1.2 Types of Requirements

In accordance with RFC 2119, two types of requirements are specified in this standard:

  • Mandatory Requirements: Identified by terms like “MUST”, “MUST NOT”, or “HAVE TO”

  • Recommendations: Identified by a term like “SHOULD” or “CAN”

If a requirement has a recommendation-like nature, it does not need to be implemented where justifiable reasons exist. Recommendations specified with “CAN” are focused on applications with increased protection requirements or an elevated risk profile.

Exceptions to mandatory requirements must be approved by the relevant IT security function.