02 / The challenge

Compliance eats the team that should be doing security.

Three bottlenecks show up in every ISMS team, every Grundschutz consultancy, and every regulated DACH company preparing for NIS2.

01 · The workload

Four to six weeks of senior time. Per project.

BSI IT-Grundschutz carries more than 1,000 requirements across 100+ Bausteine. NIS2 layers on sector-specific duties, DORA on financial firms, KRITIS on operators. The work scales linearly. Your headcount doesn't.

02 · The quality gap

Experts copy documents they already had, and sell it as unique work.

The market rewards throughput, so practices optimise for recycling old text. It works until an auditor notices. A Sicherheitskonzept that doesn't reflect your actual organisation is an audit-Rauchvorhang, not a security posture.

03 · The scale

The next framework arrives before the last one is finished.

NIS2, KRITIS-Dachgesetz, the BSI's Grundschutz++ reform. Each shifts scope, wording, and evidence requirements. OrbisGraph maps the changes as they happen and evolves your Sicherheitskonzepte alongside the industry.

03 / The platform

OrbisGraph. The compliance platform built on your knowledge graph.

OrbisGraph isn't a ticket tracker or a Word template. It's a knowledge graph that connects your assets, processes, Bausteine, requirements, measures, evidence, and people, with every relationship versioned and explainable.

The mapping

Quality-controlled extraction from your unstructured documentation.

OrbisGraph extracts your ISMS into the knowledge graph from your documentation. Every output measures its own accuracy, and extraction quality is independently validated by cybersecurity researchers at Freie Universität Berlin.

  • Baustein-Reife, Maßnahmen-Status, Nachweis-Deckung: all live
  • Every AI-inferred fact is kept separate from human text, with citation and reversal.
  • Export as Word, Excel, or PDF when the auditor asks
97.68%
entity extraction
83.46%
relationship mapping
Platform architecture
orbisgraph.de / graph
From unstructured documents to a knowledge graphThree source documents on the left with highlighted compliance phrases. Dotted mapping lines flow into a knowledge graph on the right: a central Sicherheitskonzept hub connected to Bausteine, Maßnahmen and a Nachweis evidence node.SOURCEKNOWLEDGE GRAPHSicherheitskonzept.docx§3.2 APP.1.1Risikoanalyse.pdfSchutzbedarf: hochNetzplan.xlsxVLAN NET.1.1Sicherheits-konzeptAPP.1.1CON.1NET.1.1ORP.1SYS.1.5M01M0298%83%BausteinMaßnahmeNachweisAI-inferred

05 / Future-proof

The BSI is moving IT-Grundschutz to a machine-readable format. Your Sicherheitskonzept should be ready for it.

Grundschutz++ replaces document-centric compliance with machine-readable, structured data. OrbisGraph is built for exactly this direction. Sicherheitskonzepte written today convert when the new format ships. Migration, not restart. The same graph-native structure makes ISO 27001 a serialisation exercise, not a rebuild.

Full Grundschutz++ briefing

06 / From the field

What early testers noticed first.

This is the first time I see somebody turning this honestly big piece of gold that's just so overwhelming that nobody can practically use it into something that actually does make sense.
MD · Cybersecurity ConsultancyFortune-500 Clients
A major unlock, freeing up capacity for the things people actually enjoy and where they're adding real value, versus just feeding some compliance machine.
MD · Cybersecurity ConsultancyDACH Enterprise Clients
Using the graph for establishing the ground truth, getting out of the tacit knowledge trap, and then scaling it. Once you have this, you can really increase speed. And you keep it consistent.
Defence IT Provider7,000+ Employees
If you're able to do that at that quality level, the extractions, and being able to say this is not just what you have but the preparation of what's missing, that has massive value.
CEO · DACH Cybersecurity Consultancy100+ Employees

Show us your use case. We'll show you the knowledge graph.

Schedule a call to explore how OrbisGraph can accelerate your compliance efforts.