Blauer Hintergrund

Build an ISMS that convinces auditors and withstands daily operations

Your customers require ISO 27001. NIS-2 mandates risk management. Or do you want to build it systematically? In all three cases, the answer starts here.

 

Our Services Get a consultation now

isms. done. right.

Robust, efficient, and regulatory compliant

Information security protects confidential data, ensures the availability of systems, and guarantees the integrity of information. It builds trust, reduces risks, and forms the foundation for stable, compliant operations in a digital world.

carmasec supports you in building an ISMS (Information Security Management System) that withstands threats and meets regulatory requirements.

Two starting situations

External pressure?

A major customer requires ISO 27001 as a contractual prerequisite. NIS-2 demands documented risk management. DORA mandates information risk management for financial institutions. The timeline is set. You need a clearly defined scope, a Statement of Applicability that withstands an audit, and a project that does not tie up your team for months.

Internal motivation?

You are responsible for information security. You know that individual measures do not form a foundation. You want to systematically record assets, assess and treat risks according to ISO 27001, and establish a PDCA cycle that is actually implemented within the organization.

An ISMS does not need to be oversized or complex for your organization. In the initial meeting, we will clarify together what scope fits your organization and what is realistically achievable.

Schedule initial consultation

Our services at a glance

Balkendiagramm mit Wachstumskurve-Icon
Gap Analysis

Before we build, we understand where you stand. We compare your current state with the requirements of ISO 27001, BSI IT-Grundschutz, NIS-2, DORA, CRA, and EU AI Act.

Geöffnetes Schloss mit Warnzeichen-Icon
Risk Assessment & Risk Treatment

Risks cannot simply be checked off. We identify your assets requiring protection, assess threat scenarios, and derive controls from your actual risk profile.

Mehrere Dokumente mit Schutzschild-Icon
Policies, Guidelines & Processes

Documentation that no one reads protects no one. We develop policies and procedures with your team for Incident Management, Change Management, and Access Management.

Clipboard mit Checkliste und Zahnrad-Icon
Internal Audits & Maturity Assessment

An ISMS that is never reviewed does not evolve. We plan and conduct internal audits, derive corrective actions, and prepare the management review.

Dozent vor Tafel mit Teilnehmern-Icon
Awareness & Training

Technical controls protect. People decide. We train your information security officers for independent ISMS operation and raise awareness in departments where risks arise in daily operations.

Person mit Auszeichnungsmedaille-Icon
Certification Preparation

We prepare your ISMS for external audit—with internal pre-audits, document reviews, and support through certification.

PROCESS

Three steps to an operational ISMS

Grafik mit der Zahl 1 in Orange auf blauem Kreishintergrund

Analysis

We start with the assessment.

  • Kick-off with relevant stakeholders
  • Requirements analysis: ISO 27001, BSI, NIS-2, DORA, CRA, corporate requirements
  • Gap report with prioritized action plan
  • Asset inventory and risk assessment
Grafik mit der Zahl 2 in Orange auf blauem Kreishintergrund

Implementation

We build the system together with your team.

  • Information security policy and policy set
  • Procedures for Incident, Change, and Access Management
  • Roles and responsibilities clearly assigned
  • Statement of Applicability and risk treatment plan
  • Technical and organizational controls implemented
  • First internal audit as trial run
Grafik mit der Zahl 3 in Orange auf blauem Kreishintergrund

Handover

You operate the system independently.

  • Handover workshop with complete knowledge transfer
  • Operations manual for ongoing ISMS operation
  • Optional: Certification support
  • Training of information security officers for independent operation

FAQ

Common questions? We have the answers

How long does it take to build an ISMS?

A basic ISMS with a clearly defined scope is achievable in three to six months. With ISO 27001 certification, expect nine to twelve months. Company size alone is not the deciding factor. Clarity on scope, available internal resources, and management commitment are equally critical. We will clarify this specifically in the initial consultation.

What is the difference between ISMS and ISO 27001?

The ISMS is the management system: processes, responsibilities, risk assessment, controls. ISO 27001 is the international standard against which this system can be certified. An ISMS without certification is fully valid if no external proof is required. We always build to certification standards, even if certification is not planned.

ISO 27001 or BSI IT-Grundschutz?

ISO 27001 is risk-based and internationally recognized. BSI IT-Grundschutz is measure-based and particularly widespread in Germany among government agencies and KRITIS operators. Both frameworks can be combined: an ISMS based on IT-Grundschutz modules can simultaneously be ISO 27001 compliant. Which approach fits depends on industry, regulation, and internal context. We recommend based on analysis, not preference.

How much internal effort is required?

We handle the main workload. Plan for one to two days per week for the responsible person on your side. Additionally, there will be targeted workshops with departments. The clearer the internal decision-making processes, the faster we progress. An ISMS is a management system, not an IT project. It requires participation.

Porträtfoto von Till Bormann, Senior Security Consultant bei der carmasec.
Guidelines do not realise their full potential on paper, but through practical application. What drives me is this: clients commission specialist expertise, yet often require systemic solutions to their problems. For me, risk management is not a tool, but a mindset. Those who have truly internalised this do not build an ISMS for the sake of the audit, but one that serves the organisation.

Till Bormann, Management Consultant

Contact Expert

Whether start-up, mid-sized company, or corporation: We find the right solution

Trust is built through results

Logo von Bruker
“Professional, flexible, approachable and, above all, successful. carmasec has delivered on its promises.”

Bruker Optics

Logo von eligo
“In carmasec, we found a trustworthy partner who supported us throughout the implementation process and provided a comprehensive report on the results. We have no hesitation in recommending carmasec.”

ELIGO

Logo von DKV
“With carmasec’s support, we have defined KPIs and achieved a higher level of transparency and acceptance.”

DKV Mobility Services

Logo von Tyntec
“carmasec has made a significant contribution to the security of our services. Professional advice, flawless execution. We wholeheartedly recommend carmasec for infrastructure penetration testing.”

tyntec GmbH

Also of interest

Information Security & Compliance|16.02.2026

Case Study: Product Security and Cyber Resilience Act

More information

Contact

Let’s spend 45 minutes finding out if and how we can help.

We’d be happy to tell you more during a free consultation. Simply fill in the form and send it off, and we’ll get in touch.

Porträtfoto von Jan Sudmeyer, Geschäftsführer bei der carmasec.
Jan Sudmeyer
Managing Partner
+49 (0)201 426 385 905
vertrieb@carmasec.com