Skip to content

GRASP – Start Guide🔗

This start guide takes you in a few steps from your first login to working in your first module (e.g. ISMS per ISO 27001 or BCM).

1. Login & Understanding Your Role🔗

  1. Log in to your company's GRASP instance\ (typically via Single Sign-On or credentials from your identity provider).
  2. Depending on your role, you will see different modules and views.

If you are unsure whether your role is set correctly, contact your internal GRASP administration.

2. Review Organization & Inventory🔗

Before you dive into a module, it is worth checking the shared areas:

  • Organization

  • Are the relevant people, teams, and roles in place?

  • Are there designated owners for information security, BCM, data protection, and IT operations?

  • Asset Inventory

  • Are the key processes set up?

  • Are essential systems/assets (hardware, software, infrastructure, service providers, data) present?
  • Are dependencies between processes and assets maintained?

Use CSV Import

People, processes, and assets are often initially loaded via CSV import.\ You can add or adjust entries at any time directly in the user interface.

3. Define the Scope🔗

Next, you define which part of the organization you want to cover within a module.

Examples:

  • ISO 27001 only for the central IT platform
  • BCM only for critical business processes
  • IT-Grundschutz for a specific data center

Steps:

  1. Open the desired module (e.g. ISMS per ISO 27001).
  2. Navigate to the Scope tile.
  3. Create a new scope (name + description).
  4. Link the relevant processes, infrastructure, hardware, software, service providers, data, and personnel to this scope.

The scope later serves as the basis for:

  • SOA,
  • protection requirements assessment,
  • risk analyses,
  • audits.

4. Choose a Module and Get Started🔗

ISMS ISO 27001🔗

Recommended sequence:

  1. Work through the implementation guide and use it as a checklist.

  2. Complete the SOA:

  3. select applicable controls,

  4. document justifications,
  5. link measures and documents.
  6. Determine protection requirements for processes/assets and apply inheritance.

  7. Carry out risk management:

  8. configure risks,

  9. create risk analyses,
  10. plan measures.
  11. Prepare and conduct audits.

BCM🔗

Recommended sequence:

  1. Perform BIA pre-filtering and BIA configuration.
  2. BIA assessment for critical processes.
  3. Target/actual comparison to evaluate implementation status.
  4. Strategies & solutions, followed by planning exercises & tests.

IT-Grundschutz🔗

Recommended sequence:

  1. Define the information domain and scope.
  2. Carry out modeling with security building blocks.
  3. Work through requirements in the check.
  4. Perform protection requirements assessment & inheritance.
  5. Optional: risk management and audits as in the ISMS.

5. Keep Track of Measures and Findings🔗

Regardless of which module you start with:

  • Measures and findings are collected in the central\ "Findings & Measures" area.

  • There you can:

  • filter by owner, status, due date, or module,

  • generate a personal to-do list,
  • see where action is needed (e.g. overdue measures).

With the optional task/calendar area, you can also manage operational tasks such as audit preparation or emergency exercises.

6. Next Steps🔗

Once the basics are in place, you can:

  • work through the module relevant to you chapter by chapter,
  • optionally start an internal pilot project with a clearly limited scope,
  • consider whether external consulting (e.g. ISB/BCM advisory) would be beneficial.

Recommendation

Start with a small, clearly defined scope that you can take through the entire process.\ This will help you learn how GRASP works, and you can gradually add more areas later.