Knowledge & Practice
Practical knowledge for CISOs, IT managers, and executives

NIS2 for SMEs: What You Need to Know and What to Do Now
Since December 2025, NIS2 applies in Germany as well. For mid-market companies with 50 or more employees or over EUR 10 million in revenue, this me...

NIS2 Initial Report to the BSI: Content, Deadlines, and Template
The NIS2 initial report must reach the BSI within 24 hours. This article shows you what mandatory information the report must contain, when an inci...

NIS2 Reporting Deadlines at a Glance: 24h, 72h, 1 Month — What Is Due When
NIS2 requires three reporting stages for security incidents: initial report within 24 hours, update after 72 hours, and final report after one mont...

NIS2 Fines: Who Is Liable and How High Are the Penalties?
NIS2 brings significant fines and personal liability for management. Up to EUR 10 million or 2% of global annual revenue for violations. We explain...

NIS2 vs. ISO 27001: Differences, Similarities, and How Both Fit Together
NIS2 is a law, ISO 27001 is a standard. Both require an ISMS, but with different focus areas. This article shows you where requirements overlap, wh...

Which Frameworks Do I Need? NIS2, ISO 27001, BSI IT-Grundschutz, TISAX Compared
Six frameworks, six different approaches — but which one do you actually need? This article compares NIS2, ISO 27001, BSI IT-Grundschutz, TISAX, BS...

Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
Building an ISMS sounds like a mammoth project. This guide shows you step by step how to introduce an information security management system based ...

Defining the Scope: What Belongs in the ISMS and What Does Not?
The scope is the foundation of every ISMS. If you define it incorrectly, you are building on sand. This article shows you step by step how to prope...

Creating a Statement of Applicability (SoA): Selecting and Justifying Controls
The SoA is the centerpiece of your ISMS. Learn how to systematically evaluate ISO 27001 Annex A controls, justify applicability, and document imple...

Key ISMS Roles: ISM, CISO, Risk Owner – Who Does What?
ISM, CISO, risk owner, asset owner – an ISMS depends on clearly assigned responsibilities. This article shows which roles you need, what each role ...

NIS2 for Food Manufacturers and Wholesale Distributors
The food industry is classified as a sector of high criticality under NIS2. Cold chains, ERP systems, inventory management, and HACCP interfaces cr...

Writing an Information Security Policy: Structure, Content, and Example
The information security policy is the foundation of every ISMS. This guide shows you the structure, mandatory content per ISO 27001, sample wordin...

Creating a Password Policy: Requirements, Example, and Enforcement
A password policy is among the most fundamental documents of any ISMS. This article shows you what BSI and NIST currently recommend, how to formula...

Mobile Device Usage Policy (BYOD/MDM)
Mobile devices are indispensable in today's work environment but bring significant security risks. This article explains the differences between BY...

Access Control Policy: Physical and Logical
Physical and logical access control form the foundation of every ISMS. This article explains the difference between physical and logical controls, ...

Policy Lifecycle: From Creation to Retirement
Writing policies is only the beginning. To remain effective, they need a defined lifecycle: drafting, review, approval, publication, acknowledgment...

Risk Assessment in the ISMS: Methodology, Matrix, and Practical Example
The risk assessment is the heart of every ISMS. This article shows you step by step how to conduct a qualitative risk assessment with a 5x5 matrix,...

Risk Treatment: Mitigate, Accept, Transfer, or Avoid
After the risk assessment comes the decisive question: What now? This article explains the four treatment options in an ISMS, demonstrates with pra...

Top 10 Information Security Risks for Mid-Market Companies
Which information security risks hit SMEs the hardest? This article analyzes the ten most common risks with likelihood, typical impact, and concret...

Detecting, Assessing, and Reporting a Security Incident – The Complete Process
Ransomware encrypts the network, an employee clicks a phishing link, the monitoring system raises an alarm – and then? This article describes the c...

Your First 100 Days as a CISO (Information Security Officer): Priorities, Quick Wins, and Pitfalls
You've just taken on the role of CISO (Information Security Officer) and are wondering where to start? This article gives you a concrete roadmap for yo...

Reporting a GDPR Data Breach: When, How, and to Whom
72 hours. That is how much time you have to report a notifiable data breach to the supervisory authority. This article explains when a data breach ...

Data Sovereignty in Your ISMS: Why Your Risk Register Doesn't Belong in the Cloud
Your ISMS contains the most sensitive data in your organization: vulnerabilities, risk registers, incident details, audit reports. Entrusting this ...

CLOUD Act, Schrems II, and Your ISMS: What You Need to Know About US Government Data Access
The CLOUD Act gives US authorities access to data held by US providers, regardless of where the servers are located. Schrems II blew up the foundat...

Vendor Lock-in in Compliance Software: How to Keep Control of Your ISMS
Proprietary data formats, missing export functions, opaque contract terms: vendor lock-in is a real risk in compliance software with costly consequ...

SaaS vs. Self-Hosted: The True Cost of Compliance Software Over 5 Years
License costs are just the tip of the iceberg. This article calculates what SaaS compliance tools and self-hosted solutions actually cost over five...

ISMS Audit and Data Storage: Why the Auditor Wants to Know Where Your Data Resides
In the certification audit, the auditor asks not only about policies and processes but also about where your ISMS data actually resides. Cloud sub-...

Self-Hosted ISMS with Docker: Setup, Backup, and Maintenance in Practice
ISMS Lite runs with a single command on your own server. This article shows you the complete setup with Docker Compose, explains the architecture b...

GDPR-Compliant ISMS Hosting: Requirements for Storing Your Compliance Data
An ISMS tool processes personal data: names of risk owners, training participants, auditors. This brings it under the DSGVO (GDPR). This article sh...

Your Company's Crown Jewels: Why ISMS Data Needs Special Protection
Your ISMS documents every vulnerability, every open control status, and every risk assessment in your organization. For an attacker, that is more v...

Creating an Incident Response Plan: Template and Practical Example
An incident response plan describes who does what during a security incident, in what order, and with what resources. This article provides the com...

NIS2 and Data Sovereignty: What the Directive Says About Controlling Your Data
NIS2 demands not only technical security, but also sets requirements for control over your data and supply chains. This article shows how data sove...

Securing ISMS Data: Backup Strategy for Self-Hosted Compliance Systems
If your ISMS runs self-hosted, you bear the responsibility for data backup. This article shows you how to build a backup strategy for database and ...

From the Cloud to Your Own Server: ISMS Migration Without Data Loss
More and more companies are switching from cloud ISMS solutions to self-hosted systems. Reasons range from uncontrollable cost increases and compli...

ISMS Without Cloud Dependency: Why Offline Capability Is Not a Relic
Your auditor is on-site, the Wi-Fi goes down, and your cloud ISMS is unreachable. Or your production environment deliberately has no internet acces...

Digital Sovereignty for SMEs: More Than a Political Buzzword
Digital sovereignty sounds like EU summits and position papers. But behind it lies a very concrete question for every company: who controls your da...

ISMS for MSPs: Why Self-Hosted Per Customer Is the Better Architecture
Multi-tenancy sounds efficient — until a single breach affects all customer data. For Managed Service Providers offering ISMS as a service, one ins...

Encrypting ISMS Data: At Rest, In Transit, and In Backups
ISMS data is among the most sensitive information in any organization: vulnerability analyses, risk registers, audit reports. This article shows ho...

Creating a Recovery Plan: Guide with Template for SMEs
A recovery plan defines how you systematically bring business operations back online after an outage. This article shows you the structure, explain...

Conducting a Business Impact Analysis (BIA): Evaluating Business Processes
The Business Impact Analysis identifies your critical business processes and assesses the impact of an outage. This article shows you how to conduc...

IT Emergency Handbook: Structure, Content, and PDF Template
The IT emergency handbook bundles all the information you need in an emergency: escalation chains, contact lists, reporting paths, and response pla...

Planning and Conducting a Tabletop Exercise: How to Test Your Emergency Plan
A tabletop exercise tests your emergency plan without touching any systems. Participants walk through a scenario at the table and uncover gaps that...

Backup Strategy and Restore Tests: Because Backups Alone Are Not Enough
A backup without a restore test is a gamble. This article explains the 3-2-1 rule, backup types, retention periods, immutable backups against ranso...

Conducting an Internal ISMS Audit: Planning, Checklist, and Report
An internal audit is not a tedious formality — it is your most powerful tool for finding weaknesses in the ISMS before an external auditor does. Th...

Management Review per ISO 27001: Agenda, KPIs, and Minutes
The management review is the moment when top management puts its ISMS to the test. Not the IT department, not the ISO — top management. This articl...

Evaluating Audit Findings and Deriving Actions
An audit finding is just the beginning. The real value emerges only when you correctly assess the finding, analyze the root cause, and define a cor...

Creating a Record of Processing Activities (ROPA) per Art. 30 DSGVO (GDPR)
A record of processing activities per Art. 30 DSGVO (GDPR) is mandatory for almost every organization. This article shows you which details are req...

Documenting Technical and Organizational Measures (TOMs)
TOMs per Art. 32 DSGVO (GDPR) are the backbone of any data protection documentation. This article explains the 8 classic TOM categories, provides c...

Data Processing Agreements: How to Review DPAs and Assess Service Providers
A DPA (Data Processing Agreement) is quickly signed but rarely thoroughly reviewed. This article shows you when data processing on behalf of a cont...

Creating an Access Control Concept: Roles, Permissions, and Approval Workflow
An access control concept defines who may access which systems and data. Without it, there is no control over which employees actually hold which p...

User Lifecycle: Managing Onboarding, Offboarding, and Role Changes
When a new employee starts, they need access to all relevant systems on day one. When someone leaves the company, all accounts must be deactivated ...

IT Asset Management for the ISMS: Inventory, Criticality, and Classification
An ISMS without an asset inventory is like an insurance policy that never states what it insures. This article shows you how to build a complete ...

Protection Needs Assessment: Evaluating Confidentiality, Integrity, and Availability
The protection needs assessment is the link between the asset inventory and the risk assessment. This article explains the BSI methodology, the thr...

Building a Security Awareness Program: What Employees Really Need to Know
Technical safeguards alone are not enough when employees click on phishing emails or write passwords on sticky notes. A well-designed security awar...

Training Records in the ISMS: What Must Be Documented
Conducting training is one thing. Documenting it so that the auditor is satisfied and the records are still traceable three years later is another....

Ransomware Attack: Immediate Response, Communication, and Recovery
When ransomware strikes, every minute counts. The decisions made in the first half hour determine whether damage stays contained or the entire orga...

Phishing Detection and Reporting: A Practical Guide for Employees and IT
Phishing is the number one attack vector, and attacks are becoming increasingly sophisticated. This practical guide shows how employees can reliabl...

Implementing Multi-Factor Authentication (MFA): Strategy, Rollout, and User Adoption
MFA is one of the most effective defenses against compromised credentials and is listed as one of the ten minimum measures under NIS2. Yet many org...

Network Segmentation for SMEs: Why and How to Partition Your Network
A flat network is like a building without fire doors: once an attacker is in, they can move freely. Network segmentation limits the blast radius, p...

Patch Management for Mid-Market Companies: Process, Prioritization, and Automation
Unpatched systems are the wide-open barn door of IT security. Yet many mid-market companies struggle with a structured patch process: too many syst...

Email Security: Setting Up SPF, DKIM, DMARC, and Encryption Correctly
Email is the most common attack vector for cyberattacks on businesses. Phishing, spoofing, and business email compromise can be significantly thwar...

Zero Trust for Mid-Market Companies: Implementing the Principles Without an Enterprise Budget
Zero Trust is not a product you buy but an architectural principle you implement step by step. Even without a six-figure budget, you can embed the ...

Secure Remote Work: VPN, Endpoint Security, and Policies for Home Offices
Home offices and remote work are part of everyday life, but many companies' security concepts are still designed for the office. This article cover...

Encryption in the Enterprise: What, Where, and How to Encrypt
Encryption is one of the ten NIS2 minimum measures and a central building block of every ISMS. But what exactly needs to be encrypted, which algori...

Securing Active Directory: The 10 Most Important Measures
Active Directory is the heart of virtually every Windows environment and therefore the primary target in cyberattacks. Whoever controls AD controls...

Logging and Monitoring: What You Should Log and Why
Without logs, you're blind. Without monitoring, you're deaf. And without both, you only find out something happened when it's too late. This articl...

NIS2 for IT Service Providers and MSPs: The Dual Role as Affected Party and Advisor
IT service providers and Managed Service Providers face a unique challenge under NIS2: They are directly affected and must simultaneously support t...

NIS2 for Mechanical Engineering and Manufacturing
The manufacturing sector is among those regulated by NIS2 through Annex II. For mechanical engineers, this means: OT security, IT/OT convergence, a...

NIS2 for Logistics and Transportation: Requirements and Implementation
Transport and logistics are among the sectors of high criticality under NIS2 (Annex I). Freight forwarders, logistics centers, and transportation c...

NIS2 for Healthcare: Hospitals, Laboratories, and Medical Technology
Healthcare is classified as a sector of high criticality under NIS2. Hospitals, laboratories, pharmaceutical companies, and medical device manufact...

NIS2 for Energy Suppliers and Municipal Utilities
Energy is classified as a sector of high criticality under NIS2 and is therefore subject to the strictest requirements. For municipal utilities and...

TISAX Certification: Requirements, Process, and Assessment for Automotive Suppliers
TISAX is the information security standard of the automotive industry and a prerequisite for working with OEMs like VW, BMW, or Mercedes. This arti...

IT Security for Skilled Trades and Small Businesses Under 50 Employees
Even without NIS2 obligations, skilled trades and small businesses face daily cyber threats. Ransomware hits a small electrical contractor just as ...

Choosing ISMS Software: What Matters in the Evaluation
Excel spreadsheets, SharePoint folders, or a specialized ISMS tool? Anyone running an information security management system will sooner or later f...

Self-Hosted vs. Cloud: Data Sovereignty in Compliance Software
Compliance software manages the most sensitive data in an organization: risk assessments, security vulnerabilities, audit results. Where this data ...

What Does an ISMS Cost? Realistically Estimating Budget, Effort, and ROI
Building an ISMS costs money, time, and attention. But how much exactly? This article breaks down the cost factors, provides realistic budget range...

CISO: External or Internal? Pros and Cons for Mid-Market Companies
The Information Security Officer is the central figure in the ISMS. But does it have to be a dedicated employee, or can an external service provide...

ISO 27001 Certification: Process, Costs, and Effort for SMEs
ISO 27001 certification is achievable for SMEs when the process is clear and costs are planned realistically. This article explains the entire cert...

Cybersecurity as a Competitive Advantage: Why Customers Are Asking
Cybersecurity has long ceased to be a purely IT topic. More and more customers and clients demand verifiable evidence before awarding contracts. Or...

NIS2 Implementation on a Limited Budget: Setting Pragmatic Priorities
No dedicated security team, no six-figure budget, and still need to become NIS2-compliant? It's possible. This article shows how to prioritize the ...

ISMS Documentation: Which Documents You Actually Need (and Which You Don't)
Documentation is the backbone of every ISMS. But between mandatory documents per ISO 27001, recommended evidence, and unnecessary paperwork, there'...

NIS2 Checklist: All Requirements at a Glance
NIS2 confronts organizations with a multitude of requirements: registration, ten minimum measures, reporting obligations, governance, supply chain ...

Securing Microsoft 365: The 15 Most Important Security Settings
Microsoft 365 is run out-of-the-box in most companies, yet the default settings are far from secure. This article describes the 15 most important s...