The central concern in dealing with risks must be to maintain the company's security of supply or to comply with the Service Level Agreements (SLAs) concluded with customers. As part of risk management, the protection objectives of availability, confidentiality, integrity and authenticity must therefore be assessed in terms of the extent to which the essential service is maintained; a purely business management approach is usually not sufficient. The consequences of impairing the functionality of an operated critical infrastructure can serve as an indication of the extent of a risk to society.
Risks within the scope of Section 8a (1) BSIG may not be accepted if security precautions pursuant to Section 8a (1) BSIG are possible and appropriate. Even if risks cannot be completely eliminated, the risks must be adequately reduced as far as possible before acceptance is permitted.
Furthermore, insuring the risks does not replace the required security precautions. Appropriate safeguards pursuant to Section 8a (1) BSIG remain necessary. Even if risks cannot be completely eliminated, they must be adequately reduced as far as possible before insurance is permitted as a form of risk treatment. Concluding additional insurance policies is unaffected.
In addition, the requirements of C5 regarding the implementation of the measures must be met. If further measures are to be adopted over and above the requirements of C5 with regard to appropriate protection in accordance with Section 8a (1) BSIG for risk treatment, these must be implemented for the documentation of compliance in accordance with Section 8a (3) BSIG, or be at the expected stage of progress at the time of documentation. These measures and any deficiencies must be included in the list of security deficiencies.