NIS 2 – Overview
The NIS 2 module in GRASP helps you systematically implement the requirements of the NIS 2 Directive within your organisation.
Like the ISO 27001, IT-Grundschutz and BCM modules, it uses the shared data foundation:
- Organisation (people, teams, roles)
- Inventory (assets, processes, service providers, dependencies)
- Policies & guidelines as well as documents
- Findings & actions
This means you only need to maintain master data once and can reuse it across all modules.
Prerequisite
Before working with NIS 2, the key people, processes, assets and service providers as well as their dependencies should already be maintained – ideally carried over from ISO 27001 or IT-Grundschutz.
Structure of the NIS 2 Module
The NIS 2 module deliberately follows the same structure as IT-Grundschutz (see IT-Grundschutz – Overview):
- Scope
- Risk Management
- Audit Management
In addition, you benefit from the global areas shared by all modules:
- Actions and findings management
- Task and calendar area for deadlines and reminders
Scope
In the Scope section you define which parts of your organisation are considered for NIS 2:
- Business processes (e.g. critical services)
- Infrastructure, hardware, software
- Service providers
- Data / information domains
- Relevant personnel where applicable
You link these objects to a NIS 2 scope. Only items within the scope will appear later in NIS 2 risk management and audit management.
Details can be found on the NIS 2 – Scope page.
Risk Management in NIS 2
NIS 2 risk management uses the same risk engine as ISO 27001, IT-Grundschutz and BCM (see NIS 2 – Risk Management).
Typical workflow:
- Configuration (assign risks)
  - Assignment of risks to categories (data, service providers, hardware, infrastructure, personnel, processes, software).
  - Use of a shared or NIS-2-specific risk catalogue.
- Risk Analysis (assessment)
  - Assessment of likelihood and impact per resource within the NIS 2 scope.
  - Determination of initial risk and acceptance level following BSI methodology.
- Treatment Plan & Actions
  - Selection of the treatment option (avoid, reduce, transfer, accept).
  - Creation and linking of actions with responsible persons, approvers and deadlines.
- Residual Risk & Closure
  - Assessment of residual risk after implementation or planning of actions.
  - Closure and – if needed – subsequent update of the assessment.
- Risk Matrix & Overview
  - Graphical representation of all NIS 2 risks by likelihood and impact.
  - Filtering by scope, resource type and status.
The corresponding detail pages can be found in the navigation under NIS 2 → Risk Management.
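The workflow above, modelled as an added Python example (not GRASP code): a risk's initial score, the residual after the chosen treatment option, its status against an acceptance level, and a matrix restricted to the NIS 2 scope with the page's filters. The four-step scales and the acceptance threshold are constructed assumptions; the page does not give GRASP's BSI-based values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed four-step scales and acceptance threshold; the page does not
# give GRASP's actual BSI-based scale, so these stand in for it.
LEVELS = ("low", "medium", "high", "very high")
ACCEPTANCE_LEVEL = 4  # scores at or below this need no further action

@dataclass
class Risk:
    resource: str
    category: str                              # data, software, personnel, ...
    in_scope: bool                             # linked to the NIS 2 scope?
    likelihood: str
    impact: str
    treatment: Optional[str] = None            # avoid / reduce / transfer / accept
    residual_likelihood: Optional[str] = None  # re-assessed after treatment
    residual_impact: Optional[str] = None

def score(likelihood: str, impact: str) -> int:
    """Ordinal product of the two scale positions, 1..16."""
    return (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)

def residual_risk(r: Risk) -> int:
    """Risk remaining after the chosen treatment option."""
    if r.treatment == "avoid":
        return 0                          # activity dropped, nothing remains
    if r.treatment in (None, "accept"):
        return score(r.likelihood, r.impact)   # assessment unchanged
    # reduce / transfer: use the re-assessed values where they were recorded
    return score(r.residual_likelihood or r.likelihood,
                 r.residual_impact or r.impact)

def status(r: Risk) -> str:
    """'closed' once a treatment is chosen and the residual is acceptable."""
    if r.treatment is None:
        return "open"
    return "closed" if residual_risk(r) <= ACCEPTANCE_LEVEL else "open"

def risk_matrix(risks, category=None, status_filter=None):
    """Map (likelihood, impact) -> resources, for in-scope risks only."""
    matrix = {}
    for r in risks:
        if (not r.in_scope or (category and r.category != category)
                or (status_filter and status(r) != status_filter)):
            continue                      # outside scope or filtered out
        matrix.setdefault((r.likelihood, r.impact), []).append(r.resource)
    return matrix
```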
Audit Management for NIS 2
With Audit Management you plan and document NIS 2 audits (e.g. internal reviews or preparation for external audits); see NIS 2 – Audit Management.
Typical steps:
- Planning in the Audit Calendar
  - Creating audits with time period, scope, objective and approving person.
  - Linking audit items and audit subjects (processes, assets, documents).
- Execution
  - Assessment of audit items with degree of fulfilment and implementation description.
  - Documentation of observations and deviations.
- Approval & Evaluation
  - Approval by the designated approver.
  - Creation of findings and actions per audit item.
  - Evaluation by scope, criticality, status and due dates.
All findings and actions from NIS 2 audits are stored in the global Findings & Actions area and can be managed there together with results from other modules.
Interaction with Other Modules
NIS 2 is not an isolated module but builds on the same structures as:
- ISO 27001 (Information Security Management System)
- IT-Grundschutz (BSI methodology)
- BCM (Business Continuity)
Examples:
- A scope can be used simultaneously for IT-Grundschutz and NIS 2 by selecting multiple modules in the subject-matter relevance settings.
- Risks and actions can be used across modules.
- Documents, policies and plans only need to be stored once and can be referenced in NIS 2.
This reduces duplication of effort and allows you to consistently demonstrate compliance with requirements from different standards and regulations using the same data foundation.