Blog
Knowledge & Practice
Practical knowledge for CISOs, IT managers, and executives

NIS2 for SMEs: What You Need to Know and What to Do Now
Since December 2025, NIS2 applies in Germany as well. For mid-market companies with 50 or more employees or over EUR 10 million in revenue, this me...

NIS2 Initial Report to the BSI: Content, Deadlines, and Template
The NIS2 initial report must reach the BSI within 24 hours. This article shows you what mandatory information the report must contain, when an inci...

NIS2 Reporting Deadlines at a Glance: 24h, 72h, 1 Month — What Is Due When
NIS2 requires three reporting stages for security incidents: initial report within 24 hours, update after 72 hours, and final report after one mont...

NIS2 Fines: Who Is Liable and How High Are the Penalties?
NIS2 brings significant fines and personal liability for management. Up to EUR 10 million or 2% of global annual revenue for violations. We explain...

NIS2 vs. ISO 27001: Differences, Similarities, and How Both Fit Together
NIS2 is a law, ISO 27001 is a standard. Both require an ISMS, but with different focus areas. This article shows you where requirements overlap, wh...

Which Frameworks Do I Need? NIS2, ISO 27001, BSI IT-Grundschutz, TISAX Compared
Six frameworks, six different approaches — but which one do you actually need? This article compares NIS2, ISO 27001, BSI IT-Grundschutz, TISAX, BS...

Building an ISMS: The Complete Guide for Companies with 50 to 500 Employees
Building an ISMS sounds like a mammoth project. This guide shows you step by step how to introduce an information security management system based ...

Defining the Scope: What Belongs in the ISMS and What Does Not?
The scope is the foundation of every ISMS. If you define it incorrectly, you are building on sand. This article shows you step by step how to prope...

Creating a Statement of Applicability (SoA): Selecting and Justifying Controls
The SoA is the centerpiece of your ISMS. Learn how to systematically evaluate ISO 27001 Annex A controls, justify applicability, and document imple...

Key ISMS Roles: ISM, CISO, Risk Owner – Who Does What?
ISM, CISO, risk owner, asset owner – an ISMS depends on clearly assigned responsibilities. This article shows which roles you need, what each role ...

DDoS Attack Scenario: When Your Website and Services Are No Longer Reachable
The website is down, the customer portal is unresponsive, the phone system is glitching. A DDoS attack takes your public-facing services offline, a...

NIS2 for Food Manufacturers and Wholesale Distributors
The food industry is classified as a sector of high criticality under NIS2. Cold chains, ERP systems, inventory management, and HACCP interfaces cr...

NIS2 for the Chemical Industry: Specifics and OT Security
The chemical industry faces unique challenges under NIS2: process control systems that run 24/7, the Major Accident Ordinance (Störfall-Verordnung)...

NIS2 for Waste Management and Disposal Companies
Waste management is a regulated sector under NIS2 as part of critical infrastructure. Logistics IT, route planning, weighbridge systems, and electr...

NIS2 for Data Centers and Cloud Providers
Data centers and cloud providers are listed under NIS2 as digital infrastructure in Annex I and thus regulated as essential entities. BSI C5, physi...

NIS2 for Postal and Courier Service Providers
Postal and courier services are listed as a sector of high criticality in NIS2 Annex I. Tracking systems, logistics IT, parcel lockers, and sorting...

NIS2 for Water Suppliers and Wastewater Operators
Drinking water supply and wastewater disposal are listed as sectors of high criticality in NIS2 Annex I. SCADA systems, remote control technology, ...

NIS2 for Research Institutions and Universities
Research institutions face unique NIS2 challenges: open networks designed to enable collaboration, intellectual property that is highly attractive ...

ISO 27001 A.5.1: Setting Up Information Security Policies the Right Way
Control A.5.1 forms the foundation of the entire Annex A: Without a documented information security policy and subordinate topic-specific policies,...

ISO 27001 A.5.23: Using Cloud Services Securely
Control A.5.23 is one of the new controls in ISO 27001:2022 and addresses a topic that is already everyday reality for most companies: the use of c...

Writing an Information Security Policy: Structure, Content, and Example
The information security policy is the foundation of every ISMS. This guide shows you the structure, mandatory content per ISO 27001, sample wordin...

ISO 27001 A.5.29-30: Business Continuity in the Context of Information Security
Business continuity management and information security are often treated separately, even though they are inseparable. Controls A.5.29 and A.5.30 ...

Creating a Password Policy: Requirements, Example, and Enforcement
A password policy is among the most fundamental documents of any ISMS. This article shows you what BSI and NIST currently recommend, how to formula...

Mobile Device Usage Policy (BYOD/MDM)
Mobile devices are indispensable in today's work environment but bring significant security risks. This article explains the differences between BY...

Access Control Policy: Physical and Logical
Physical and logical access control form the foundation of every ISMS. This article explains the difference between physical and logical controls, ...

Policy Lifecycle: From Creation to Retirement
Writing policies is only the beginning. To remain effective, they need a defined lifecycle: drafting, review, approval, publication, acknowledgment...

Risk Assessment in the ISMS: Methodology, Matrix, and Practical Example
The risk assessment is the heart of every ISMS. This article shows you step by step how to conduct a qualitative risk assessment with a 5x5 matrix,...

Risk Treatment: Mitigate, Accept, Transfer, or Avoid
After the risk assessment comes the decisive question: What now? This article explains the four treatment options in an ISMS, demonstrates with pra...

Top 10 Information Security Risks for Mid-Market Companies
Which information security risks hit SMEs the hardest? This article analyzes the ten most common risks with likelihood, typical impact, and concret...

Detecting, Assessing, and Reporting a Security Incident - The Complete Process
Ransomware encrypts the network, an employee clicks a phishing link, the monitoring system raises an alarm - and then? This article describes the c...

ISMS in 6 Months: A Realistic Experience Report
A mid-market IT service provider with 100 employees builds its ISMS. This fictional but realistic project report shows month by month what worked, ...

From Excel ISMS to Tool: Migration Guide Without Data Loss
You're managing your ISMS in Excel spreadsheets and noticing it no longer scales? This migration guide shows you step by step how to cleanly transf...

Your First 100 Days as a CISO (Information Security Officer): Priorities, Quick Wins, and Pitfalls
You've just taken on the role of CISO (Information Security Officer) and are wondering where to start? This article gives you a concrete roadmap for yo...

Reporting a GDPR Data Breach: When, How, and to Whom
72 hours. That is how much time you have to report a notifiable data breach to the supervisory authority. This article explains when a data breach ...

Data Sovereignty in Your ISMS: Why Your Risk Register Doesn't Belong in the Cloud
Your ISMS contains the most sensitive data in your organization: vulnerabilities, risk registers, incident details, audit reports. Entrusting this ...

CLOUD Act, Schrems II, and Your ISMS: What You Need to Know About US Government Data Access
The CLOUD Act gives US authorities access to data held by US providers, regardless of where the servers are located. Schrems II blew up the foundat...

Vendor Lock-in in Compliance Software: How to Keep Control of Your ISMS
Proprietary data formats, missing export functions, opaque contract terms: vendor lock-in is a real risk in compliance software with costly consequ...

SaaS vs. Self-Hosted: The True Cost of Compliance Software Over 5 Years
License costs are just the tip of the iceberg. This article calculates what SaaS compliance tools and self-hosted solutions actually cost over five...

ISMS Audit and Data Storage: Why the Auditor Wants to Know Where Your Data Resides
In the certification audit, the auditor asks not only about policies and processes but also about where your ISMS data actually resides. Cloud sub-...

Self-Hosted ISMS with Docker: Setup, Backup, and Maintenance in Practice
ISMS Lite runs with a single command on your own server. This article shows you the complete setup with Docker Compose, explains the architecture b...

GDPR-Compliant ISMS Hosting: Requirements for Storing Your Compliance Data
An ISMS tool processes personal data: names of risk owners, training participants, auditors. This brings it under the DSGVO (GDPR). This article sh...

Your Company's Crown Jewels: Why ISMS Data Needs Special Protection
Your ISMS documents every vulnerability, every open control status, and every risk assessment in your organization. For an attacker, that is more v...

Creating an Incident Response Plan: Template and Practical Example
An incident response plan describes who does what during a security incident, in what order, and with what resources. This article provides the com...

NIS2 and Data Sovereignty: What the Directive Says About Controlling Your Data
NIS2 demands not only technical security, but also sets requirements for control over your data and supply chains. This article shows how data sove...

Securing ISMS Data: Backup Strategy for Self-Hosted Compliance Systems
If your ISMS runs self-hosted, you bear the responsibility for data backup. This article shows you how to build a backup strategy for database and ...

From the Cloud to Your Own Server: ISMS Migration Without Data Loss
More and more companies are switching from cloud ISMS solutions to self-hosted systems. Reasons range from uncontrollable cost increases and compli...

ISMS Without Cloud Dependency: Why Offline Capability Is Not a Relic
Your auditor is on-site, the Wi-Fi goes down, and your cloud ISMS is unreachable. Or your production environment deliberately has no internet acces...

Digital Sovereignty for SMEs: More Than a Political Buzzword
Digital sovereignty sounds like EU summits and position papers. But behind it lies a very concrete question for every company: who controls your da...

ISMS for MSPs: Why Self-Hosted Per Customer Is the Better Architecture
Multi-tenancy sounds efficient — until a single breach affects all customer data. For Managed Service Providers offering ISMS as a service, one ins...

Encrypting ISMS Data: At Rest, In Transit, and In Backups
ISMS data is among the most sensitive information in any organization: vulnerability analyses, risk registers, audit reports. This article shows ho...

Creating a Recovery Plan: Guide with Template for SMEs
A recovery plan defines how you systematically bring business operations back online after an outage. This article shows you the structure, explain...

Conducting a Business Impact Analysis (BIA): Evaluating Business Processes
The Business Impact Analysis identifies your critical business processes and assesses the impact of an outage. This article shows you how to conduc...

IT Emergency Handbook: Structure, Content, and PDF Template
The IT emergency handbook bundles all the information you need in an emergency: escalation chains, contact lists, reporting paths, and response pla...

Planning and Conducting a Tabletop Exercise: How to Test Your Emergency Plan
A tabletop exercise tests your emergency plan without touching any systems. Participants walk through a scenario at the table and uncover gaps that...

Backup Strategy and Restore Tests: Because Backups Alone Are Not Enough
A backup without a restore test is a gamble. This article explains the 3-2-1 rule, backup types, retention periods, immutable backups against ranso...

Conducting an Internal ISMS Audit: Planning, Checklist, and Report
An internal audit is not a tedious formality — it is your most powerful tool for finding weaknesses in the ISMS before an external auditor does. Th...

Management Review per ISO 27001: Agenda, KPIs, and Minutes
The management review is the moment when top management puts its ISMS to the test. Not the IT department, not the ISO — top management. This articl...

Evaluating Audit Findings and Deriving Actions
An audit finding is just the beginning. The real value emerges only when you correctly assess the finding, analyze the root cause, and define a cor...

Creating a Record of Processing Activities (ROPA) per Art. 30 DSGVO (GDPR)
A record of processing activities per Art. 30 DSGVO (GDPR) is mandatory for almost every organization. This article shows you which details are req...

Documenting Technical and Organizational Measures (TOMs)
TOMs per Art. 32 DSGVO (GDPR) are the backbone of any data protection documentation. This article explains the 8 classic TOM categories, provides c...

Data Processing Agreements: How to Review DPAs and Assess Service Providers
A DPA (Data Processing Agreement) is quickly signed but rarely thoroughly reviewed. This article shows you when data processing on behalf of a cont...

Creating an Access Control Concept: Roles, Permissions, and Approval Workflow
An access control concept defines who may access which systems and data. Without it, there is no control over which employees actually hold which p...

User Lifecycle: Managing Onboarding, Offboarding, and Role Changes
When a new employee starts, they need access to all relevant systems on day one. When someone leaves the company, all accounts must be deactivated ...

IT Asset Management for the ISMS: Inventory, Criticality, and Classification
An ISMS without an asset inventory is like an insurance policy without knowing the insured objects. This article shows you how to build a complete ...

Protection Needs Assessment: Evaluating Confidentiality, Integrity, and Availability
The protection needs assessment is the link between the asset inventory and the risk assessment. This article explains the BSI methodology, the thr...

Building a Security Awareness Program: What Employees Really Need to Know
Technical safeguards alone are not enough when employees click on phishing emails or write passwords on sticky notes. A well-designed security awar...

Training Records in the ISMS: What Must Be Documented
Conducting training is one thing. Documenting it so that the auditor is satisfied and the records are still traceable three years later is another....

Ransomware Attack: Immediate Response, Communication, and Recovery
When ransomware strikes, every minute counts. The decisions made in the first half hour determine whether damage stays contained or the entire orga...

Phishing Detection and Reporting: A Practical Guide for Employees and IT
Phishing is the number one attack vector, and attacks are becoming increasingly sophisticated. This practical guide shows how employees can reliabl...

Implementing Multi-Factor Authentication (MFA): Strategy, Rollout, and User Adoption
MFA is one of the most effective defenses against compromised credentials and is listed as one of the ten minimum measures under NIS2. Yet many org...

Network Segmentation for SMEs: Why and How to Partition Your Network
A flat network is like a building without fire doors: once an attacker is in, they can move freely. Network segmentation limits the blast radius, p...

Patch Management for Mid-Market Companies: Process, Prioritization, and Automation
Unpatched systems are the wide-open barn door of IT security. Yet many mid-market companies struggle with a structured patch process: too many syst...

Email Security: Setting Up SPF, DKIM, DMARC, and Encryption Correctly
Email is the most common attack vector for cyberattacks on businesses. Phishing, spoofing, and business email compromise can be significantly thwar...

Zero Trust for Mid-Market Companies: Implementing the Principles Without an Enterprise Budget
Zero Trust is not a product you buy but an architectural principle you implement step by step. Even without a six-figure budget, you can embed the ...

Secure Remote Work: VPN, Endpoint Security, and Policies for Home Offices
Home offices and remote work are part of everyday life, but many companies' security concepts are still designed for the office. This article cover...

Encryption in the Enterprise: What, Where, and How to Encrypt
Encryption is one of the ten NIS2 minimum measures and a central building block of every ISMS. But what exactly needs to be encrypted, which algori...

Securing Active Directory: The 10 Most Important Measures
Active Directory is the heart of virtually every Windows environment and therefore the primary target in cyberattacks. Whoever controls AD controls...

Logging and Monitoring: What You Should Log and Why
Without logs, you're blind. Without monitoring, you're deaf. And without both, you only find out something happened when it's too late. This articl...

NIS2 for IT Service Providers and MSPs: The Dual Role as Affected Party and Advisor
IT service providers and Managed Service Providers face a unique challenge under NIS2: They are directly affected and must simultaneously support t...

NIS2 for Mechanical Engineering and Manufacturing
The manufacturing sector is among those regulated by NIS2 through Annex II. For mechanical engineers, this means: OT security, IT/OT convergence, a...

NIS2 for Logistics and Transportation: Requirements and Implementation
Transport and logistics are among the sectors of high criticality under NIS2 (Annex I). Freight forwarders, logistics centers, and transportation c...

NIS2 for Healthcare: Hospitals, Laboratories, and Medical Technology
Healthcare is classified as a sector of high criticality under NIS2. Hospitals, laboratories, pharmaceutical companies, and medical device manufact...

NIS2 for Energy Suppliers and Municipal Utilities
Energy is classified as a sector of high criticality under NIS2 and is therefore subject to the strictest requirements. For municipal utilities and...

TISAX Certification: Requirements, Process, and Assessment for Automotive Suppliers
TISAX is the information security standard of the automotive industry and a prerequisite for working with OEMs like VW, BMW, or Mercedes. This arti...

IT Security for Skilled Trades and Small Businesses Under 50 Employees
Even without NIS2 obligations, skilled trades and small businesses face daily cyber threats. Ransomware hits a small electrical contractor just as ...

Choosing ISMS Software: What Matters in the Evaluation
Excel spreadsheets, SharePoint folders, or a specialized ISMS tool? Anyone running an information security management system will sooner or later f...

Self-Hosted vs. Cloud: Data Sovereignty in Compliance Software
Compliance software manages the most sensitive data in an organization: risk assessments, security vulnerabilities, audit results. Where this data ...

What Does an ISMS Cost? Realistically Estimating Budget, Effort, and ROI
Building an ISMS costs money, time, and attention. But how much exactly? This article breaks down the cost factors, provides realistic budget range...

CISO: External or Internal? Pros and Cons for Mid-Market Companies
The Information Security Officer is the central figure in the ISMS. But does it have to be a dedicated employee, or can an external service provide...

ISO 27001 Certification: Process, Costs, and Effort for SMEs
ISO 27001 certification is achievable for SMEs when the process is clear and costs are planned realistically. This article explains the entire cert...

Cybersecurity as a Competitive Advantage: Why Customers Are Asking
Cybersecurity has long ceased to be a purely IT topic. More and more customers and clients demand verifiable evidence before awarding contracts. Or...

NIS2 Implementation on a Limited Budget: Setting Pragmatic Priorities
No dedicated security team, no six-figure budget, and still need to become NIS2-compliant? It's possible. This article shows how to prioritize the ...

ISMS Documentation: Which Documents You Actually Need (and Which You Don't)
Documentation is the backbone of every ISMS. But between mandatory documents per ISO 27001, recommended evidence, and unnecessary paperwork, there'...

NIS2 Checklist: All Requirements at a Glance
NIS2 confronts organizations with a multitude of requirements: registration, ten minimum measures, reporting obligations, governance, supply chain ...

Writing a Security Concept: Structure and Template for SMEs
An IT security concept describes how an organization protects its information assets. This article explains the difference between concepts, polici...

IT Emergency Card: The Most Important Contacts and Steps on a Single Page
The IT emergency card is the simplest and most effective tool in emergency management: a laminated card at the workplace with the most important co...

Supply Chain Attacks: How to Protect Yourself from Compromised Suppliers
SolarWinds, Kaseya, Log4j — the most devastating cyberattacks of recent years didn't come through the front door but via trusted suppliers and soft...

Social Engineering in the Enterprise: Methods, Examples, and Countermeasures
Social engineering is the most effective attack vector against organizations because it manipulates people, not technology. From CEO fraud to prete...

Insider Threats: When the Danger Comes from Within
Not every threat comes from outside. Insider threats from employees, contractors, or compromised accounts are among the most difficult security ris...

AI and Cybersecurity: Opportunities and New Attack Vectors
Artificial intelligence is fundamentally changing the cybersecurity landscape — on both sides. Attackers use AI for convincingly realistic phishing...

Cloud Security for SMEs: The Most Common Misconfigurations and How to Avoid Them
Most cloud security incidents are not caused by sophisticated attacks but by misconfigurations. Open storage accounts, missing MFA, overly broad pe...

Explaining IT Security to Executive Management: How to Get Budget and Buy-In
Many ISOs and IT managers don't fail because of missing security concepts — they fail because they can't convince executive management. Those who c...

Communicating Security Incidents: Internally, Externally, and to the Press
When a security incident occurs, communication largely determines the extent of the damage. Communicating too late, too vaguely, or to the wrong au...

Working with External Consultants: How to Make Your ISMS Project a Success
External consultants can significantly accelerate building an ISMS. But they can also steer the project in the wrong direction if the collaboration...

Information Security in Onboarding: Engaging New Employees from Day 1
New employees are especially vulnerable to security mistakes in their first weeks. At the same time, this phase shapes the habits that persist for ...

Creating a Cryptography Policy: Algorithms, Key Lengths, and Lifecycle
Cryptography is one of the ten NIS2 minimum measures and also one of the topics where companies most frequently stumble. Not because the technology...

Building Vulnerability Management: Scanners, Prioritization, and Patch Workflow
Vulnerabilities in software and systems are part of everyday IT life. The problem is rarely that vulnerabilities exist, but that they are detected ...

Data Backup According to BSI: The 3-2-1-1-0 Principle in Practice
Almost everyone in IT knows the 3-2-1 backup rule. But the original rule is no longer sufficient to defend against current threats like ransomware....

Supplier Assessment with Security Questionnaires: Template and Approach
NIS2 explicitly requires supply chain security. For most mid-market companies, this means: you must systematically assess your IT service providers...

Data Deletion Policy Under DSGVO (GDPR): Retention Periods, Deletion Rules and Implementation
A data deletion policy is not optional — it is a direct obligation under the DSGVO (GDPR). This article explains which retention periods apply, how...

Change Management in the ISMS: Steering Changes Safely
Every change to IT systems carries risks for information security. This article shows how to build a pragmatic change management process for your I...

ISMS Glossary: All Key Terms from A to Z
From Annex A to Zero Trust: this glossary explains over 50 key terms related to information security, ISMS and ISO 27001. With cross-references to ...

The CIA Triad Explained: Confidentiality, Integrity and Availability in Practice
Confidentiality, integrity and availability form the foundation of every information security strategy. This article explains the three protection ...

The PDCA Cycle in the ISMS: Plan-Do-Check-Act in Practice
The PDCA cycle is the backbone of every living ISMS. This article explains the four phases with concrete ISMS relevance, follows a risk through the...

Securing Microsoft 365: The 15 Most Important Security Settings
Microsoft 365 runs out of the box in most companies, yet the default settings are far from secure. This article describes the 15 most important s...

Conditional Access in Entra ID: Policies for SMEs
Conditional Access is the heart of access control in Microsoft 365 and Entra ID. Yet many companies shy away from setup because they fear lockouts....

Microsoft Defender for Business: Is Switching from a Traditional Antivirus Worth It?
Traditional antivirus scanners detect known malware, but they are blind to fileless attacks, living-off-the-land techniques and zero-day exploits. ...

Securing SharePoint and OneDrive: Sharing, DLP, and Data Classification
SharePoint and OneDrive are the central data stores in Microsoft 365, yet the default settings allow extensive external sharing without any control...

Teams Security: Guest Access, External Sharing, and Compliance
Microsoft Teams has become the central communication platform—and with it, the place where sensitive business information is exchanged. Yet the def...

Azure Security Basics: NSGs, Key Vault, and Security Center for SMEs
More and more mid-market companies are running workloads in Azure, but security configuration often falls by the wayside. This article explains the...

Securing Exchange Online: Anti-Phishing, Safe Links, and Mail Flow Rules
Email remains the number one attack vector: over 90 percent of all successful cyberattacks begin with a phishing email. Exchange Online offers exte...

Microsoft Secure Score: What It Measures and How to Improve It
The Microsoft Secure Score summarizes the security posture of your M365 tenant in a single number and delivers prioritized improvement recommendati...

Intune for Beginners: Device Management Without Enterprise Complexity
Microsoft Intune manages endpoints and protects corporate data, yet many mid-market companies shy away from its perceived complexity. This article ...

Ransomware Scenario: Friday Evening, 6 PM – A Step-by-Step Walkthrough
It's Friday evening, most employees are gone, and suddenly the systems are down. Ransomware has struck. This article walks you through the incident...

CEO Fraud Scenario: When the Boss Orders a Wire Transfer by Email
An urgent email from the CEO, a confidential wire transfer, time pressure. CEO Fraud is one of the most dangerous social engineering methods becaus...

Data Breach Scenario: Customer Data on the Darknet – What to Do Now
An external tip, a darknet discovery, customer data in circulation. When a data breach comes to light, a race against time begins: DSGVO (GDPR) rep...

Compromised Admin Account Scenario: Detecting and Stopping Lateral Movement
An attacker has taken over an admin account and is moving undetected through your network. Lateral movement is the most dangerous phase of an attac...

Supplier Hack Scenario: Your IT Service Provider Has Been Compromised
Your Managed Service Provider reports a compromise. Suddenly you have not been hacked yourself, but the service provider who has admin access to yo...