THINK SAFE. THINK ICS.

ISMS for KRITIS - audit-proof, efficient, legally compliant

Is your IT service provider asking for ISO 27001? Do your customers expect proof? We can help before things get complicated.


Audit-capable ISMS in accordance with ISO 27001/B3S - including verification management


CISOaaS: our experts support you in setting up your ISMS


From risk analysis to management review: We deliver auditable, structured documentation


Target group-specific awareness training at all levels


An ISMS is like a safety net - but one that you can build yourself.

We accompany you from the start to audit readiness - transparently, efficiently and with little effort for your team.

Do you operate a critical infrastructure and are under pressure? The BSI Act (§8a BSIG) obliges you to take technical and organizational measures to protect your systems - including regular verification obligations. The NIS2 directive now also adds liability at management level. What you need now is a clear, efficient roadmap for KRITIS security management - structured, standard-compliant and feasible.

What is an ISMS - and why is it essential?

An ISMS (Information Security Management System) is the structured framework with which you implement and verify information security in your organization. It implements the central protection goals according to the CIA principle:

Confidentiality

Protection of sensitive information from unauthorized access, e.g. through encryption.

Integrity

Ensuring the correctness and immutability of information, e.g. through signatures.

Availability

Ensuring reliable access to systems and data, e.g. through redundancy.

Technical security (IT security) is only one aspect of meeting the protection goals. Organizational measures such as guidelines and specifications also create a solid basis for sustainably improving information security.

Project structure: How your ISMS project with ICS works

We accompany you from the start to audit readiness - transparently, efficiently and with little effort for your team:

  • 1. Inventory

  • 2. Risk analysis

  • 3. Measures & implementation

  • 4. Awareness & audit

Recording the status quo of the ISMS in comparison with the standard, supplemented by penetration testing

  • ISMS management structure: responsibilities, suppliers and partners, dealing with security incidents, awareness
  • Optional - Physical penetration test: Review of perimeter and building protection ¹
  • Optional - Internal penetration test: Review of network security ¹

¹ Savings through synergy effects of 20% compared to the individual packages

You receive a high-quality ISMS GAP analysis.

Creation of asset register and holistic corporate structure

  • Recording of all business processes and protected objects

Holistic risk analysis according to BSI standard

  • Determination of protection requirements for all assets, assessment of all elementary threats to your company
  • Risk assessment and visualization before and after measures

You receive a complete risk analysis report.

Catalog of measures

  • Prioritized list of measures from the risk analysis for the gradual improvement of the ISMS
  • Support for the company during implementation, in particular of technical and organizational measures
  • Optional: verification of the effectiveness of the measures through penetration testing ¹

Support in setting up the ISMS standard

  • Creation of the necessary documentation for the ISMS
  • Reduction of risks

You will receive a detailed catalog of measures & ISMS documents.

Awareness training

  • Provision of training documents and optional: implementation of awareness training courses

ISMS control

  • Conducting an internal audit and a management review
  • Accompaniment of the external certification audit

You will receive instructive training documents & an internal audit report.

Your added value with ICS

More efficiency:

20 % synergy effect through combined ISMS + PenTest + training package

CISOaaS available:

Our experts take on your ISMS role on a permanent or temporary basis

Future-proof:

Your ISMS is 95% NIS2-compatible, and we can optionally cover the remaining 5% with NIS2 consulting

Fast & scalable:

Ideal for SMEs, operator associations and large organizations


Customer references

netcare Business Solutions GmbH

Complete ISMS support up to successful ISO 27001 audit readiness
(Q2/2023)

DRK Aalen

ISMS introduction & sustainable support in the healthcare sector
(Q3/2024)

Risk management is at the heart of a functioning ISMS

With SECIRA, we offer you a tool for semi-automated, continuous risk management that detects security gaps before they become a problem. Together with our partners, we provide you with a complete ISMS suite from a single source.

Synetics GmbH

CMDB with i-doit for a structured, dynamic value directory.

Achtwerk GmbH & Co. KG

System for attack detection (SzA) with IRMA for BSIG §8a compliant use.


Arrange a free demo appointment or simply get in touch with us.

Success Story

ISMS in practice: Systematic security - for people who bear responsibility

At the German Red Cross, the focus is on people - also when it comes to information security. Together with ICS, an ISMS was set up to protect what matters: confidential data, critical processes and the trust of society.


FAQ - Frequently asked questions

What is an ISMS?

An information security management system (ISMS) is a structured approach to permanently protect information in a company. It regulates organizational and technical measures to ensure the confidentiality, integrity and availability of data - based on normative standards such as ISO 27001, B3S or IT-Grundschutz.

Why is an ISMS mandatory for KRITIS operators?

KRITIS companies are subject to the BSI Act. They are obliged to implement appropriate security measures to protect their information security (Section 8a BSIG) and to provide evidence of these on a regular basis.

Why OT security is more important today than ever before

The increasing networking of industrial plants makes operational technology (OT) an attractive target for cyber attacks. Attacks on control and production systems endanger not only data, but also security, availability and human lives. OT security protects critical infrastructures, secures production processes and is indispensable for the resilience of modern industrial companies.

What is the difference between IT security and information security?

IT security is a sub-aspect of information security in which technical measures are taken to establish the protection goals of information security. Information security is more than just technology. It is the set of all technical and organizational measures to increase the level of protection in the company.

Do my suppliers have to fulfill ISMS requirements?

Information security management is a comprehensive process. Supplier management, for example, explicitly addresses requirements for dealing with companies outside your own company in order to ensure information security across the entire process chain. We support you in setting up a supplier management system.

What is the CIA principle?

The CIA principle describes the three central protection goals of information security:

  • C - Confidentiality: Protection of sensitive information from unauthorized access, e.g. through encryption.

  • I - Integrity: Ensuring that data remains complete and unchanged - for example through digital signatures or checksums.

  • A - Availability: Systems and information must be reliably available, e.g. through redundancies or emergency concepts.

The CIA principle forms the basis of every ISMS - all measures within the framework of KRITIS security management contribute to at least one of these three objectives.

What if we don't have an information security officer internally?

Then we take over - with CISOaaS and an experienced team of consultants who will accompany you until you are ready for certification, also as an external information security officer if required.

What does an ISMS project with ICS involve?

Your project includes:

  • Inventory & gap analysis
  • Risk analysis incl. attack tree analysis
  • Catalog of measures & implementation
  • Awareness training & internal audits
  • Certification preparation & support

Optional: physical and IT penetration tests, CISOaaS

What is CISOaaS and how does it help me?

CISO as a Service (CISOaaS) is our offer for companies without an internal information security officer. You receive an experienced ICS CISO as an external consultant - on a permanent or temporary basis, e.g. for project management or audit preparation. Read more about our CISOaaS services here.

How does the risk analysis work?

We record critical business processes and associated assets, evaluate them with regard to potential threats and vulnerabilities, create a risk matrix and derive specific measures to minimize risks.

Is training part of the ISMS project?

Yes. We offer awareness training for all employees as well as targeted training for IT, management and security officers - including documentation and implementation. Also with regard to NIS2 requirements.

Do all employees need to be trained?

This depends on the requirements placed on the company. Information security in the ISMS is applied for a defined scope, and training must be provided for this scope. If a company falls under NIS2, for example, this results in a training requirement for the workforce.

What is a penetration test and why is it important?

A penetration test carries out targeted attacks on your systems to identify exploitable vulnerabilities. It helps to identify technical risks at an early stage and prioritize measures.

Read more about our penetration testing services here.

What does attack detection mean (Section 8a (1a) BSIG)?

KRITIS operators must introduce systems for attack detection. These are systems that have been specially developed to continuously and automatically detect, analyze and react to security-relevant events. ICS supports you in the selection, implementation and documentation of such systems.

Can I get ISO 27001 certification from ICS?

ICS is not a certifier. We work with you to set up the information security management system according to your needs. The implementation of the measures can also be done together if desired. We support you on your way to certification maturity.

Book a consultation now!

Let us advise you individually and personally. We look forward to getting to know you and answering your questions in a no-obligation consultation.