Protection Requirement

The protection requirement indicates how strongly an information asset or IT system must be protected with respect to confidentiality, integrity, and availability. Classification typically uses three levels: normal, high, and very high. The protection requirement is derived from the damage analysis: the more severe the consequences of a security incident, the higher the protection requirement. You use it as the basis for selecting appropriate security measures. In BSI IT-Grundschutz, protection-requirement assessment is a formal step; in an ISO 27001 context it feeds into the risk assessment.