Tailored to your needs

Customized ISMS Policy Templates

Custom Templates for your ISMS and BCMS

Compliant with ISO 27001, TISAX®, KRITIS and NIS-2

Tested, proven and always up-to-date.

500+ customers place their trust in us – from startups to large companies

You might think:

"We'll just use a few templates"

If only it were this easy! Guidelines and policies are like the highway code of information security. All the various standards and laws such as ISO 27001, TISAX®, BSI IT-Grundschutz, KRITIS, NIS2 and others require a whole host of general as well as topic-specific guidelines.

These policies define the individual rules within an organization and declare them to be binding. None of this works with off-the-shelf templates, because:


An ISMS according to ISO 27001 should adapt to your company, not the other way round.

More than policy templates: Let's tackle it together!

Benefit from our many years of expertise in setting up information security management systems (ISMS) and preparing certification for companies of all sizes. Here are some of the biggest challenges:

Approach and structure

Where do you actually start? Which resources do you require? We take you by the hand and support you in introducing and implementing an ISMS in accordance with ISO 27001, TISAX® and KRITIS, including a gap analysis, policy creation, an internal audit and professional preparation for your certification, drawing on our in-house expertise as ISMS auditors.

Scope for interpretation

ISO 27001 leaves a lot of room for interpretation: standards like this mainly describe what needs to be implemented, but not how this should be done. Our added value: we are ISMS auditors ourselves and know what actually matters. We translate unwieldy standards into concrete measures. Our aim is to define effective processes and policies while remaining pragmatic.

Resources and prioritisation

From our experience, we can say that many ISO experts tend to specialize only in certain areas such as policies, IT systems or awareness. However, we're convinced that all three of these areas are fundamental for successful and sustainable certification. As your partner, we are at your side with a high level of expertise in each of these areas.

Preparation for certification

We offer you truly professional preparation for ISO 27001, TISAX®, KRITIS and DVO 2019/1583 certification: As we work as ISMS auditors for certification bodies ourselves, we know exactly what's important from the field. This enables us to prepare you specifically and make successful certification a matter of course.

Our customized templates for ISMS policies

We have practical templates for almost all relevant areas that have all been used in certified companies for years. There is no need to reinvent the wheel. The most efficient way is to use our templates and adapt them to your company's specifics. The following policy templates can be used on request as part of our consulting services:


ISMS Documentation

  • Scope document
  • ISMS KPIs Catalogue
  • Management report
  • Document control
  • Security policy or guideline

Target group 'employees'

  • Policy on the Acceptable Use of IT Systems
  • Information classification

Specific topics

  • Security for mobile working
  • Physical security
  • Security in dealing with service providers and suppliers
  • Personnel security

IT-specific

  • Incident management
  • IT admin policy or secure IT operations
  • Backup concept
  • IAM & access control
  • Secure software development
  • Security concepts for KRITIS systems
  • Vulnerability management process description
  • Cloud policy

BCM / crisis management

  • IT Emergency Management Manual
  • Crisis Management Manual
  • BCMS concept
  • Emergency concept
  • Ransomware checklist


Our motto for policies

The defined rules have to be effective (achieve the desired level of security), economical (have a reasonable cost-benefit ratio) and attractive (are easy to understand and fit in with the corporate culture).

Why customized ISMS policies are important

Consideration of culture

Every organization is unique with its very own company culture. Factors such as business purpose, industry, company size and the level of development of management systems play a decisive role in defining suitable security measures. While generic policy templates are cost-effective, they often do not do justice to the specific requirements and circumstances of your organisation.

Different starting positions

The motivations for more information security vary greatly between companies and sectors. In addition to their own motivation, legal requirements such as KRITIS, NIS-2 or customer expectations often play an important role. Generic policy templates rarely cover the specific conditions of a company in a meaningful way, and the effort required to customize them to your individual needs remains.

Individual threat situation

Every organisation has its own unique threat situation depending on the size, industry and existing infrastructure. In order to make the requirements of your guidelines most effective, this specific threat situation must be taken into consideration. Generic templates may be inefficient while not comprehensively covering the individual risks and therefore not providing sufficient protection.


Pricing and consultation

Let us work with you to develop customized ISMS guidelines that are tailored precisely to your needs. By using our templates, we can quickly define the required guidelines and processes, leaving more time to implement the defined requirements.


Frequently asked questions about ISMS policies

An ISMS guideline is an overarching, strategic document in which the framework conditions, principles and measures for the protection of information within an organisation are defined. In addition to the why, i.e. the motivation for information security, the objective, the scope of application and the framework conditions for achieving the defined objectives (required roles and responsibilities, principles, etc.) are described.

In addition to an ISMS guideline, which normally does not define any specific requirements but merely describes the basic framework for establishing an ISMS, there are usually several guidelines on the various subject areas with specific requirements.

Templates provide a starting point by containing the essential topics required by a standard. They are then customised to the specific requirements of your company.

By customising policies, company-specific framework conditions (including the intended security level, the individual threat situation and other important factors) can be taken into account appropriately.

Thanks to our many years of experience in numerous consulting projects, we have a constantly growing pool of templates at our disposal. The policies customised by our consultants are regularly reviewed as part of audits, continuously developed and kept up to date with the latest technology.

As a security boutique, our aim is to develop effective, customised processes and guidelines. Of course, we do not constantly reinvent the wheel and draw on our set of templates for security guidelines and processes. However, in our opinion, added value is only created when the security guidelines and specifications cover the desired level of security, the cost-benefit ratio of the defined specifications is appropriate and the rules they contain are understandable for the target group. A template cannot provide this added value, which is why we rely on the expertise of our consultants.

Unfortunately, a generalised answer is not possible here. Isolated documents (e.g. information security guidelines, guidelines for information classification, risk management processes) can be created and finalised in around 5 days. More complex topics such as a guideline on secure IT operations or a guideline on secure software development can take up to 10 days. Please contact us so that we can understand your individual requirements and prepare a customised offer for you.

ISMS stands for Information Security Management System. It is a management system designed to protect the confidentiality, integrity and availability of information.

BCMS stands for Business Continuity Management System. The aim of a BCMS is to ensure the maintenance or continuation of business operations - even or especially in the event of disruptions.

A BCMS (Business Continuity Management System) focuses on reducing the probability of business interruptions on the one hand, but also on being able to continue operating time-critical business processes and workflows in the event of disruptions on the other. An ISMS focusses on the availability, confidentiality and integrity of (electronic, but also physical) information.

The ISMS guideline is the overarching document that describes the scope of the ISMS, its objectives and the underlying strategy.

An ISMS is an umbrella term for all processes, procedures and responsibilities for ensuring the confidentiality, availability and integrity of information. This includes the following components:

Responsibilities: All roles required for the operation of the ISMS must be defined. These include in particular:

  • Top management: overall responsibility for information security
  • Information security officer: responsibility for establishing and continuously developing the ISMS
  • Asset manager: responsibility for the security of the systems and assets operated
  • Employees: responsible for ensuring that security is practised in day-to-day operations

Security processes and guidelines: Definition of all necessary security guidelines (e.g. use of IT systems, handling of information, physical security or secure operation of IT systems, ...) and processes (security incident management process, information security risk management process, ...).

Risk management: Identification and evaluation of the most important assets for the company and the relevant risks. It is important to invest limited resources in the treatment of the greatest risks so that they are used in a targeted manner.

Training and awareness: The effectiveness of security stands and falls with correct behaviour. It is therefore essential that all employees are aware of the security guidelines, procedures and best practices.

Monitoring and review: The ISMS must be regularly scrutinised and reviewed - e.g. with the help of key performance indicators or in the form of internal audits.

Continuous improvement: Identification of opportunities for improvement and implementation of measures for the continuous development of the ISMS.

Some companies are legally obliged to set up an ISMS and regularly demonstrate its effectiveness. These include, for example, operators of critical infrastructures (KRITIS) and companies in the aviation security sector. More and more customers expect their partners or service providers to establish an ISMS to ensure security along the value chain.

With over 50 highly qualified cyber security experts and more than 20 years of experience, we support 500+ satisfied customers - including 50% of DAX companies and hundreds of medium-sized companies.

In addition, we have already sensitised over 1 million employees, managers, administrators and developers with our awareness training courses.

We are convinced that the values of our society must also be protected in cyberspace. That is why we help organisations to protect themselves with the right combination of technologies, processes and people.

In concrete terms, this means:

  • We make individual risks and threats tangible and understandable (Identify)
  • We increase resilience to cyber attacks through targeted measures (Protect)
  • We develop concepts to recognise cyber attacks promptly (Detect)
  • We limit the damage caused by cyber attacks through good preparation and a professional response (Respond)
  • We help companies to get back up and running quickly after an attack (Recover)

In all of this, we take the approach of transferring successful cyber security strategies from corporate groups to SMEs with a sense of proportion and pragmatism, using high-quality best practices and standards.

In short: we see ourselves as a "boutique" and deliver class instead of mass.

Convinced? Let's tackle it together!
