Elementary Threats of the BSI IT-Grundschutz Compendium
The Elementary Threats of the BSI IT-Grundschutz Compendium form the foundation of every IT-Grundschutz-compliant risk analysis. Defined in BSI Standard 200-3, these 47 threats condense the broad landscape of potential risks into a compact, product-neutral and methodologically coherent catalogue. For organisations implementing IT-Grundschutz or aiming for ISO 27001 certification on the basis of IT-Grundschutz, these threats are an indispensable starting point for developing a robust and reproducible security concept.
What Are Elementary Threats?
Elementary threats are generalised, real-world events that can directly impair the confidentiality, integrity or availability of information. They originate from the detailed threat descriptions in the IT-Grundschutz Modules but are distilled into a standardised list optimised for risk analysis.
The BSI’s objectives when designing this catalogue were clear:
- Optimised for risk analysis
  The threats are defined at a level of abstraction that allows fast and consistent assessment across different systems.
- Product-neutral and (as far as possible) technology-neutral
  Threats are not tied to specific manufacturers or technologies, ensuring broad applicability.
- Compatible with international standards
  The structure aligns with ISO/IEC 27005, ISO 31000, NIST 800-30 and similar frameworks.
- Fully integrated into IT-Grundschutz
  Elementary threats are used throughout the IT-Grundschutz methodology, from modelling to safeguard selection and risk evaluation.
Direct Impact on the CIA Triad
A key feature of the BSI’s approach is the direct assignment of each threat to the core security values:
- C – Confidentiality
- I – Integrity
- A – Availability
Only direct impacts are considered—not indirect or secondary effects.
For example:
- G 0.1 Fire is mapped to Availability because a fire directly disrupts operations.
While confidentiality or integrity may be affected indirectly (e.g., damaged or exposed media), these consequences are not part of the primary mapping.
This clarity enables precise determination of which threats are relevant for assets with high or very high protection requirements.
Why Elementary Threats Matter in Practice
The Elementary Threat catalogue is used to:
- Identify relevant risks for each asset during the threat overview phase.
- Support structured risk assessment using frequency–impact matrices.
- Ensure consistent threat modelling across different systems and organisational units.
- Create a unified basis for security concepts, audits and ISO 27001 certificates based on IT-Grundschutz.
By excluding threats that merely describe missing controls (e.g., “no patching” or “insufficient encryption”), the BSI ensures the catalogue focuses on actual events, not design weaknesses.
Examples of Elementary Threats
The full catalogue includes threats originating from environmental, technical, organisational, human and deliberate sources, such as:
- Fire, water, natural disasters
- Power outages, communication failures
- Software vulnerabilities, device malfunctions
- Espionage, social engineering, malware
- Misuse of authorisations, identity theft
- Loss of data or destruction of media
Each threat is tagged with its corresponding CIA impact, creating a consistent analytical baseline.
A Foundation for Digital Operational Resilience
For organisations pursuing digital operational resilience, compliance with IT-Grundschutz, or alignment with the broader European regulatory landscape (including DORA), the Elementary Threats serve as a highly structured and recognised starting point. They ensure that risk assessments are systematic, comparable and aligned with best-practice information security standards.
| ID | Threat | Core value |
|---|---|---|
| G 0.1 | Fire | A |
| G 0.2 | Unfavourable environmental conditions | I,A |
| G 0.3 | Water | I,A |
| G 0.4 | Soiling, dust, corrosion | I,A |
| G 0.5 | Natural catastrophes | A |
| G 0.6 | Catastrophes in the environment | A |
| G 0.7 | Major events in the environment | C,I,A |
| G 0.8 | Disruption or malfunction of power supply | I,A |
| G 0.9 | Failure or malfunction of communication networks | I,A |
| G 0.10 | Failure or malfunction of supply networks | A |
| G 0.11 | Failure or malfunction of service providers | C,I,A |
| G 0.12 | Electromagnetic interference | I,A |
| G 0.13 | Interception of compromising radiation | C |
| G 0.14 | Espionage | C |
| G 0.15 | Line tapping | C |
| G 0.16 | Theft of devices, data media and documents | C,A |
| G 0.17 | Loss of devices, data media and documents | C,A |
| G 0.18 | Poor planning or lack of adjustment | C,I,A |
| G 0.19 | Disclosure of information that should be protected | C |
| G 0.20 | Information from unreliable sources | C,I,A |
| G 0.21 | Manipulation of hardware or software | C,I,A |
| G 0.22 | Manipulation of information | I |
| G 0.23 | Unauthorised entry into IT systems | C,I |
| G 0.24 | Destruction of devices or data media | A |
| G 0.25 | Failure of devices or systems | A |
| G 0.26 | Malfunctions of devices or systems | C,I,A |
| G 0.27 | Lack of resources | A |
| G 0.28 | Software vulnerabilities or errors | C,I,A |
| G 0.29 | Violation of laws or contracts | C,I,A |
| G 0.30 | Unauthorised use or administration of devices and systems | C,I,A |
| G 0.31 | Incorrect use or administration of devices and systems | C,I,A |
| G 0.32 | Misuse of authorisations | C,I,A |
| G 0.33 | Loss of personnel | A |
| G 0.34 | Attack | C,I,A |
| G 0.35 | Coercion, extortion or corruption | C,I,A |
| G 0.36 | Identity theft | C,I,A |
| G 0.37 | Repudiation of acts | C,I |
| G 0.38 | Misuse of personal data | C |
| G 0.39 | Malware | C,I,A |
| G 0.40 | Denial of services | A |
| G 0.41 | Sabotage | A |
| G 0.42 | Social engineering | C,I |
| G 0.43 | Importing messages | C,I |
| G 0.44 | Unauthorised entry into rooms | C,I,A |
| G 0.45 | Loss of data | A |
| G 0.46 | Loss of integrity of information that should be protected | I |
| G 0.47 | Harmful side effects | C,I,A |