
From risk assessment to security measures

Security concepts provide the framework for assessing risks, defining security objectives and deriving appropriate security measures from them. They help organisations manage security not through isolated measures, but as a structured and transparent process. This principle is also reflected in the BSI's current guidance: a security concept describes the measures by which the security objectives are pursued and requires a defined scope.


What defines a security concept

A security concept is based on a simple sequence of steps:

  • Risk assessment
  • Definition of security objectives
  • Security measures

The risks faced by an organisation are considered in the light of both its internal and external context. Security objectives are then derived from the analysis of threats and from the organisation's history of security-relevant incidents. Only on this basis are appropriate security measures determined and implemented.


Why risk assessment comes first

Risk assessment is the foundation of every security concept. It is a key element of the concept and raises questions about the security situation, general threats, specific areas with protection requirements, as well as legal and contractual requirements. These include location- and country-specific risks, vandalism and sabotage, previous incidents, sector-specific threats, BCM requirements and insurance requirements.

BSI Standard 200-3 brings together the risk-related work steps of IT-Grundschutz, while ISO 31000 describes risk management as a structured approach to identifying, analysing, evaluating, treating, monitoring and communicating risks. Only when this foundation has been properly established can it be determined which security measures are genuinely necessary.

The role of the risk matrix

In risk assessment, a risk matrix helps to make risks visible and prioritise them. Risks are classified according to their potential impact and likelihood of occurrence. The matrix is an important element in defining security objectives. Later, it can be updated as part of the review of existing security measures.

The Federal Office for Information Security (BSI) also describes the risk matrix as a common and highly effective tool for illustrating frequencies of occurrence, potential impact and risks. The BSI further emphasises that the categories should be clearly defined and adapted to the specific circumstances of the organisation.
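To make the two points above concrete (classifying risks by likelihood and impact, and keeping the categories clearly defined), here is a small worked example added to this article. It is not code from 3-core or from the BSI; the category names, the matrix cells, the tie-break rule and the sample risk register are all constructed for illustration and must be calibrated by each organisation for its own context, exactly as the BSI recommends.

```python
from dataclasses import dataclass
from typing import List

# Likelihood (frequency of occurrence) and impact categories, ordered from
# low to high. Constructed for this example; an organisation defines its own.
LIKELIHOOD = ["rare", "medium", "frequent", "very frequent"]
IMPACT = ["negligible", "limited", "considerable", "existential"]

# The risk matrix: rows are likelihood, columns are impact, cells are the
# resulting risk category. Constructed example mapping, not a BSI table.
MATRIX = [
    # negligible  limited    considerable  existential
    ["low",      "low",     "medium",     "high"],        # rare
    ["low",      "medium",  "high",       "high"],        # medium
    ["low",      "medium",  "high",       "very high"],   # frequent
    ["medium",   "high",    "very high",  "very high"],   # very frequent
]
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "very high": 3}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    level: str = ""   # filled in by prioritise()


def classify(likelihood: str, impact: str) -> str:
    """Look up the risk category for a likelihood/impact pair.

    Unknown category names raise instead of silently mapping to 'low',
    so a typo in the register cannot hide a risk.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood category: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact category: {impact!r}")
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]


def matrix_is_monotone(matrix=MATRIX) -> bool:
    """Sanity check on the category definitions: the risk category must never
    decrease when either likelihood or impact increases."""
    for i, row in enumerate(matrix):
        for j, cell in enumerate(row):
            if j > 0 and RISK_ORDER[cell] < RISK_ORDER[row[j - 1]]:
                return False
            if i > 0 and RISK_ORDER[cell] < RISK_ORDER[matrix[i - 1][j]]:
                return False
    return True


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Assign each risk its category and return the register highest risk first.

    Within one risk category the higher impact wins the tie, then the higher
    likelihood (a constructed rule; choose and document your own).
    """
    for r in risks:
        r.level = classify(r.likelihood, r.impact)
    return sorted(
        risks,
        key=lambda r: (RISK_ORDER[r.level],
                       IMPACT.index(r.impact),
                       LIKELIHOOD.index(r.likelihood)),
        reverse=True,
    )


# Constructed sample register reflecting the kinds of risk named in the text.
SAMPLE_RISKS = [
    Risk("Vandalism at perimeter fence", "frequent", "limited"),
    Risk("Sabotage of main power feed", "rare", "existential"),
    Risk("Theft from delivery yard", "medium", "considerable"),
    Risk("Graffiti on outer wall", "very frequent", "negligible"),
]

if __name__ == "__main__":
    assert matrix_is_monotone(), "risk matrix categories are inconsistent"
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.level:10} {r.name} ({r.likelihood} / {r.impact})")
```

Two points are worth taking from the example. First, the lookup table is the matrix: changing a cell is a deliberate, reviewable decision, which is easier to justify to auditors than a hidden "likelihood times impact" formula. Second, the monotonicity check is a cheap way to catch a badly defined matrix before it is used to set priorities; when the matrix is updated during a later review of the security measures, the same check is run again.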

Definition of security objectives

Following the risk assessment, security objectives are defined in a binding manner for the relevant areas. They describe what needs to be protected, to what extent, and which level of protection is required.

  • Define the level of protection
  • Specify protection needs
  • Classify critical areas and assets

The security measures are then derived from these security objectives. Organisational, technical and physical measures are therefore not defined in isolation, but developed on the basis of risk and protection needs.

  • Derive measures systematically
  • Provide a professional rationale for priorities
  • Build a structured security concept

Which security measures are derived from a security concept

Appropriate security measures are derived on the basis of the risk assessment and the security objectives. We distinguish between four areas:

Personnel measures

These primarily concern security personnel with clearly defined roles and responsibilities. Personnel measures help to monitor security-relevant areas, detect incidents at an early stage, and respond in accordance with defined procedures in the event of an incident.

Organisational measures

Organisational measures establish rules, responsibilities and procedures within the organisation. These include, for example, emergency and incident response plans or security zone concepts, which define how security is to be implemented in day-to-day operations and in the event of an incident.

Technical measures

Technical measures help to identify risks, control access and ensure that incidents can be traced. These include, for example, intrusion alarm systems, hold-up alarm systems, video surveillance systems and access control systems, which are used for monitoring, alerting and access control.

Structural measures

Structural measures provide the physical basis for protection. These include, for example, doors, gates, walls, turnstiles and fences, which can be used to secure areas, restrict access and demarcate sensitive zones.

Why security concepts need to be implemented and reviewed regularly

A security concept only delivers its full value when the defined security measures are embedded in the organisation, understood by employees, and adapted where necessary. This includes communicating changes, raising awareness and providing training, as well as regularly reviewing whether the measures remain effective and still reflect the current threat landscape. New legal requirements, changing risks, changes to the business model, or new best practices may make adjustments necessary.

How 3-core supports organisations with security concepts

At 3-core, we support organisations not only in developing security concepts methodically, but also in implementing them in practice. From risk assessment and the definition of security objectives through to the derivation of appropriate security measures, we create a structure that works in day-to-day operations. Our Resilience Time Planner also makes it possible to present risk-based protection zone planning, including cost calculations, in a clear, structured and transparent way.
