In this article, we present a best practise approach for the evaluation and assessment of IT security demands for railway applications. State-of-the-art standards and guidelines are used to identify and evaluate threats concerning the IT security of a given railway system and corresponding requirements are derived. Taking threat mitigation measures into account, the system under consideration is revised based on its technology and system architecture. Using combined " Top-Down " and " Bottom-Up " analysis techniques, the most relevant attack patterns and penetration paths are identified for each system component or function. The result of such an analysis may require iterative revisions and eventually extends IT security requirements as compared to the derivation from standards.