Elementary Threat · BSI IT-Grundschutz

G 0.37 — Repudiation of Actions

4 min read · Reviewed by: Cenedril Editorial

An urgently needed spare part is ordered electronically. After a week, purchasing complains that the delivery never arrived — meanwhile the production stoppage has caused significant costs. The supplier denies ever having received an order. Without a delivery receipt or digital signature, it is one word against another.

Repudiation of actions (G 0.37) concerns a protection goal that often takes a back seat to confidentiality, integrity and availability: accountability. In English-speaking contexts this principle is called non-repudiation — the inability to deny actions.

What’s behind it?

People may deny having carried out certain actions for different reasons — because the actions violate instructions, to cover up mistakes, or because contractual obligations are deliberately disputed. Without technical and organisational mechanisms to ensure non-repudiation, there is no robust evidence.

Forms of repudiation

  • Repudiation of origin — A person denies having sent an order, instruction or approval.
  • Repudiation of receipt — A person claims never to have received an invoice, reminder or notification.
  • Repudiation of a system action — A person denies having executed a specific transaction, modified a document or changed a configuration.

Impact

The consequences mainly affect commercial and legal relationships. If an order cannot be proven, suppliers may refuse or delay deliveries. If an approval cannot be documented, the approval process stalls. In financial transactions, repudiation can lead to monetary losses. In legal disputes the outcome often depends on whether an action can be verifiably assigned to a specific person.

Practical examples

Order without delivery confirmation. A company orders a component electronically from a supplier. The order is sent by email without a digital signature and without a delivery receipt. When the delivery fails to arrive, the supplier denies receiving the order. The production stoppage causes costs for which neither side has contractual protection.

Cancelled approval in a procurement workflow. In a procurement system, a department head approves an investment. When the costs exceed the planned amount, he claims never to have granted the approval. Because the system records only a simple user login as evidence rather than a digital signature, the action cannot be unambiguously assigned to him — the login could have been performed by a colleague who knew the password.

Manipulated audit trail. A system administrator makes an unauthorised configuration change and then deletes the corresponding entries from the local log. Because the logs are stored only locally and the administrator has write permissions to the log files, his action cannot be proven.
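The third example turns on two conditions: the log lives only on the host the administrator controls, and he can write to it. The following Go program, added here as an illustration and not part of the original article or of any BSI module, shows the kind of tamper-evident logging OPS.1.1.5 asks for: each record carries an HMAC over its content and its predecessor's MAC, and the latest MAC (the anchor) is forwarded at write time to a collector the administrator cannot write to. The key name, the actors and the actions are constructed for the demo; the assumption that only the collector holds the HMAC key is what the scheme rests on.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. PrevMAC links each record to its predecessor,
// so removing or rewriting an earlier record breaks every later link.
type Entry struct {
	Seq     int
	Actor   string
	Action  string
	PrevMAC string
	MAC     string
}

const genesis = "genesis" // constructed sentinel for "no predecessor"

// entryMAC binds the record content and the previous MAC under a key that
// only the log collector holds (assumption); the administrator of the logging
// host cannot recompute it after editing a record.
func entryMAC(key []byte, seq int, actor, action, prev string) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d|%s|%s|%s", seq, actor, action, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a record to the chain and returns the extended trail.
func Append(key []byte, trail []Entry, actor, action string) []Entry {
	prev := genesis
	if n := len(trail); n > 0 {
		prev = trail[n-1].MAC
	}
	seq := len(trail) + 1
	return append(trail, Entry{
		Seq: seq, Actor: actor, Action: action, PrevMAC: prev,
		MAC: entryMAC(key, seq, actor, action, prev),
	})
}

// Verify recomputes the whole chain and compares its tail with an anchor that
// was forwarded to write-protected storage (the collector) after the last
// append. A nil result means the trail is complete and unmodified.
func Verify(key []byte, trail []Entry, anchor string) error {
	prev := genesis
	for i, e := range trail {
		if e.Seq != i+1 || e.PrevMAC != prev {
			return fmt.Errorf("chain broken at record %d: a record was removed or reordered", i+1)
		}
		want := entryMAC(key, e.Seq, e.Actor, e.Action, e.PrevMAC)
		if !hmac.Equal([]byte(e.MAC), []byte(want)) {
			return fmt.Errorf("record %d was modified", e.Seq)
		}
		prev = e.MAC
	}
	if prev != anchor {
		return fmt.Errorf("tail does not match the forwarded anchor: trailing records were removed")
	}
	return nil
}

func main() {
	key := []byte("collector-key-constructed-for-this-demo")
	var trail []Entry
	trail = Append(key, trail, "svc-deploy", "restart application server")
	trail = Append(key, trail, "admin.mueller", "disable firewall rule 42") // the change later denied
	trail = Append(key, trail, "svc-backup", "nightly backup completed")
	anchor := trail[len(trail)-1].MAC // forwarded to the collector at append time

	fmt.Println("intact:        ", Verify(key, trail, anchor))

	// The administrator deletes his own record from the local file.
	deleted := []Entry{trail[0], trail[2]}
	fmt.Println("record deleted:", Verify(key, deleted, anchor))

	// He rewrites the record instead; without the key the MAC no longer matches.
	edited := append([]Entry(nil), trail...)
	edited[1].Action = "routine maintenance"
	fmt.Println("record edited: ", Verify(key, edited, anchor))

	// He truncates the file just before his record; only the anchor reveals it.
	fmt.Println("file truncated:", Verify(key, trail[:1], anchor))
}
```

The HMAC key catches edits to records that stay on the host; the forwarded anchor catches truncation, which no local check can see. Both only hold if key and anchor sit outside the administrator's write scope, which in practice means forwarding every record (or at least every new tail) to a separate collector and synchronising clocks (A.8.17) so the records can be correlated. This detects tampering after the fact; it does not prevent the unauthorised change itself.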

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 37 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.37 with the following modules:

  • OPS.1.1.5 (Logging) — requirements for complete, tamper-resistant logging.
  • OPS.1.1.2 (Proper IT administration) — traceability of administrative actions.
  • DER.1 (Detecting security-relevant events) — detection of attempts to manipulate log data.
  • ORP.4 (Identity and access management) — personalised accounts as the basis for assigning actions.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.3 Segregation of duties
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.37 Documented operating procedures
  • A.6.2 Terms and conditions of employment
  • A.6.4 Disciplinary process
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.7.1 Physical security perimeters
  • A.7.4 Physical security monitoring
  • A.7.7 Clear desk and clear screen
  • A.7.9 Security of assets off-premises
  • A.7.11 Supporting utilities
  • A.7.12 Cabling security
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.17 Clock synchronisation
  • A.8.18 Use of privileged utility programs
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.23 Web filtering
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

What does non-repudiation mean?

Non-repudiation means that a person cannot later deny having performed an action. In information security it covers proof of who carried out which action and when: initiating a transaction, sending a message or modifying a document. Technical means include logging, digital signatures and timestamps.

Why is accountability a protection goal?

The three classical protection goals (confidentiality, integrity, availability) do not cover every security need. Accountability ensures that actions can be verifiably assigned to a specific person. In business relationships, financial transactions and legal contexts this traceability is essential.

Is a timestamp in an email header sufficient as evidence?

Email headers can be trivially forged and are unsuitable as sole evidence. For legally robust proof you need cryptographic methods: qualified electronic signatures (under eIDAS), qualified timestamps or audit-proof archiving with integrity protection.
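The procurement example above fails because a password login is something a colleague can reproduce, whereas a signature is bound to a key only the approver holds. The Go program below, added here as an illustration and not code from the original article, signs an approval record with Ed25519 and shows that a changed amount or a signature from a colleague's key does not verify against the key registered for the department head. Names, request ID, amount and date are constructed; the assumption that the private key lives on the approver's personal token rather than on a shared host is what makes the binding meaningful.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Approval is the record the department head signs. Every field that could
// later be disputed (who, what, how much, when) is part of the signed bytes.
type Approval struct {
	Approver   string    `json:"approver"`
	RequestID  string    `json:"request_id"`
	AmountEUR  int       `json:"amount_eur"`
	ApprovedAt time.Time `json:"approved_at"`
}

// canonical renders the approval deterministically so that signer and
// verifier process identical bytes (encoding/json keeps field order).
func canonical(a Approval) ([]byte, error) {
	return json.Marshal(a)
}

// NewKeyPair generates an Ed25519 key pair. In production the private key
// would be created on and never leave the approver's smartcard or token
// (assumption for this demo).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// SignApproval produces a signature that only the holder of priv can create.
func SignApproval(priv ed25519.PrivateKey, a Approval) ([]byte, error) {
	msg, err := canonical(a)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyApproval checks sig against the public key registered for a.Approver.
func VerifyApproval(pub ed25519.PublicKey, a Approval, sig []byte) bool {
	msg, err := canonical(a)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	headPub, headPriv, _ := NewKeyPair() // key registered for head.schmidt
	_, colleaguePriv, _ := NewKeyPair()  // a colleague who knows the password

	a := Approval{
		Approver:   "head.schmidt",
		RequestID:  "INV-2024-017", // constructed
		AmountEUR:  48000,
		ApprovedAt: time.Date(2024, 3, 5, 9, 30, 0, 0, time.UTC),
	}
	sig, _ := SignApproval(headPriv, a)
	fmt.Println("genuine approval verifies:", VerifyApproval(headPub, a, sig))

	// The amount is raised after the fact: the signature no longer fits.
	b := a
	b.AmountEUR = 98000
	fmt.Println("altered amount verifies:  ", VerifyApproval(headPub, b, sig))

	// The colleague can log in with the password but cannot sign: his key
	// is not the one registered for the department head.
	forged, _ := SignApproval(colleaguePriv, a)
	fmt.Println("colleague's signature:    ", VerifyApproval(headPub, a, forged))
}
```

The signature settles who approved what; the "when" is still taken from the signer's own clock, so for the legally robust proof the FAQ describes, the record would additionally carry a qualified timestamp from a trusted time-stamping authority, and the key would be certified by a qualified trust service provider under eIDAS. A self-managed Ed25519 key as used here is a technical signature, not a qualified electronic signature.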