Customised ISMS Policy Templates

Customised templates for ISMS and BCMS policies, tailored specifically to your company and compliant with ISO 27001, TISAX®, KRITIS, NIS2 and other standards. Tested, up-to-date and proven.

"We just use a few templates"

If only it were how easy!

Guidelines and policies are the highway code in information security. The various standards and laws such as ISO 27001, TISAX®, BSI IT-Grundschutz, KRITIS, NIS2 and others require a whole host of general as well as topic-specific guidelines.

These define and adopt the individual rules within an organisation and thus declare them to be binding. None of this works with off-the-shelf templates, because:

Isms Policies

An ISMS in accordance with ISO 27001 adapts to the company, not the other way round.

More than policy templates: Let's tackle it together!

Benefit from our many years of expertise in setting up information security management systems (ISMS) and preparing companies of all sizes for certification. The biggest challenges that companies face:

  • Structure: Where do I actually start? How many resources do I need? We take you by the hand and support you in the introduction and implementation of an ISMS in accordance with ISO 27001, TISAX® and KRITIS, including gap analysis, policy creation, internal audit and certification preparation.
  • ISO 27001 and the like are very open to interpretation: every organisation is unique. ISO offers little concrete guidance, but must be tailored specifically to your company - just like your guidelines/policies. We support you with pragmatic measures, customised templates and advice that will save you a lot of time and stress.
  • Resources and prioritisation: From our experience, we know that many ISO experts specialise in certain areas, be it policies, IT or awareness. However, all three areas are important for successful and sustainable certification. As your partner, we are at your side for each of these aspects.
  • Auditing in accordance with ISO 27001, TISAX®, KRITIS and DVO 2019/1583: As auditors for all common standards, we work closely with TÜV Nord to conduct internal and external audits and get your company successfully over the finish line.

With our comprehensive approach, we support you on the way to successful ISMS certification - with heart, pragmatism and understanding.

Our customised templates for ISMS policies

We have practical guidelines and policies for almost all relevant areas that have been practised in certified companies for years. There is no need to reinvent the wheel here. The efficient way is to use templates, shorten them and adapt them to your company's specifics. The following policy templates can be used on request as part of our consulting services:


  • Scope-Document
  • Key figures
  • Management report
  • Document control
  • Security policy or guideline

Target group 'employees'

Specific topics

  • Mobile working / home office
  • Physical security 
  • Prototype protection (TISAX)
  • Supplier security
  • Personal safety
IT specific
  • Incident Management
    [Download sample as PDF]
  • IT-Admin-Policy or secure IT operations
  • Backup concept
  • IAM & Access Control
  • Secure software development
  • Security concept (KRITIS)
  • Process description Vulnerability Management
  • Cloud policy
BCM / crisis management
  • IT Emergency Management Manual
    [Download sample as PDF]
  • Crisis Management Manual
  • BCMS concept
  • Emergency concept
  • Ransomware checklist

Our motto for policies: The defined rules are effective (achieve the desired level of security), economical (reasonable cost-benefit ratio) and attractive (are easy to understand and fit in with the corporate culture).

Why customised ISMS policies are important

  • Optimisation of security measures: Customised ISMS policies allow companies to tailor their security measures to their individual needs and risks, enabling a more effective security strategy.
  • Compliance with legal requirements: By tailoring ISMS policies to address your organisation's specific legal requirements and regulations, you can ensure that you meet all necessary compliance standards.
  • Protection of sensitive data: By developing customised ISMS policies, companies can ensure that sensitive data is adequately protected and that the confidentiality, integrity and availability of this data is guaranteed.
  • Risk management: Tailored ISMS policies enable companies to identify, assess and minimise their specific risks, resulting in an improved risk management strategy.
  • Adaptation to changing threats: By regularly reviewing and updating customised ISMS policies, companies can ensure that their security measures are continuously adapted to changing threats and technologies.
  • Trust and credibility: Implementing customised ISMS policies demonstrates to customers, business partners and other stakeholders that your company is actively committed to information security, which builds trust and credibility.
  • Cost-efficiency: Customised ISMS policies can help improve the efficiency and cost-effectiveness of security measures by better targeting resources and avoiding unnecessary expenditure.
  • Competitive advantage: Organisations with tailored ISMS policies can differentiate themselves from competitors by demonstrating a higher level of cyber security and compliance, which can lead to a competitive advantage.

Prices and advice

Let's work together to develop customised ISMS guidelines that are precisely tailored to your needs. Contact us now for a personalised consultation.
Let's talk

Over 500 satisfied customers

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

Munich Airport

Frequently asked questions about ISMS policies

On the one hand, an ISMS policy document is specified by a standard. However, it actually acts as a guide for employees to ensure the security of company information in various areas.

Templates provide a starting point by containing the essential topics required by a standard. They are then customised to the specific requirements of your company.

Many employees cannot identify with generic policies as they may use different systems to those described in the policy. A policy tailored to your company takes into account all the specific features and circumstances of your organisation.

Thanks to our many years of experience, we have a constantly growing pool of templates that we can adapt to all the specific features and circumstances of your company and are always at the cutting edge of technology.

A template without advice corresponds to a standard template. We support you in optimally adapting your ISMS to the needs and circumstances of your company.

Unfortunately, a generalised answer is not possible here. The costs can vary between 20 and 60 person days depending on the size of the company. Please contact us so that we can understand your individual requirements and prepare a customised offer for you.

ISMS stands for Information Security Management System. It is a management system designed to protect the confidentiality, integrity and availability of information.

BCMS stands for Business Continuity Management System. It is a management system designed to ensure the continuous operation of a company, even if a failure occurs.

BCMS and ISMS are two different management systems that go hand in hand. The BCMS (Business Continuity Management System) focuses mainly on preventive protective measures and ensuring business continuity in the event of disruptions. The ISMS (Information Security Management System), on the other hand, focuses on protecting the confidentiality, integrity and availability of data.

The ISMS guideline is the overarching document that describes the scope of the ISMS, its objectives and the underlying strategy.

An ISMS is a structured approach to managing information and its security in an organisation. It consists of several main components:

  1. Risk assessment and management: identifying information and assets, assessing the associated risks and implementing risk mitigation measures.
  2. Policies and procedures: Establishing security policies and procedures that form the basis for the secure handling of information within the organisation.
  3. Organisational structure: Clear assignment of responsibilities and authorities with regard to information security, including the appointment of an information security officer (ISO) or a security team.
  4. Training and awareness: Training employees on security policies, procedures and best practices and promoting security awareness throughout the organisation.
  5. Monitoring and review: Continuously monitoring information security measures, conducting security audits and regularly reviewing the ISMS to ensure it is effective and meets changing requirements.
  6. Continuous improvement: Identifying opportunities for improvement and implementing measures to continuously develop the ISMS.

An effective ISMS provides a holistic approach to information security that aims to minimise risk, ensure the confidentiality, integrity and availability of information and ensure compliance with relevant laws and regulations.

Companies in the critical infrastructure sector (KRITIS) and companies in the aviation security industry are required by law to have an ISMS. Customers and partners often also have requirements for an ISMS, for example to ensure the continuous functioning of the supply chain.

With over 50 highly qualified cyber security experts and more than 20 years of experience, we support 500+ satisfied customers - including 50% of DAX companies and hundreds of medium-sized companies.

In addition, we have already sensitised over 1 million employees, managers, administrators and developers with our awareness training courses.

We are convinced that the values of our society must also be protected in cyberspace. That is why we help organisations to protect themselves with the right combination of technologies, processes and people.

In concrete terms, this means

  • We make individual risks and threats tangible and understandable (Identify)
  • We increase resilience to cyber attacks through targeted measures (Protect)
  • We develop concepts to recognise cyber attacks promptly (Detect)
  • We limit the damage caused by cyber attacks through good preparation and a professional response (Respond)
  • We help companies to get back up and running quickly after an attack (Recover)

In all of this, we take the approach of transferring successful cyber security strategies from corporate groups to SMEs with a sense of proportion and pragmatism, using high-quality best practices and standards.

In short: we see ourselves as a "boutique" and deliver class instead of mass.

Convinced? Let's tackle it together!