Best practice approach

Establish an ISMS according to NIS-2

   Benefit from 20+ years of experience

   Become compliant with NIS-2 efficiently

   Helping you to help yourself

Talk to our experts

500+ customers place their trust in us – from startups to large companies

Your goal

You want to establish an Information Security Management System (ISMS) - not only to protect your company data, but also to meet the requirements of NIS-2 legislation.

Our service

We work with you to design a company-specific ISMS, establish necessary processes and guidelines and anchor them in the company. When completed, we leave you not only with documents, but with a great deal of know-how.

The result

The basic features of your ISMS are established and you are compliant with the requirements of NIS-2. You know everything a Chief Information Security Officer (CISO) needs to operate and further optimize the established ISMS.

The steps to your ISMS according to NIS-2

1. NIS-2 Gap Analysis

The first step is an NIS-2 gap analysis. Through a mixture of document review and interview sessions with the relevant departments, our experienced consultants assess and evaluate the status of your current implementation based on the requirements of NIS-2.

This NIS-2 gap analysis gives you and us a clear picture and enables us to realistically estimate the implementation effort, clearly structure the project and define the necessary work packages.

If you have already carried out a gap analysis, we will work with this and will not carry it out again.

  Where are you currently?

2. Establish framework

Once we have identified the fields of action, we work with you to create the framework and foundation for a functioning ISMS that meets the requirements of NIS-2:

  • We define the scope, based on the requirements of your stakeholders (e.g. management, parent company, client or business contacts).
  • We define and establish the security policy and objectives.
  • We clarify the required security organization including roles, committees and their responsibilities.
  • We create the necessary project organization for setting up the ISMS.

  Creating the right basis!

3. Set up guidelines

We can only achieve the defined information security objectives by establishing clear and unambiguous rules. We define these “rules” in various guidelines, both for the entire workforce within the scope of the ISMS and for specific areas or target groups (e.g. IT admins, software development, purchasing, human resources or facility management).

We do not reinvent the wheel here, but use our numerous templates, which have already been successfully tested in practice for several years and are regularly updated so that they always correspond to the state of the art.

We coordinate the guidelines with the necessary people in the specialist departments and integrate them into the relevant business areas.

  No ISMS without clear guidelines

4. Information Security Risk Management

Information security risk management (InfoSec risk management) is at the heart of an effective ISMS in accordance with NIS-2, as it helps you to distinguish the important from the unimportant and always proceed pragmatically.

We work with you to create the necessary structural and procedural organization to record, evaluate, handle (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.

If you already have a risk management system or your own risk management approach in your company, we will build on this and add any missing relevant aspects of NIS-2.

  Identify risks and derive measures

5. Implement measures

Now it's time to implement the defined measures. In this phase, we provide very targeted coaching and also support you as required in the event of any resource bottlenecks. It is important to us to prepare you or a member of your team in the best possible way for the tasks of an Information Security Officer.

During implementation, we attach great importance to practicable solutions, i.e. to ensuring that the measures

  • contribute to achieving the desired level of security,
  • are economical and feasible and
  • meet the requirements of NIS-2.

  Eliminate deficits and implement requirements

6. Internal audit

To check the effectiveness of the established ISMS, internal ISMS audits should be carried out regularly. Among other things, they put the effectiveness of the established ISMS to the test.

Added value of internal ISMS audits:

  • A statement on the effectiveness and maturity level of the ISMS.
  • Technical and organizational weaknesses can be identified in a structured manner.

  Let's see how good the work is that we have done so far

7. Provision of proof

Do you have to provide proof that the NIS-2 requirements have been implemented? The short answer is “it depends”. But what does it actually depend on?

  • Operators of critical infrastructures (which also count as “essential entities”) must provide evidence of the implementation of the requirements every 3 years (typically in the form of audits, tests or relevant certifications such as ISO 27001), and the results of these tests must be submitted to the BSI.
  • Other essential entities do not currently have to provide regular evidence. However, the BSI has the right to demand corresponding proof of implementation or to check compliance with the requirements.
  • There are also currently no regular verification obligations for important entities. Here too, the BSI reserves the right to check the implementation of the requirements.

  The reward for the work - give me the proof

Want our help to help yourself?

Let's get to know each other in a web meeting and talk about your situation and goals. We will show you how we have helped in similar customer situations.

Yes, let's talk
