As an auditing tool for authorities, Katakri can be used to assess the ability of an organisation to protect Classified Information. Katakri itself does not set mandatory requirements on information security. It brings together the minimum requirements which are based on national legislation and international information security obligations. In this context, the most important piece of national legislation is the Government Decree on Information Security in Central Government (681/2010), which will be referred to as the Decree on Information Security and which is followed to protect both national and international Classified Information. An important international source here is the Council Decision on the Security Rules for protecting EU Classified Information (2013/488/EU) which lays down the basic principles and minimum standards of security for protecting EU Classified Information (EUCI). To ensure transparency, a source reference is always given in connection with the requirements presented in Katakri.