Elementary Threat · BSI IT-Grundschutz

G 0.18 — Poor Planning or Lack of Adaptation

Reviewed by: Cenedril Editorial

A company switches its email server but fails to update the firewall rules. The old rules reference IP addresses that now belong to a different application. For three months, internal mail traffic is reachable over the internet unencrypted — and nobody notices, because responsibility for firewall changes is not documented anywhere.

Poor planning and lack of adaptation are among the most insidious threats because they require no direct attack. The BSI lists them as elementary threat G 0.18. The damage arises gradually — through organisational gaps, outdated configurations and unclear responsibilities.

What’s behind it?

Organisational procedures, technical architectures and security measures must fit the actual operating environment. When the environment changes — new systems, new employees, new business processes, new threats — and security measures do not follow, gaps appear. These gaps are often invisible because every individual process step functions correctly — only the interplay no longer holds together.

Typical planning errors

  • Unclear responsibilities — tasks are not assigned to any specific person or role. Patches remain unapplied because nobody feels responsible. Security incidents are not reported because the reporting process is unclear.
  • Outdated architectures — network segmentation stems from a time when the company was half its current size. New cloud services are connected without adapting the firewall rules. Legacy systems for which no updates are available continue to run on the production network.
  • Security requirements missing in procurement — hardware and software are selected by functionality and price without considering security criteria. The result: retrofitted (expensive) protection or — more often — permanent weaknesses.
  • Dependencies overlooked during planning — a maintenance window for the network interrupts a business process nobody identified as network-dependent. A supplier files for insolvency and the supply of spare parts for critical systems collapses.

Impact

Poor planning affects all three protection goals. Outdated configurations open attack paths (confidentiality, integrity); lack of redundancy and non-adapted maintenance processes threaten availability. The insidious part: the damage often appears with a delay, weeks or months after the actual planning gap — and is then attributed to a different cause.

Practical examples

Maintenance contract without security requirements. A company signs a maintenance contract for its production control system. The contract regulates response times and spare parts but contains no security requirements. The service provider uses an unencrypted protocol and a default password for remote maintenance. An attacker exploits exactly this access to enter the production environment.

Structural change without updating evacuation plans. During a renovation, walls are moved and entrances changed. The evacuation route plans are not updated. During an evacuation, employees follow the outdated plans and end up in dead ends — the evacuation time doubles.

Cloud migration without firewall adjustment. A company migrates its customer database to the cloud but fails to update the network policies. The database port remains open for the old internal network segment — and is now reachable from the public internet too. An external penetration test uncovers the misconfiguration.
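The mail-server switch in the opening paragraph and the cloud migration above are the same failure: a firewall rule base that was never reconciled with the asset inventory after the environment changed. As an added illustration that is not part of the original page and not a BSI or Cenedril tool, the following Python script shows what such a reconciliation check looks like on constructed data. The rule fields (documented purpose, last review date), the zone model and the inventory layout are assumptions chosen for the example.

```python
"""Drift check between firewall rules and the asset inventory.

Added illustration for threat G 0.18 (constructed data, hypothetical
rule and inventory formats; not a BSI or Cenedril tool). It flags rules
that were never adapted after the environment changed:
  ORPHAN_TARGET     rule points at an address no longer in the inventory
  PURPOSE_MISMATCH  the address now hosts a different service than the
                    one the rule was written for
  OVEREXPOSED       the rule's source is wider than the zone the current
                    service may be reached from
  STALE_REVIEW      the rule was last reviewed before the asset changed
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str           # permitted source network, CIDR notation
    dst: str           # destination host address
    port: int
    purpose: str       # service the rule was documented for
    last_reviewed: date


@dataclass(frozen=True)
class Finding:
    rule_id: str
    code: str
    detail: str


# Constructed zone model: which networks a zone name stands for.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "any": [ip_network("0.0.0.0/0")],
}

# Constructed inventory: what currently runs at each address, the widest
# zone it may be reached from, and when that entry last changed.
INVENTORY = {
    "10.0.1.10": {"service": "crm-db", "zone": "internal", "changed": date(2024, 3, 15)},
    "10.0.1.20": {"service": "mail-gateway", "zone": "any", "changed": date(2024, 3, 15)},
    "10.0.2.5": {"service": "intranet-web", "zone": "internal", "changed": date(2022, 6, 1)},
}

# Constructed rule base. FW-001 was written for the old mail server,
# whose address was later reused for the CRM database.
RULES = [
    Rule("FW-001", "0.0.0.0/0", "10.0.1.10", 25, "mail-gateway", date(2023, 1, 10)),
    Rule("FW-002", "10.0.0.0/8", "10.0.2.5", 443, "intranet-web", date(2024, 1, 5)),
    Rule("FW-003", "10.0.0.0/8", "10.0.9.9", 22, "legacy-monitor", date(2021, 2, 2)),
    Rule("FW-004", "0.0.0.0/0", "10.0.1.20", 25, "mail-gateway", date(2024, 4, 1)),
]


def source_within_zone(src: str, zone: str, zones=ZONES) -> bool:
    """True if the rule's source network lies entirely inside the zone."""
    net = ip_network(src, strict=False)
    return any(net.subnet_of(allowed) for allowed in zones[zone])


def audit(rules, inventory=INVENTORY, zones=ZONES):
    """Return all drift findings for the given rule base."""
    findings = []
    for r in rules:
        asset = inventory.get(r.dst)
        if asset is None:
            findings.append(Finding(r.rule_id, "ORPHAN_TARGET",
                                    f"{r.dst} is not in the inventory"))
            continue  # nothing else can be judged without an asset record
        if asset["service"] != r.purpose:
            findings.append(Finding(r.rule_id, "PURPOSE_MISMATCH",
                                    f"documented for {r.purpose}, but {r.dst} now hosts {asset['service']}"))
        if not source_within_zone(r.src, asset["zone"], zones):
            findings.append(Finding(r.rule_id, "OVEREXPOSED",
                                    f"source {r.src} exceeds zone {asset['zone']} for port {r.port}"))
        if r.last_reviewed < asset["changed"]:
            findings.append(Finding(r.rule_id, "STALE_REVIEW",
                                    f"reviewed {r.last_reviewed}, asset changed {asset['changed']}"))
    return findings


def finding_codes(findings, rule_id: str) -> set:
    """Set of finding codes raised for one rule (empty set means no drift)."""
    return {f.code for f in findings if f.rule_id == rule_id}


if __name__ == "__main__":
    for f in audit(RULES):
        print(f"{f.rule_id} {f.code:17} {f.detail}")
```

In a real environment the inventory would come from the CMDB and the rules from a firewall export. The check only works if every rule carries a documented purpose and a review date; without that metadata a purpose mismatch cannot be detected at all, which is precisely the documentation gap the opening paragraph describes.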

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 90 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.18 to practically every module — evidence of how fundamental this threat is. Particularly relevant:

  • ISMS.1 (Security management) — the central module: requirements for planning, implementation and continuous improvement of the ISMS.
  • OPS.1.1.1 (General IT operations) — organisational and technical requirements for ongoing operations.
  • OPS.1.2.2 (Archiving) — long-term planning requirements for the retention of information.
  • DER.3.1 (Audits and revisions) — systematic review of security measures for currency and effectiveness.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.1 Policies for information security
  • A.5.2 Information security roles and responsibilities
  • A.5.3 Segregation of duties
  • A.5.4 Management responsibilities
  • A.5.5 Contact with authorities
  • A.5.6 Contact with special interest groups
  • A.5.7 Threat intelligence
  • A.5.8 Information security in project management
  • A.5.9 Inventory of information and other associated assets
  • A.5.10 Acceptable use of information and other associated assets
  • A.5.11 Return of assets
  • A.5.12 Classification of information
  • A.5.13 Labelling of information
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.31 Legal, statutory, regulatory and contractual requirements
  • A.5.32 Intellectual property rights
  • A.5.33 Protection of records
  • A.5.34 Privacy and protection of PII
  • A.5.35 Independent review of information security
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.5.37 Documented operating procedures
  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.6.8 Information security event reporting
  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.3 Securing offices, rooms and facilities
  • A.7.4 Physical security monitoring
  • A.7.5 Protecting against physical and environmental threats
  • A.7.6 Working in secure areas
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.7.13 Equipment maintenance
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.6 Capacity management
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.11 Data masking
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments
  • A.8.32 Change management
  • A.8.34 Protection of information systems during audit testing

Frequently asked questions

What does poor planning have to do with information security?

Poor planning creates structural weaknesses: unclear responsibilities, unsuitable architectures, lack of adaptation to change. These weaknesses are exploited by other threats. Poor planning is therefore a kind of meta-threat that increases the impact of many other threats.

Why does G 0.18 have so many mapped controls?

Because poor planning affects every layer of information security — from strategic direction through technical architecture to day-to-day operations. Practically every ISO 27001 control works directly or indirectly against planning deficits.

How do I identify poor planning before damage occurs?

Regular reviews (internal audits, management reviews, risk assessments) and a functioning change management process are the most effective instruments. If security measures have remained unchanged for years while the IT landscape has changed fundamentally, a planning deficit is highly likely.