NIS-2 Directive
WHO IS AFFECTED BY INFORMATION SECURITY COMPLIANCE?
Whereas previously only selected sectors were subject to regulatory requirements (KRITIS, DORA) for information security compliance, the field of affected companies is expanding massively with the introduction of the NIS2 directive. And even companies that are not directly affected by the law themselves will be indirectly forced to comply with the same requirements via the supply chain.

In addition to the legal requirements for cybersecurity, selected industries have long been bound by industry standards such as VDA TISAX or PCI DSS, which raises the question of how companies should position themselves in this environment.

STANDARDS PROVIDE ORIENTATION

As diverse as the legal requirements and industry standards may appear at first glance, they are ultimately all based on the same best practices, which describe an Information Security Management System (ISMS) that reduces information security risks through relevant controls. The most widespread standard for such an ISMS is ISO 27001/27002, which describes organizational and technical control objectives and controls, as well as the organizational anchoring of the ISMS.

THE GOAL IS COST OPTIMIZATION

The central aspect of an ISMS is information security risk management, which aims to minimize risk costs while taking the costs of security measures into account. It is important to understand that although all standards and laws describe control objectives and controls, they rarely prescribe their specific design. The basic principle is always that the controls must be appropriate to the specific risk to be avoided. Appropriateness is ultimately measured in EUR: the cost of a loss event versus the cost of implementing and operating the controls.

From this perspective, the establishment of an ISMS is in the best interest of every company with the aim of optimizing business costs.

THE PATH TO COST-OPTIMIZED COMPLIANCE

Establishing an ISMS in a company for the first time is typically a multi-year program that must achieve intermediate goals in several stages to bring measurable business benefits as quickly as possible.

The priorities and milestones typically follow from the risk and gap analysis. The risk analysis highlights the specific threat scenarios that endanger the company. The gap analysis focuses on the formal implementation level of the controls against the applicable standards and legal requirements, e.g. ISO 27001 and NIS2. Both dimensions together produce a heat map along which the development path of the ISMS and the control implementation can be planned.

Planning the development path and milestones requires a broad understanding of both the more organizationally driven part of the ISMS and the necessary technical controls, which consist of many coordinated building blocks.

The goal is compliance and cybersecurity with simultaneous cost optimization.


Information Security Compliance
A strategic approach to information security

Our Services

Requirements elicitation, gap analysis and solution architecture:

  • We create a gap analysis against security best practices and specific standards.

  • We carry out a risk analysis to assess the specific cyber security risks.

  • The result is presented as a heat map of the entire control standard.

  • We create an action plan with prioritization and milestones.

  • Consulting and implementation planning to eliminate audit issues.

  • IS policies: creation of company-specific information security guidelines.

Project Management

  • Roadmap

  • Project Management

  • Program Management

  • Cost plan

Certificates:

PRINCE2 (classic & agile)

Scrum Product Owner

Scrum Master

ITIL4

CISSP

Business Analysis

Requirements Engineering

Arrange a consultation appointment:


Dr. Johannes Faassen

Mobile: +49 170 4168039
