efficient manner. They compel organizations to consciously address which assets truly need protecting and what consequences a security incident would entail. Those who perform this groundwork thoroughly create not only the basis for certification but also make better decisions when selecting and prioritizing security measures.