Elementary Threat · BSI IT-Grundschutz

G 0.45 — Data Loss

4 min read · Reviewed by: Cenedril Editorial

A company synchronises the data of its mobile employees with the central file server every evening. During a synchronisation failure, over 14,000 files are overwritten with empty placeholders overnight. The next morning the IT department notices the error — but the last verified backup is three weeks old. The daily backup in between had silently stopped working since an update. No one had been checking the backup logs.

Data loss ranks among the elementary threats with the broadest range of causes. The BSI lists it as G 0.45. Whether hardware defect, operator error, malware or theft — the outcome is the same: a dataset needed for the business is wholly or partly unavailable.

What’s behind it?

Data loss means an event in which a dataset can no longer be used as required. The causes fall into four categories:

Causes of loss

Hard drives, SSDs and other storage media have a limited service life. Without suitable redundancy measures (RAID, replication) a single defect is enough to destroy critical datasets. Power outages during write operations, faulty firmware updates and defective controllers can also cause data loss.

Accidental deletion is the most common form of data loss. A wrong command, an unintended format or a faulty script run can destroy in seconds datasets that took years to build. Particularly risky: synchronisation processes between mobile and stationary systems in which older data overwrites newer data.

Ransomware deliberately encrypts datasets and renders them unusable without the decryption key. Wiper malware deletes data irretrievably. Some malware activates the delete function only after a delay (e.g. on a specific date), so that the moment of infection and the moment of data loss lie far apart.

Mobile endpoints (laptops, tablets, smartphones) are lost, stolen or physically damaged. If the device was offline between synchronisations, the data stored on it often has no current copy anywhere else.

Practical examples

Ransomware with delayed activation. A company is infected with ransomware that initially lies dormant and writes itself into all backup drives in the background. Only after six weeks does the encryption activate. All backups from the last six weeks already contain the malware — a clean recovery is only possible using the oldest offline backup, which represents a significant data loss.

Synchronisation error on mobile devices. A sales representative works offline with his tablet on a customer presentation for three days. On returning to the office, automatic synchronisation overwrites his local changes with the older server version — three days of work are gone. The synchronisation solution had no conflict detection.

Forgotten password for cloud storage. A sole proprietor stores all business documents in a cloud service. After a device change he has neither the password nor the second factor at hand. Password recovery fails because the linked email address has since been deactivated. All documents are permanently inaccessible.
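The synchronisation error in the second practical example above comes from a client that lets one side win blindly. The following added example (not code from the original page or from any real sync product) shows the conflict detection that was missing: a three-way comparison of the local state, the server state and the state recorded at the last successful sync. `FileState`, `plan_sync` and the sample files are hypothetical; the "hold" action also catches the empty-placeholder overwrite from the opening scenario.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class FileState:
    """Snapshot of one file: content digest and size in bytes (hypothetical model)."""
    digest: str
    size: int


def plan_sync(local: Dict[str, FileState], server: Dict[str, FileState],
              last_sync: Dict[str, FileState]) -> Dict[str, str]:
    """Three-way sync planner: compares both sides with the state recorded at the
    last successful sync instead of letting one side win. Actions: unchanged,
    upload, download, delete_local, delete_server, conflict (both sides changed
    since the last sync) and hold (server would replace real content with an
    empty file, as in a mass-overwrite incident)."""
    plan: Dict[str, str] = {}
    for path in sorted(set(local) | set(server) | set(last_sync)):
        loc, srv, base = local.get(path), server.get(path), last_sync.get(path)
        local_changed, server_changed = loc != base, srv != base
        if not local_changed and not server_changed:
            plan[path] = "unchanged"
        elif local_changed and server_changed:
            plan[path] = "conflict"          # never silently pick a winner
        elif local_changed:
            plan[path] = "upload" if loc is not None else "delete_server"
        elif srv is None:
            plan[path] = "delete_local"
        elif srv.size == 0 and base is not None and base.size > 0:
            plan[path] = "hold"              # suspicious: content became empty
        else:
            plan[path] = "download"
    return plan


# Constructed sample: the offline tablet scenario plus one empty-placeholder overwrite.
BASE = {"deck.pptx": FileState("a1", 4096), "notes.txt": FileState("b2", 300),
        "old.doc": FileState("c3", 1000)}
LOCAL = {"deck.pptx": FileState("a9", 5120),   # edited offline for three days
         "notes.txt": FileState("b2", 300), "old.doc": FileState("c3", 1000)}
SERVER = {"deck.pptx": FileState("a1", 4096),  # server still holds the old version
          "notes.txt": FileState("00", 0)}     # overwritten by an empty placeholder;
                                               # old.doc was deleted on the server


def sample_plan() -> Dict[str, str]:
    return plan_sync(LOCAL, SERVER, BASE)


if __name__ == "__main__":
    for path, action in sample_plan().items():
        print(f"{action:13} {path}")
```

A "server wins" client would have downloaded the old deck and the empty notes file; here the edited deck is uploaded and the empty overwrite is held for review.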

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 42 mapped controls below in the section “ISO 27001 Controls Covering This Threat”.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

The BSI IT-Grundschutz catalogue links G 0.45 with the following modules:

  • CON.3 (Data backup concept) — the central module: backup strategy, media rotation, recovery tests.
  • SYS.1.1 (General server) — hardening and redundancy of server systems.
  • SYS.3.1 (Laptops) — protection and encryption of mobile endpoints.
  • OPS.1.2.2 (Archiving) — long-term retention and integrity protection of archived data.

Sources

ISO 27001 Controls Covering This Threat

  • A.5.10 Acceptable use of information and other associated assets
  • A.5.11 Return of assets
  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.28 Collection of evidence
  • A.5.29 Information security during disruption
  • A.5.37 Documented operating procedures
  • A.6.2 Terms and conditions of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.8 Information security event reporting
  • A.7.9 Security of assets off-premises
  • A.7.10 Storage media
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.9 Configuration management
  • A.8.10 Information deletion
  • A.8.13 Information backup
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.18 Use of privileged utility programs
  • A.8.19 Installation of software on operational systems
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.22 Segregation of networks
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.26 Application security requirements
  • A.8.27 Secure system architecture and engineering principles
  • A.8.28 Secure coding
  • A.8.29 Security testing in development and acceptance
  • A.8.30 Outsourced development
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

Which causes of data loss are the most common?

Hardware defects (especially disk failures), human error (accidental deletion, faulty synchronisation) and malware (ransomware, wipers) are the three most common causes. Less frequent, but with greater impact: theft of devices and targeted sabotage.

How often should backups be created and tested?

Backup frequency depends on how much data loss the organisation can tolerate (Recovery Point Objective, RPO). Critical systems require at least daily, often hourly, backups. Equally decisive: regular restore tests (at least quarterly) to confirm that the backups actually work.
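The opening scenario (a daily backup that silently stopped after an update, with nobody reading the logs) and the RPO rule in this answer both call for an automated freshness check. The following added example (not from the original page or any real backup product) parses constructed backup job log lines in a hypothetical format and reports, per expected job, whether the last successful run is within its RPO, whether the most recent run failed, or whether the job has stopped writing logs altogether.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Constructed sample log in a hypothetical "job=... status=..." format (not a real product's).
SAMPLE_LOG = """\
2024-05-02 02:00:09 job=fileserver status=OK files=14233
2024-05-02 02:10:00 job=db status=OK files=12
2024-05-02 02:15:01 job=mailstore status=OK files=8120
2024-05-03 02:00:11 job=fileserver status=ERROR msg="agent version mismatch"
2024-05-03 02:10:02 job=db status=ERROR msg="snapshot failed"
2024-05-03 02:15:03 job=mailstore status=OK files=8131
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(\S+)")


def check_backups(lines: Iterable[str], expected_jobs: Iterable[str],
                  rpo: Dict[str, timedelta], now: datetime) -> Dict[str, str]:
    """Return one finding per expected job: 'ok', 'stale' (last successful run is
    older than the job's RPO), 'failing' (most recent run was not OK but the RPO
    still holds) or 'missing' (no log entries at all, i.e. the job stopped)."""
    last_ok: Dict[str, datetime] = {}
    last_status: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines in other formats
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        job, status = m.group(2), m.group(3)
        last_status[job] = status
        if status == "OK":
            last_ok[job] = max(ts, last_ok.get(job, ts))
    findings: Dict[str, str] = {}
    for job in expected_jobs:
        if job not in last_status:
            findings[job] = "missing"
        elif job not in last_ok or now - last_ok[job] > rpo[job]:
            findings[job] = "stale"       # RPO breached: act on this first
        elif last_status[job] != "OK":
            findings[job] = "failing"
        else:
            findings[job] = "ok"
    return findings


# Constructed RPOs; 'archive' is expected but never appears in the log.
RPO = {"fileserver": timedelta(days=1), "db": timedelta(days=2),
       "mailstore": timedelta(days=1), "archive": timedelta(days=7)}
NOW = datetime(2024, 5, 3, 3, 0, 0)


def sample_findings() -> Dict[str, str]:
    return check_backups(SAMPLE_LOG, RPO.keys(), RPO, NOW)


if __name__ == "__main__":
    for job, finding in sample_findings().items():
        print(f"{job:12} {finding}")
```

Run as a scheduled job, any finding other than "ok" should raise an alert; the "missing" case is exactly the silent stop in the opening scenario that a log-only review would never surface.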

Do cloud services automatically protect against data loss?

Cloud providers generally operate redundant storage systems, which protects against hardware failures. The cloud infrastructure alone does not protect against accidental deletion, ransomware or loss of access (e.g. forgotten password, account suspension). The organisation's own backup strategy and access safeguards remain necessary.