Skip to content

GRASP – Platform Overview🔗

This page describes the GRASP platform from the perspective of users and administrators, not at the infrastructure level.
The focus is on:

  • the shared data foundation,
  • the module structure,
  • scopes,
  • roles & permissions,
  • notifications and workflows.

Shared Data Foundation🔗

GRASP operates on a central data foundation shared by all modules:

  • Organization

    • People, teams, roles
    • Assignment to measures, documents, risks, audits, etc.

  • Asset Inventory

    • Assets (hardware, software, infrastructure, service providers, data)
    • Business processes
    • Dependencies between processes and assets

  • Documents & Policies

    • Policies, guidelines, NDAs, manuals, operating agreements, etc.
    • Versions, review dates, responsible persons

  • Findings & Measures

    • Central collection point across all modules

The advantage: you maintain this data only once and reuse it across ISMS, IT-Grundschutz, BCM, NIS 2, and additional modules.

Modules & Scopes🔗

Modules🔗

The platform consists of several domain-specific modules:

  • ISMS ISO 27001
  • IT-Grundschutz
  • BCM
  • NIS 2
  • Data Protection Management

Each module has its own views (e.g. SOA, BIA, modeling), but uses the same foundational data.

Scopes🔗

Using scopes, you define which segment of the organization should be covered in a module:

  • a scope can be used across multiple modules simultaneously (e.g. "Security 2025" in ISMS, IT-Grundschutz, and BCM),
  • for each scope you define:
    • associated processes,
    • assets, service providers, data,
    • optionally, personnel.

Scopes serve as the linking layer between shared master data and individual modules.

Notifications & Workflows🔗

In many areas, GRASP supports you with email notifications and simple workflows:

  • due or overdue measures
  • upcoming document reviews
  • steps in protection requirements assessments (creation → review → approval)
  • activities related to audits

Typical pattern:

  1. A responsible person is assigned.
  2. A deadline or review date is defined.
  3. GRASP automatically sends email reminders:
    • when due,
    • when overdue (including notification to approvers).

This turns "documented compliance" into a living process.

Imports & Integration🔗

For initial setup, we support:

  • CSV imports for people, processes, and assets,
  • incremental expansion and maintenance directly in the user interface.

This allows you to transfer existing inventories into GRASP relatively quickly without having to create everything manually.

Specific integrations (e.g. with identity providers or third-party systems) depend on your particular installation and are typically described on a project-specific basis.

Modules Working Together🔗

A typical scenario:

  1. You build your organization and asset inventory.
  2. You define a scope (e.g. "Security 2025").
  3. You start with ISMS ISO 27001:
    • SOA, protection requirements, risk analysis.
  4. In parallel, you use the same scope in BCM:
    • BIA, strategies, exercises.
  5. In IT-Grundschutz, you also use the same processes and assets:
    • information domain, building block modeling, requirements.

Through shared measures, findings, and risks, you maintain an overview across all compliance activities.