TL;DR: BSI’s Grundschutz++ reduces requirements by about 85%, remaps controls into technical, organisational, and ISMS practices, and moves from modules to direct target objects with a GitHub-based, machine-readable repository, according to Nexis. The shift matters because it changes how security teams model scope, map controls, and operationalise audit-ready governance across IT and beyond.
NHIMG editorial — based on content published by Nexis: GRC Grundschutz++ The Next Step by the BSI Towards a Modern ISMS
By the numbers:
- BSI's Grundschutz++ reduces requirements by around 85% through consolidation and clear must, should, can tiers.
- The new structure maps roughly 450 technical, 380 organisational, and 100 ISMS requirements.
Questions worth separating out
Q: What does the move from modules to target objects mean in practice?
A: Organisations should rebuild control ownership around concrete objects such as systems, applications, users, and procurement processes, so that each requirement attaches to something a named owner can evidence.
Q: Why does machine-readable security guidance matter for governance teams?
A: Machine-readable guidance matters because it can be imported into governance tooling, version control, and evidence workflows without manual re-entry.
Q: What breaks when control frameworks are reduced too aggressively?
A: What breaks is often not the number of controls, but the clarity of scoping and ownership behind them.
Practitioner guidance
- Rebuild your control mapping around target objects. Translate current module-based governance into asset, application, network, user, and procurement ownership so each requirement has a clear control owner and evidence path.
- Prepare for structured requirement ingestion. Treat the GitHub repository as a signal to align governance tooling with machine-readable inputs, versioning, and traceable change management.
- Review where IAM and NHI controls sit inside ISMS scope. Make sure service accounts, API keys, certificates, and privileged users are mapped to explicit governance objects rather than folded into generic infrastructure buckets.
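The three points above amount to one check: once requirements are machine-readable, every requirement should resolve to a concrete target object, an owner, and an evidence path, and identity objects should appear by name rather than inside an "infrastructure" bucket. The script below is an added illustration of that check, not code from Nexis or BSI. The JSON schema, the requirement identifiers, and the sample records are constructed for the example; they are a hypothetical stand-in, not the format of the BSI repository.

```python
"""Coverage check for a machine-readable control mapping.

Added example. The record schema (id, tier, category, target_object,
owner, evidence) is a constructed placeholder, not BSI's published format.
"""
import json
from collections import Counter

TIERS = ("must", "should", "can")

# Constructed sample: four requirements keyed to target objects. Note that
# service accounts and API keys are first-class objects, not "infrastructure".
SAMPLE_REQUIREMENTS = json.dumps([
    {"id": "TECH-001", "tier": "must", "category": "technical",
     "target_object": "service-account:ci-deployer",
     "owner": "platform-team", "evidence": "iam/ci-deployer/rotation.log"},
    {"id": "TECH-002", "tier": "should", "category": "technical",
     "target_object": "api-key:billing-export",
     "owner": None, "evidence": None},
    {"id": "ORG-001", "tier": "must", "category": "organisational",
     "target_object": "procurement:cloud-vendor-onboarding",
     "owner": "procurement", "evidence": ""},
    {"id": "ISMS-001", "tier": "can", "category": "isms",
     "target_object": "",
     "owner": "ciso-office", "evidence": "isms/risk-register.md"},
])


def load_requirements(text):
    """Parse the JSON export and reject records with an unknown tier."""
    data = json.loads(text)
    for req in data:
        if req.get("tier") not in TIERS:
            raise ValueError(f"{req.get('id')}: unknown tier {req.get('tier')!r}")
    return data


def find_gaps(requirements):
    """Return (id, problem) pairs for every requirement that lacks a
    target object, an owner, or an evidence path."""
    gaps = []
    for req in requirements:
        if not req.get("target_object"):
            gaps.append((req["id"], "no target object"))
        if not req.get("owner"):
            gaps.append((req["id"], "no owner"))
        if not req.get("evidence"):
            gaps.append((req["id"], "no evidence path"))
    return gaps


def blocking_gaps(requirements):
    """Gaps on 'must' requirements only: these would fail an audit outright."""
    must = [r for r in requirements if r["tier"] == "must"]
    return find_gaps(must)


def objects_by_type(requirements):
    """Group requirement ids by the object-type prefix (the part before ':'),
    so identity objects such as service-account or api-key are visible."""
    grouped = {}
    for req in requirements:
        target = req.get("target_object") or ""
        if ":" not in target:
            continue  # unscoped requirements are reported by find_gaps
        obj_type = target.split(":", 1)[0]
        grouped.setdefault(obj_type, []).append(req["id"])
    return grouped


def summarise(requirements):
    """Count requirements per category (technical / organisational / isms)."""
    return Counter(r["category"] for r in requirements)


if __name__ == "__main__":
    reqs = load_requirements(SAMPLE_REQUIREMENTS)
    print("per category:", dict(summarise(reqs)))
    print("objects by type:", objects_by_type(reqs))
    for rid, problem in find_gaps(reqs):
        print(f"gap: {rid}: {problem}")
    print("blocking:", blocking_gaps(reqs))
```

Run against a real export, the interesting output is the gap list, not the counts: a requirement with no owner or no evidence path is exactly the scoping failure the framework's target-object model is meant to expose. Keeping the export in version control means the gap list can be diffed between revisions of the requirement set.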
What's in the full article
Nexis's full article covers the operational detail this post intentionally leaves for the source:
- The event context behind BSI's Grundschutz++ presentation and how the roadmap was framed
- The specific redistribution of requirements across technical, organisational, and ISMS categories
- The planned publication milestones and transition timeline for the new method
- The author's firsthand interpretation of whether the change solves long-standing Grundschutz problems
👉 Read Nexis's analysis of BSI Grundschutz++ and ISMS modernisation →
Grundschutz++ and modern ISMS design: what changes for teams?
Explore further
Grundschutz++ is a governance redesign, not a cosmetic simplification. The move from modules to target objects changes how control ownership, audit evidence, and implementation scope are expressed. That matters because identity and access controls can no longer hide inside broad categories when the framework expects direct mapping to concrete assets and users. Practitioners should read this as a demand for sharper governance boundaries, not just a cleaner document structure.
A few things that frame the scale:
- 89% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes still operate with incomplete non-human inventory.
A question worth separating out:
Q: How do IAM and NHI programmes fit into a modern ISMS model?
A: IAM and NHI programmes fit best when identities are treated as explicit control subjects with their own lifecycle, ownership, and evidence requirements. Service accounts, API keys, certificates, and privileged users should not disappear into general IT buckets. A modern ISMS should make those identity objects visible enough to govern and audit directly.
👉 Read our full editorial: Grundschutz++ signals a broader shift in modern ISMS design