The starting point for improvements is always knowledge of the current situation. In order to gain this knowledge, information security standards provide for various analyzes.

The structural analysis documents information security within the given scope - for example the relationships between business processes, applications, hardware and software assets, rooms and people. The protection requirements analysis defines the desired level with regard to the security goals for various elements of the structural analysis.

The risk analysis relates the identified risks to the measures to counter these risks and documents the remaining risks.