ISO 27001 consulting in Dresden

Smooth and quick ISO 27001 certification of your ISMS - From consulting and planning to implementation and certification: the highest security standards and efficient information security management.

We protect your company from cyber attacks!

Information security

Why is information security so essential?

Data and information form the backbone of a successful company. Their protection is therefore essential to avoid damage to your image or financial losses. It's not just technical measures that are crucial. It is equally important to regularly train employees so that security risks can be identified at an early stage and effectively prevented.

Only a holistic strategy that relies on technology and awareness can protect sensitive company assets in the long term. Our experienced experts will advise you and support you on all questions relating to information security. Together we develop individual concepts so that your company is optimally equipped and can continue to operate confidently in the future - even in a networked working world.

Our advice

In a free initial consultation, we will first assess your specific needs. On this basis, we develop an individual package of measures that is optimally tailored to the requirements of your company.

Our offer includes the implementation of a management system for information security, either according to ISO 27001 or according to the automotive standard TISAX® (TISAX® is a registered trademark of the ENX Association). In addition, we provide you with comprehensive advice on meeting the requirements of the NIS 2 directive and the DORA regulation.

Depending on your focus, we also support you in implementing the modernized BSI standards, which include both a general management system for information security as well as the IT-Grundschutz methodology and the core protection of particularly sensitive data. If you wish, we can also take on the training of your employees in order to anchor a holistic security awareness in the company.

Your advantages

Benefit from our collaboration

Security

The security of your data deserves the utmost attention. An information security management system offers you comprehensive protection against misuse and theft.

Speed

Proven methods and standardized processes ensure that existing regulatory gaps in your system are closed quickly.

Customer trust

A high level of information security leads to a trusting relationship between you and your customers. 

Integrative approach

We either integrate the new regulations into your existing documentation systems or provide you with a collaboration platform.

Personal support on site

Unlike many of our competitors, we are available to assist you personally on site whenever you need us.

Process of a consultation on IT security

Our experienced IT security consultants are very familiar with the risks, opportunities and compliance requirements of SMEs, companies and authorities. We advise you across all sectors; our consultants have many years of experience in many areas such as NIS2, banks and insurance companies, KRITIS, telecommunications, the health sector and many more. Use our specialized advice to ensure your business benefits from optimal protection against potential threats.

1. Setup

We work with your management and IT teams to define the necessary protective measures, taking into account the potential risks to your business. Our goal is to create a tailor-made security concept that meets both the requirements of your industry and your own goals, such as certification against ISO/IEC 27001, TISAX® or IT-Grundschutz.

2. Analysis

Our experienced technical team examines your IT, your infrastructure and your interfaces in detail to determine the necessary security requirements. We go beyond traditional IT compliance verification measures to give you the assurance of a comprehensive risk assessment based on industry best practices.

3. Concept

We create an IT security concept based on your requirements. We develop a comprehensive concept that shows suitable options for implementation. You have the last word!

4. Solution

All necessary measures - from short-term to long-term security measures - are developed and carefully implemented. Technical aspects are seamlessly combined with organizational, personnel and infrastructural considerations to ensure maximum protection against the identified risks.

5. Reporting

Our experienced team ensures that you receive the best support when converting to productive operations - for the success of everyone involved! In addition, we offer regular reports with appropriate documentation as well as special communication channels such as status reports so that vulnerabilities can be remedied quickly and you are always up to date.

6. Advice

With a continuous improvement process (CIP), monitoring during ongoing operations ensures that the IT security concept is always up to date. Regular analysis of the implementation and of the defined key performance indicators (KPIs) enables us to react to vulnerabilities and to use newly discovered security gaps for further optimization. We offer you comprehensive strategic end-to-end support in the area of information security - from initial planning to successful implementation. Our team is at your side as a reliable partner and advisor.

Frequently asked questions about IT security

What is meant by information security?

Information security is concerned with protecting all information that exists in an organization - this includes digital data, paper documents, the knowledge of employees and other confidential information. The overall goal is to ensure the confidentiality, integrity and availability of that information.

  • Confidentiality means that only authorized people have access to information.
  • Integrity refers to the fact that information is correct and complete and is not subject to unauthorized alteration.
  • Availability ensures that information and systems are accessible when needed.


Note:
Especially in times of increasing cyber threats and complex legal requirements, the topic of information security is becoming increasingly important. External advice can help companies develop tailor-made security concepts both strategically and operationally.

An ISMS is a structured approach to holistically planning, implementing, monitoring and continuously improving information security in an organization. It consists of policies, processes, procedures and controls designed to ensure that information security objectives are met and risks are appropriately addressed.

Typical components of an ISMS are:

  1. Information security policy: Basic guidelines and objectives.
  2. Risk management process: Identification, assessment and treatment of risks.
  3. Roles and responsibilities: Definition of who is responsible for what.
  4. Training and awareness raising: So that all employees understand the importance of information security.
  5. Control measures: Technical, organizational and physical security measures.
  6. Continuous improvement processes: Regular reviews and audits.


Note:
External advice can significantly speed up the process and ensure that best practices are applied.

ISO/IEC 27001 is the globally recognized standard for introducing and operating an ISMS. It specifies the requirements that organizations must meet in order to operate a certified information security management system.

  • The ISO/IEC 27001:2022 version contains updated requirements and controls that address modern IT and information security challenges.
  • It is part of the ISO/IEC 27000 family, which covers various aspects of information security.


ISO/IEC 27001:2022 certification offers companies objective evidence that they apply best practices and take a systematic approach to information security. This strengthens the trust of customers, business partners and regulators.

Note: External consultants are often familiar with the latest changes and interpretations of the standard and can help to adapt the ISMS quickly and in accordance with the standard.

Compared to the previous version (ISO/IEC 27001:2013) there are some significant innovations:

  1. Adjustments in Annex A:
    • Controls have been consolidated, restructured and adapted to modern technologies (e.g. cloud, mobile devices).
    • New controls have been introduced on topics such as threat intelligence, configuration management and cloud services.
  2. Sharpening the risk treatment process:
    • Clear guidelines for defining and assessing risks.
    • Detailed documentation and traceability requirements.
  3. Greater involvement of top management:
    • The responsibilities for information security and risk management are anchored even more firmly at the top management level.
  4. Updated terminology and improved clarity:
    • Modernized terms and more precise wording ensure better understanding.


Note:
Anyone who is already certified according to ISO/IEC 27001:2013 should check early on which adjustments are necessary to maintain the certificate according to ISO/IEC 27001:2022. External advice can help to minimize the conversion effort.

Certification according to ISO/IEC 27001 brings a number of advantages:

  • Building trust: Customers, partners and authorities see that information security is implemented professionally.
  • Competitive advantage: Many tenders and cooperation partners demonstrably demand high security standards.
  • Risk minimization: An ISMS helps to systematically identify and eliminate weak points.
  • Compliance facilitation: A certified ISMS supports the fulfillment of other regulatory requirements such as NIS2, DORA, IT Security Act and GeschGehG.


Note:
External advice can provide particular support when preparing for the certification audit by specifically identifying gaps and introducing best practices.

The NIS2 Directive (Network and Information Security Directive) is an EU-wide regulation that replaces the previous directive (NIS) and tightens its provisions. It expands the circle of companies that count as essential or important entities and sets higher standards for cybersecurity.

  • Reference to ISO/IEC 27001:
    • A structured ISMS according to ISO/IEC 27001 makes it easier for organizations to meet the requirements of the NIS2 directive (e.g. risk management, security incident reporting).
    • The standard provides a systematic framework to establish processes and technical controls to defend against cyber threats.


Note:
External experts know the interfaces between the ISO standard and legal obligations and support the precise implementation.

DORA (Digital Operational Resilience Act) is an EU regulation specifically aimed at the financial sector. Its goals are protection against cyber risks and the maintenance of critical financial services across the EU.

  • Central content:
    1. Risk management in the financial sector: Financial institutions must meet strict requirements to protect themselves against cyber threats.
    2. Reporting requirements: Security incidents must be reported promptly to the relevant authorities.
    3. Information exchange: Promote sharing of cyber incidents between financial institutions.
  • Relevance to ISO/IEC 27001:
    1. An ISMS forms the basis for a structured approach to risk identification, assessment and treatment, which is also necessary for the requirements of DORA.
    2. The documentation requirements in ISO/IEC 27001 support compliance with DORA requirements.


Note:
External advice can be particularly helpful in the financial sector, because in addition to ISO/IEC 27001, additional standards (e.g. BAIT, EBA guidelines) are often relevant.

The German IT Security Act - and its further developments (e.g. IT Security Act 2.0) - stipulates that operators of critical infrastructures (KRITIS) and other important organizations must adequately protect their IT systems.

  • Requirements:
    • Introduction of security standards and reporting requirements for security incidents.
    • Regular audits and tests by the Federal Office for Information Security (BSI).
  • Why important?
    • Violations can lead to high fines, loss of image and strict requirements.
    • Companies must prove that they use the "state of the art".


Note:
ISO/IEC 27001 certification is often accepted as proof that state-of-the-art technology is being adhered to. External consultants can support the implementation of BSI recommendations and standards.

The Act for the Protection of Trade Secrets (GeschGehG) is intended to protect sensitive operational information – i.e. trade secrets – from unauthorized disclosure or use. Companies must take technical, organizational and contractual measures to secure their know-how.

Interaction with an ISMS:

  • An ISMS according to ISO/IEC 27001 already defines many measures that also serve to protect trade secrets (e.g. access authorizations, encryption, clear processes).
  • Companies can thus efficiently prove that they are adequately protecting their secrets.


Note:
External advice can, for example, help to classify guidelines, establish processes for securing secrets and design the documentation in the ISMS in such a way that the requirements of the GeschGehG are met.

The certification process is divided into several phases:

  1. Project initiation and scope definition:
    • Determine which areas and locations are included in the ISMS.
  2. Risk management:
    • Identification, assessment and treatment of risks.
    • Selection of appropriate controls (according to Annex A of ISO/IEC 27001:2022).
  3. Implementation of the measures:
    • Introduction of policies, processes and technical security solutions.
    • Raising employee awareness.
  4. Internal audits:
    • Examination of the effectiveness of the ISMS by internal auditors.
  5. Management review:
    • Review by management of whether the ISMS meets the defined goals.
  6. Certification audit:
    • An external certifier checks conformity and issues the certificate.


Note:
External consultants can not only provide support with implementation, but also with preparation for the audit - for example through preliminary audits (gap analyses) and training.

The duration depends heavily on the size, complexity and existing maturity level of an organization:

  • Smaller companies with manageable processes can complete the process in approx. 6-12 months.
  • Medium-sized and large companies or corporations with complex structures and many locations often need 12-24 months or longer.


Important factors include the availability of resources, top management commitment and training needs.

Note: An external ISMS consultant can help to shorten the time required through targeted project planning, identifying and avoiding typical stumbling blocks at an early stage.

The costs consist of the following components:

  • Internal expenses: Personnel costs for the project team, training, internal audits, etc.
  • External advice: Fees for ISMS experts and special consulting services, if purchased.
  • Certification costs: Fees of the certification company (depending on company size, audit duration).


In general, costs increase with company size and complexity. Nevertheless, it should be noted that this investment in information security reduces the long-term costs of security incidents, fines or loss of image.

The risk-based approach is a core principle of ISO/IEC 27001. It states that security measures must always be targeted and proportionate to the identified risks. In a defined risk management process, threats, vulnerabilities and damage impacts are analyzed in order to derive prioritized measures.

  • Risk assessment: Which risks have a high probability of occurring or a high potential for damage?
  • Risk treatment: What controls or strategies are used to minimize or accept these risks?
  • Continuous process: Risks are constantly changing, so regular reassessment is necessary.


Note:
External advice can help you select sensible risk assessment methods and tools and integrate them into company processes.

Lack of resources: There is often a lack of sufficient qualified personnel and time to deal intensively with the standard and risk management.

Resistance in the company: Employees sometimes perceive the additional documentation effort as bureaucracy.

Lack of security culture: If top management does not actively demonstrate and communicate the importance of information security, the topic often falls by the wayside.

Technical complexity: Heterogeneous IT landscapes, legacy systems and cloud services can make implementation difficult.

Note: As a neutral party, external consultants can mediate internally, design training programs and suggest organizational and technical solutions.

Top management sets the strategic direction and makes the necessary resources available. Furthermore, it creates a corporate culture in which information security has a high priority. If managers stand behind the ISMS and communicate this visibly, acceptance increases throughout the company.

Examples of leadership tasks:

  • Definition of security goals and guidelines.
  • Decisions about risk budgets and strategies.
  • Communicating the importance of security measures to all employees.


Note:
The certification audit explicitly checks whether top management is involved and assumes responsibility. External consultants can conduct workshops with managers to clarify the role of management.

The Statement of Applicability (SoA) is a central document in ISO/IEC 27001 that states:

  1. Which controls (from Annex A or additional ones) apply to your own ISMS.
  2. Which controls were excluded and why (e.g. because certain risks do not apply).
  3. The justification for the selection or rejection of specific measures.


It serves as a transparency and evidence document for internal and external stakeholders (e.g. auditors, customers, partners). The SoA makes it possible to understand which security standard the company is striving for and implementing.

Note: An external consultant can assist in the creation of the SoA by assessing which controls are appropriate or critical and structuring the documentation in a consistent manner.

With the ISO/IEC 27001:2022 version, Annex A has been revised. This requires an update of the SoA to ensure that the new, changed and merged controls are correctly reflected. What is important is:

  • Mapping of the old controls to the new or changed controls.
  • Adaptation of the justifications if the requirements or the risk situation have changed.
  • Documentation of all changes with clear traceability for internal and external audits.


Note:
External advice can ease the transition by explaining the changes in the standard and supporting the migration process.

Yes, it is actually highly recommended to combine them in an integrated management system (IMS). ISO standards often share common principles:

  • Process-oriented approach
  • Risk-based thinking
  • Continuous improvement

Examples of synergy effects:

  • A company that already uses a quality management system (ISO 9001) has established structures for process documentation and internal audits.
  • A business continuity management system (ISO 22301) and an ISMS complement each other to cover failure scenarios and minimize their effects.


Note:
External consultants who have experience with multiple standards can ensure that documentation and processes do not have to be set up twice and that consistent governance is created.

NIS2 demands a high level of IT and cybersecurity from companies (especially in critical sectors), as well as the reporting of security incidents. With an ISMS, organizations can more easily meet these requirements because:

  • Risk assessments and security measures are already formalized.
  • Incident management is clearly defined, which makes reporting to authorities easier.


DORA demands comprehensive digital resilience in the financial sector, i.e. the ability to cope with IT disruptions and cyber attacks. An ISMS delivers:

  • Clear processes for dealing with security incidents.
  • Documented monitoring and reporting.
  • Proof of compliance through a structured system.


Note:
External advice can identify interfaces between the ISMS and the legal requirements in order to avoid unnecessary duplication of work.

Employees play a key role in information security: even the best technical measures are ineffective if employees fall for phishing emails or pass on passwords, for example. Regular training and awareness campaigns are therefore essential.

Goals of training:

  1. Conveying the basics of information security.
  2. Behavior in specific situations (e.g. detecting social engineering attacks, dealing with suspicions).
  3. A corporate culture in which security is a given.


Note:
External consultants can develop and deliver customized training programs tailored to the specific industry and risk situation.

Internal audits should take place regularly (at least annually) in order to identify weak points at an early stage and to realize potential for improvement.

External audits as part of certification typically take place in a 3-year cycle:

  1. Certification audit (initial audit)
  2. Annual surveillance audits
  3. Re-certification audit after three years


Note:
When companies make significant changes to their ISMS (e.g. new scope, mergers, major technical changes), it may make sense to have additional audits or gap analyses carried out by an external partner.

Minor Nonconformities: These discrepancies must be resolved within an agreed period of time (often 90 days). The certificate is generally not at risk as long as corrective measures are implemented in a timely manner.

Major Nonconformities: If there are significant gaps in the ISMS or violations of basic standard requirements, the certificate cannot be issued or maintained until the deviations have been permanently remedied.

Note: External consultants can help with corrective action planning and implementation and thus ensure that the nonconformities are closed promptly and effectively.

The standard prescribes a number of mandatory documents, including:

  1. ISMS policy
  2. Documented procedures and policies (e.g. risk assessment process, emergency plan)
  3. Risk assessment and risk treatment plan
  4. Statement of Applicability (SoA)
  5. Documented results (e.g. audit reports, management reviews, corrective actions)


In addition, the standard requires records in order to be able to prove the implementation and effectiveness of the ISMS (e.g. logs of security incidents, training participation).

Note:
External consulting can provide templates that meet the standard requirements and support the creation or adaptation of these documents.

An ISMS covers numerous technical controls, for example:

  • Firewalls, Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
  • Encryption of data (both storage and transmission)
  • Hardening of systems and regular patch management
  • Identity and access management (IAM) with strong authentication methods
  • Network segmentation to contain the spread of damage
  • SIEM systems (Security Information and Event Management) for real-time monitoring


Note:
External consultants can provide manufacturer-neutral recommendations as to which solutions best suit the respective IT environment.

In addition to technology, organizational aspects are also essential:

  • Role and authorization concepts: Clearly define who has which rights and why.
  • Contract and supplier management: Security requirements in contracts, verification of service providers.
  • Rules and guidelines (e.g. password policy, bring-your-own-device policy).
  • Incident response processes: What happens in the event of a security incident, who is informed?
  • Emergency planning and business continuity: Ensuring business operations during outages.


Note:
Organizational measures are often underestimated, even though they form the foundation for an effective security culture. External consultants can help develop workable guidelines.

An ISMS can – and should – be scaled. Small and medium-sized companies (SMEs) can also benefit from an ISMS:

  • Protection of sensitive data (e.g. customer data, intellectual property)
  • Competitive advantage: Especially in industries where customers or partners care about security.
  • Risk awareness: A structured approach helps to prevent cyber attacks or data loss.


The requirements can be implemented at an appropriate scale so that there is no excessive bureaucratic effort.

Note: External ISMS consultants can help SMEs to implement the relevant measures in a "lean" way and optimize costs.

Authorities appreciate an ISMS certified according to ISO/IEC 27001 as evidence of compliance with the "state of the art" and of practiced compliance.

Customers feel confident that their data is protected, which increases customer trust.

Partners see that information security is a core corporate value and can work together smoothly (e.g. in data exchange).

In addition, an ISMS can help to avoid fines and liability risks, as appropriate security measures are demonstrably in place.

The Act for the Protection of Trade Secrets (GeschGehG) requires proof of appropriate protective measures for company and business secrets. An ISMS according to ISO/IEC 27001 offers a solid basis here:

  • Systematics: The ISMS already defines processes for how information is classified and access rights are assigned.
  • Documentation: The ISMS documents the implementation of measures, which serves as evidence in legal disputes or in an emergency.
  • Continuous improvement: As part of the ISMS, measures are continuously monitored and optimized.


Note:
External consultants can specifically check whether all requirements of the GeschGehG are covered and recommend specific additions.

Experience and best practices: External specialists have often implemented projects in many industries and are familiar with typical pitfalls.

Independent point of view: Consultants bring objectivity and identify optimization potential that internal teams might overlook.

Time and cost efficiency: With well-established methods and processes, the creation or improvement of an ISMS can be done more quickly.

Know-how transfer: The internal team learns from experts and can later apply the knowledge independently.

In addition, external consultants are usually always up to date with regard to legal changes (NIS2, DORA, IT Security Act etc.) and technical trends.

Sustainable competence building: The internal team benefits from the transfer of knowledge and can master future challenges independently.

Proactive risk management: Thanks to regular updates on standards and best practices, companies stay at the current level of security.

Reduced risk of errors: The expertise of experienced consultants minimizes the risk of costly wrong decisions or compliance violations.

Holistic implementation: External consultants not only look at technology, but also processes, organization and culture - for a comprehensive security concept.

In this way, the ISMS evolves into a strategic instrument that not only creates security but also strengthens a company's value creation and opens up new business opportunities.

Your experts in IT security issues for Dresden

Whether CISO, CIO, IT director, IT manager or person responsible for IT security – our experienced IT security experts have extensive practical experience and develop tailor-made solutions that are perfectly tailored to the needs of your company.

Initial consultation free of charge

Would you like to introduce a management system for information security? We operate in Dresden, Germany, Austria and Switzerland and support you.