Our Value Proposition

The threat situation and the requirements for information security are continuously increasing. Adequate protection of information and IT systems without restricting the time-to-market development of the business model are critical to the success of any company.

We advise and support you in all aspects of information security and deliver customized solutions for your company. With the following services (can be booked individually or in combination) we support you in setting up, implementing and maintaining an information security management system (ISMS).

We support you with the following topics individually or in combination:

Quick Start Information Security
Maturity Assessment / Gap Analysis
Creating the necessary Asset Inventory
Determination of the Protection Needs
ISMS Requirements and Controls from relevant Standards & Catalogs
ISMS Documentation
ISMS Organization & Processes
Risk Management (Risk Identification, Analysis & Evaluation)
Risk Treatment and Measures Management
ISMS Reporting
ISMS Assessment
ISMS Communication, Awareness, Training

Quick Start Information Security

Quick Start Information Security based on Lean42 ISMS (Excel solution integrable into various EAM tools):

  • Initial setup of your information security management system based on ISO 27001 and modernized IT-Grundschutz in 2 half-day workshops (or online meetings).
  • Use Lean42’s experience and templates as a starting point for your ISMS
  • Integration into many EAM, CMDB and other tools possible

Fixed price 15.000 €
plus VAT

Get started with our quick-start package for a fixed price of 15,000 € plus VAT:

Quickly and systematically set up information security in a sustainable and manageable way

Maturity Assessment / Gap Analysis

  • Identification of the targeted standard requirements / controls (scope / SoA) and determination of the status quo. Collection and analysis of existing relevant documentation, guidelines and other regulations which are used for the gap analysis.
  • Survey of the current status using structured interviews, questionnaires and workshops.
  • Validation of the status quo based on the essential ISO 27001 requirements.
  • Gap analysis with evaluation and prioritization on functional, organizational, process-related and technical levels, including the derivation of needs for action. Documentation of the degree of implementation, those responsible for realization, the measures and the target date for realization as well as risk and expense assessment incl. comments for each control in the SoA excel.
  • Derivation of recommendations for action, i.e. identification of the necessary steps for a successful ISMS implementation, identification of the basic conditions as well as estimation of the expenditure necessary for the implementation.

Creating a successful Asset Inventory

Asset management is used to record information and other assets related to information and information-processing facilities, and to create and continuously maintain a register (inventory) of these assets. Asset management is an essential process of any ISMS. It initially provides and updates the asset register as a basis for defining the scope, for modeling the system network, for determining the protection needs, for risk management and for defining the required security measures.

We are happy to support you in

  • Analysis of the existing data inventory regarding structural and protection need aspects;
  • Creation of the required asset inventory, identification and documentation of critical assets, determination of asset owners and required maintenance processes for ongoing inventory updates;
  • Definition of protection goals, determination of the protection needs to identify assets with increased protection needs (so-called crown jewels);
  • Use of all functional and technical structures down to CI level for asset management through the link between EAM and CMDB.

Determination of the Protection Needs

The determination of protection needs identifies the sufficient and appropriate level of protection for the business processes and related data, as well as for the supporting assets such as applications or IT systems. Based on this, appropriate security measures can be selected. The results of the protection needs determination must be documented and retained in a comprehensible manner.

We are happy to support you in

  • Creation of the required asset inventory, identification and documentation of critical assets, determination of asset owners
  • Definition of protection goals, determination of the protection needs to identify assets with increased protection needs (so-called crown jewels);
  • Step-by-step documentation and conclusions drawn from the results of the protection requirements determination incl. the impact of any loss or damage and possible security measures
  • Interviewing the responsible persons and experts to determine the protection needs, protection goals as well as impact of any loss or damage and possible security measures for assets with increased protection needs
    • Determination of the protection needs for business processes and related data; inheritance of protection needs by the supporting assets based on the maximum principle
    • Determination of the protection needs for applications and IT systems
    • Determination of the protection needs for buildings and rooms
    • Protection needs assessment for communication links
    • Derivation of the necessary security measures for assets with increased protection requirements
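The inheritance step above, worked through as an added example (not Lean42's code or tooling): protection needs are assessed for business processes and propagated along the dependency chain to applications, IT systems and rooms, each supporting asset taking the maximum of what depends on it. The asset names, levels and dependencies are constructed for illustration.

```python
from enum import IntEnum

class Need(IntEnum):
    """Protection need levels in the IT-Grundschutz sense (ordered)."""
    NORMAL = 1
    HIGH = 2
    VERY_HIGH = 3

# Constructed sample inventory: only business processes carry an assessed
# protection need; everything else inherits it.
PROCESSES = {
    "order-processing": Need.HIGH,
    "payroll": Need.VERY_HIGH,
    "internal-newsletter": Need.NORMAL,
}
# "asset -> assets it relies on" (process -> application -> system -> room)
DEPENDS_ON = {
    "order-processing": ["erp-app"],
    "payroll": ["hr-app"],
    "internal-newsletter": ["cms-app"],
    "erp-app": ["db-server-1", "app-server-1"],
    "hr-app": ["db-server-1"],
    "cms-app": ["web-server-1"],
    "db-server-1": ["server-room-A"],
    "app-server-1": ["server-room-A"],
    "web-server-1": ["server-room-A"],
}

def derive_protection_needs(processes, depends_on):
    """Maximum principle: a supporting asset needs at least as much protection
    as the most demanding asset that depends on it. Fixed-point iteration, so
    shared assets and even cyclic dependencies are handled."""
    needs = {a: Need.NORMAL for deps in depends_on.values() for a in deps}
    needs.update({a: Need.NORMAL for a in depends_on})
    needs.update(processes)
    changed = True
    while changed:  # terminates: a need level can only ever increase
        changed = False
        for asset, deps in depends_on.items():
            for dep in deps:
                if needs[dep] < needs[asset]:
                    needs[dep] = needs[asset]
                    changed = True
    return needs

def crown_jewels(needs):
    """Assets with increased protection needs (HIGH or above)."""
    return sorted(a for a, n in needs.items() if n >= Need.HIGH)
```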

ISMS Requirements and Controls from relevant Standards & Catalogs

Laws and standards already specify many requirements and control objectives for information security (ISO/IEC 27001, BSI IT-Grundschutz, TISAX, etc.). These requirements must be understood and evaluated on a company-specific basis. An appropriate security architecture must be derived. These general and company-specific frameworks are used to build an effective toolkit.

We are happy to support you in

  • Definition of the scope, creation of “Statement of Applicability” (SoA)
  • Documentation of necessary regulatory content such as control objectives from relevant standards & catalogs (ISO2700x, BSI, etc.). We also offer a catalog service for ISO 2700x with integrated IT-Grundschutz for compliance with internal and external regulations or requirements and support during audits & certifications
  • Derivation of specific requirements based on regulations

ISMS Documentation

Detailed and complete documentation is mandatory for the introduction and sustainable implementation of the ISMS. This includes all documents that describe the information security policy, the scope of the ISMS (Statement of Applicability, SoA), guidelines and policies, specifications, rules and processes for planning, implementing, controlling and continuously optimizing information security.

We are happy to support you in

  • Development of necessary specifications, guidelines and policies as well as procedural & work instructions for different user groups: mandatory and recommended documents & evidence according to ISO/IEC 27001. For this purpose, we use a variety of best-practice ISMS document templates.
  • Development and documentation of the “ISMS Manual” with all required guidelines and policies according to ISO 27001, BSI and Lean42 best practices.

ISMS Organization & Processes

To achieve the desired level of security, the organization must define the roles and responsibilities for the setup, maintenance and continuous improvement of the ISMS. The resources required for this process must be determined and made available.

We are happy to support you in

  • Development of the overarching organizational structure for ISMS
  • Documentation of the structural and operational organization for ISMS with roles and responsibilities, committee structure, communication & reporting channels, etc.
  • Development of process-related target architecture for ISMS incl. interfaces between all ISMS-internal and -external processes
  • Review of the required processes and procedures according to Annex A of ISO 27001 as well as other required regulations

Risk Management (Risk Identification, Analysis & Evaluation)

Risk management is a systematic process within the Information Security Management System for identifying, analyzing, evaluating, treating, monitoring and reviewing risks. Risk management in information security helps to achieve an acceptable level of security within the scope and to sustainably improve the existing level of security.

We are happy to support you, among other things, in

  • Creation/development of risk management methodology & approach for risk identification, analysis and evaluation
  • Risk identification and analysis, creation of risk register
    • Creation of an overview of the threats (elementary and additional threats)
    • Derivation of specific use cases or scenarios (threat scenarios) of the company
    • Analysis of dependencies and impacts (threat analysis, vulnerability analysis)
    • Identification of risks and affected assets as well as risk owners
  • Risk evaluation based on the identified, classified and evaluated assets
    • Definition of risk categories
    • Risk evaluation according to likelihood and impact
    • Creation of risk portfolio

Risk Treatment and Measures Management

As part of risk treatment, security measures must be identified to reduce or eliminate the risk.

We are happy to support you in

  • Definition of risk acceptance criteria, risk response strategies and selecting the most appropriate risk treatment
  • Documentation of existing implementation deficits for the business-critical risks, including an implementation plan for further reduction of the existing residual risks
  • Definition of control mechanisms for evaluating the implementation progress of the selected security measures. Definition of the intervention in case of deviations from the intended process or in case of necessary changes
  • Derivation and documentation of the relevant technical and organizational measures (TOMs) incl. tracking as well as integration of the identified security measures into the security concept
  • Documentation of management’s decision to accept, reject or transfer the risk and documentation of appropriate technical and organizational measures (TOMs)
  • Documentation of the risk treatment plan incl. necessary financial and resource requirements

ISMS Reporting

An important basis for the decisions to be taken is clearly and meaningfully prepared information on the conformity and effectiveness of the ISMS as well as on the current threat situation and the status of security measures. ISMS reporting includes both regular clear and concise management reports to support decision-making for managing and steering the information security process, as well as event-driven management reports in the event of security changes, problems or identified vulnerabilities.

We are happy to support you in

  • Implementation and operationalization of the ISMS dashboard to continuously measure the effectiveness and efficiency of the controls
  • Development of reporting / standard-compliant reporting (e.g. regular management reports, ad-hoc reports)
  • Determination and development of key performance indicators to measure the effectiveness, efficiency and transparency of the ISMS processes, including the approach to their collection and reporting
  • Development of the ISMS dashboard, e.g. in Tableau, and integration into the existing ISMS tool.

ISMS Assessment

ISO 27001 requires comprehensible documentation as proof of a functioning management system and implementation of the defined security measures.

This includes amongst others:

  • Records of training, skills, experience and qualifications
  • Results of monitoring, measurement, analysis, and evaluation of the ISMS
  • Internal audit program and internal audit results
  • Results of management reviews
  • Results of corrective actions

We are happy to support you in

  • Conception and execution of ISMS trainings (general employee training and expert trainings)
  • Creation of ISMS dashboard and ISMS reporting to monitor, measure, analyze and evaluate the ISMS.
  • Preparation and/or execution of internal audits & security checks. Assessment of implementation and compliance with requirements/rules.
    • Definition of criteria, scope, frequency and methodology
    • Optimization / variation of audit program
    • Preparation of audit plan, audit checklist and audit protocol (Lean42 best practice templates)
    • Non-conformance report / action log according to ISO 27001 for review and evaluation of the defined corrective actions
    • Preparation of the audit report
  • Gap analysis incl. derivation of needs for action and definition of the recommendations for action
  • Logging, classification and analysis of the impact of non-conformances. Remediation of non-compliances, e.g. in the form of corrective actions
  • Documentation of gaps, non-conformances and resulting risks

ISMS Communication, Awareness, Training

ISMS awareness is the basis for providing an appropriate level of information security. Employees must be aware of their contribution to the effectiveness of the information security management system and to the improvement of information security. This is primarily achieved through corporate communication.

We are happy to support you in

  • Creation of training & awareness concept
  • Creation of training materials for different user groups
  • Implementation of ISMS training (general employee training and expert training)
  • Security awareness for top management
  • Definition and implementation of ISMS awareness and communication measures, e.g. ISMS intranet presence, ISMS dashboard, ISMS newsletter, poster campaigns, educational flyers, info slides, etc.