Customised ISMS Policy Templates

Customised templates for ISMS and BCMS policies, tailored specifically to your company and compliant with ISO 27001, TISAX®, KRITIS, NIS2 and other standards. Tested, up-to-date and proven.

"We just use a few templates"

If only it were how easy!

Guidelines and policies are the highway code in information security. The various standards and laws such as ISO 27001, TISAX®, BSI IT-Grundschutz, KRITIS, NIS2 and others require a whole host of general as well as topic-specific guidelines.

These define and adopt the individual rules within an organisation and thus declare them to be binding. None of this works with off-the-shelf templates, because:

Isms Policies

An ISMS in accordance with ISO 27001 adapts to the company, not the other way round.

More than policy templates: Let's tackle it together!

Benefit from our many years of expertise in setting up information security management systems (ISMS) and preparing companies of all sizes for certification. The biggest challenges that companies face:

  • Approach and structure: Where do I actually start? How many resources do I need? We take you by the hand and support you in the introduction and implementation of an ISMS in accordance with ISO 27001, TISAX® and KRITIS, including gap analysis, policy creation, internal audit and certification preparation.
  • ISO 27001 offers a lot of room for interpretation: these standards mainly describe what needs to be implemented, but do not provide any specific instructions on how this should be done. Our added value: We are ISMS auditors ourselves and know what is important. We translate unwieldy standards into concrete measures. Our aim is to define effective processes and policies while remaining pragmatic.

  • Resources and prioritisation: From our experience, we know that many ISO experts specialise in certain areas, be it policies, IT or awareness. However, all three areas are important for successful and sustainable certification. As your partner, we are at your side for each of these aspects.
  • Professional preparation for ISO 27001, TISAX®, KRITIS and DVO 2019/1583 certification: As we work as auditors for certification bodies ourselves, we know exactly what is important. This enables us to prepare you specifically for successful certification.

Our customised templates for ISMS policies

We have practical guidelines and policies for almost all relevant areas that have been practised in certified companies for years. There is no need to reinvent the wheel here. The efficient way is to use templates, shorten them and adapt them to your company's specifics. The following policy templates can be used on request as part of our consulting services:


  • Scope-Document
  • ISMS KPIs Catalogue
  • Management report
  • Document control
  • Security policy or guideline

Target group 'employees'

Specific topics

  • Security for mobile working and home office
  • Physical security
  • Security in dealing with service providers and suppliers
  • Personal safety
IT specific
  • Incident Management
    [Download sample as PDF]
  • IT-Admin-Policy or secure IT operations
  • Backup concept
  • IAM & Access Control
  • Secure software development
  • Security concepts for KRITIS systems
  • Process description Vulnerability Management
  • Cloud policy
BCM / crisis management
  • IT Emergency Management Manual
  • Crisis Management Manual
  • BCMS concept
  • Emergency concept
  • Ransomware checklist

Our motto for policies: The defined rules are effective (achieve the desired level of security), economical (reasonable cost-benefit ratio) and attractive (are easy to understand and fit in with the corporate culture).

Why customised ISMS policies are important

  • Consideration of the organisational culture: Every company is unique. Factors such as business purpose, industry, company size and the level of development of management systems play a decisive role in defining suitable security measures. While generic policy templates are cost-effective, they often do not do justice to the specific requirements and circumstances of your organisation.
  • Individual starting position: The motivations and drivers for information security vary greatly between companies and sectors. In addition to their own motivation, legal requirements such as KRITIS, NIS-2 or customer expectations often take centre stage. Generic policy templates rarely cover the specific starting conditions of a company in a meaningful way, and the effort required to customise them to your individual needs remains.
  • Individual threat situation: Every organisation has a unique threat situation. In order to make the requirements of the guidelines effective, this specific threat situation must be taken into account. Generic templates cannot comprehensively cover the individual risks and therefore may not provide sufficient protection.

Prices and advice

Let us work with you to develop customised ISMS guidelines that are tailored precisely to your needs. By using our templates, we can quickly define the required guidelines and processes, leaving more time to implement the described requirements.
Let's talk

Over 500 satisfied customers

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

Munich Airport

Frequently asked questions about ISMS policies

An ISMS guideline is an overarching, strategic document in which the framework conditions, principles and measures for the protection of information within an organisation are defined. In addition to the why, i.e. the motivation for information security, the objective, the scope of application and the framework conditions for achieving the defined objectives (required roles and responsibilities, principles, etc.) are described.

In addition to an ISMS guideline, which normally does not define any specific requirements but merely describes the basic framework for establishing an ISMS, there are usually several guidelines on the various subject areas with specific requirements.

Templates provide a starting point by containing the essential topics required by a standard. They are then customised to the specific requirements of your company.

By customising policies, company-specific framework conditions (including the intended security level, the individual threat situation and other important factors) can be taken into account appropriately.

Thanks to our many years of experience in numerous consulting projects, we have a constantly growing pool of templates at our disposal. The policies customised by our consultants are regularly reviewed as part of audits, continuously developed and kept up to date with the latest technology.

As a security boutique, our aim is to develop effective, customised processes and guidelines. Of course, we do not constantly reinvent the wheel and draw on our set of templates for security guidelines and processes. However, in our opinion, added value is only created when the security guidelines and specifications cover the desired level of security, the cost-benefit ratio of the defined specifications is appropriate and the rules they contain are understandable for the target group. A template cannot provide this added value, which is why we rely on the expertise of our consultants.

Unfortunately, a generalised answer is not possible here. Isolated documents (e.g. information security guidelines, guidelines for information classification, risk management processes) can be created and finalised in around 5 days. For more complex topics such as a guideline on secure IT operations or a guideline on secure software development, up to 10 days. Please contact us so that we can understand your individual requirements and prepare a customised offer for you.

ISMS stands for Information Security Management System. It is a management system designed to protect the confidentiality, integrity and availability of information.

BCMS stands for Business Continuity Management System. The aim of a BCMS is to ensure the maintenance or continuation of business operations - even or especially in the event of disruptions.

A BCMS (Business Continuity Management System) focuses on reducing the probability of business interruptions on the one hand, but also on being able to continue operating time-critical business processes and workflows in the event of disruptions on the other. An ISMS focusses on the availability, confidentiality and integrity of (electronic, but also physical) information.

The ISMS guideline is the overarching document that describes the scope of the ISMS, its objectives and the underlying strategy.

An ISMS is an umbrella term for all processes, procedures and responsibilities for ensuring the confidentiality, availability and integrity of information. This includes the following components:

  1. Responsibilities: All roles required for the operation of the ISMS must be defined. These include in particular
    • Top management: Overall responsibility for information security
    • Information security officer: Responsibility for establishing and continuously developing the ISMS.
    • Asset manager: Responsibility for the security of the systems and assets operated.
    • Employees: responsible for ensuring that security is practised in day-to-day operations.
  2. Security processes and guidelines: Definition of all necessary security guidelines (e.g. use of IT systems, handling of information, physical security or for the secure operation of IT systems, ...) and processes (security incident management process, information security risk management process, ...).
  3. Risk management: Identification and evaluation of the most important assets for the company and the relevant risks. It is important to invest limited resources in the treatment of the greatest risks so that they can be used in a targeted manner.
  4. Training and awareness: The effectiveness of security stands and falls with correct behaviour. It is therefore essential that all employees are aware of the security guidelines, procedures and best practices.
  5. Monitoring and review: The ISMS must be regularly scrutinised and reviewed - e.g. with the help of key performance indicators or in the form of internal audits.
  6. Continuous improvement: Identification of opportunities for improvement and implementation of measures for the continuous development of the ISMS.

Some companies are legally obliged to set up an ISMS and regularly demonstrate its effectiveness. These include, for example, operators of critical infrastructures (KRITIS) and companies in the aviation security sector. More and more customers expect their partners or service providers to establish an ISMS to ensure security along the value chain.

With over 50 highly qualified cyber security experts and more than 20 years of experience, we support 500+ satisfied customers - including 50% of DAX companies and hundreds of medium-sized companies.

In addition, we have already sensitised over 1 million employees, managers, administrators and developers with our awareness training courses.

We are convinced that the values of our society must also be protected in cyberspace. That is why we help organisations to protect themselves with the right combination of technologies, processes and people.

In concrete terms, this means

  • We make individual risks and threats tangible and understandable (Identify)
  • We increase resilience to cyber attacks through targeted measures (Protect)
  • We develop concepts to recognise cyber attacks promptly (Detect)
  • We limit the damage caused by cyber attacks through good preparation and a professional response (Respond)
  • We help companies to get back up and running quickly after an attack (Recover)

In all of this, we take the approach of transferring successful cyber security strategies from corporate groups to SMEs with a sense of proportion and pragmatism, using high-quality best practices and standards.

In short: we see ourselves as a "boutique" and deliver class instead of mass.

Convinced? Let's tackle it together!