
Build an ISMS that convinces auditors and withstands daily operations

Your customers require ISO 27001. NIS-2 mandates risk management. Or you simply want to build information security systematically. In all three cases, the answer starts here.


isms. done. right.

Robust, efficient, and regulatory compliant

Information security protects confidential data, ensures the availability of systems, and guarantees the integrity of information. It builds trust, reduces risks, and forms the foundation for stable, compliant operations in a digital world.

carmasec supports you in building an ISMS (Information Security Management System) that withstands threats and meets regulatory requirements.

Two starting situations

External pressure?

A major customer requires ISO 27001 as a contractual prerequisite. NIS-2 demands documented risk management. DORA mandates information risk management for financial institutions. The timeline is set. You need a clearly defined scope, a Statement of Applicability that withstands an audit, and a project that does not tie up your team for months.

Internal motivation?

You are responsible for information security. You know that individual measures do not form a foundation. You want to systematically record assets, assess and treat risks according to ISO 27001, and establish a PDCA cycle that is actually implemented within the organization.

An ISMS does not need to be oversized or complex for your organization. In the initial meeting, we will clarify together what scope fits your organization and what is realistically achievable.


Our services at a glance

Gap Analysis

Before we build, we understand where you stand. We compare your current state with the requirements of ISO 27001, BSI IT-Grundschutz, NIS-2, DORA, CRA, and EU AI Act.

Risk Assessment & Risk Treatment

Risks cannot simply be checked off. We identify your assets requiring protection, assess threat scenarios, and derive controls from your actual risk profile.

Policies, Guidelines & Processes

Documentation that no one reads protects no one. We develop policies and procedures with your team for Incident Management, Change Management, and Access Management.

Internal Audits & Maturity Assessment

An ISMS that is never reviewed does not evolve. We plan and conduct internal audits, derive corrective actions, and prepare the management review.

Awareness & Training

Technical controls protect. People decide. We train your information security officers for independent ISMS operation and raise awareness in departments where risks arise in daily operations.

Certification Preparation

We prepare your ISMS for the external audit: internal pre-audits, document reviews, and support throughout the certification process.

PROCESS

Three steps to an operational ISMS


Analysis

We start with the assessment.

  • Kick-off with relevant stakeholders
  • Requirements analysis: ISO 27001, BSI, NIS-2, DORA, CRA, corporate requirements
  • Gap report with prioritized action plan
  • Asset inventory and risk assessment

Implementation

We build the system together with your team.

  • Information security policy and policy set
  • Procedures for Incident, Change, and Access Management
  • Roles and responsibilities clearly assigned
  • Statement of Applicability and risk treatment plan
  • Technical and organizational controls implemented
  • First internal audit as trial run

Handover

You operate the system independently.

  • Handover workshop with complete knowledge transfer
  • Operations manual for ongoing ISMS operation
  • Optional: Certification support
  • Training of information security officers for independent operation

FAQ

Common questions? We have the answers

How long does it take to build an ISMS?

A basic ISMS with a clearly defined scope is achievable in three to six months. With ISO 27001 certification, expect nine to twelve months. Company size alone is not the deciding factor. Clarity on scope, available internal resources, and management commitment are equally critical. We will clarify this specifically in the initial consultation.

What is the difference between ISMS and ISO 27001?

The ISMS is the management system: processes, responsibilities, risk assessment, controls. ISO 27001 is the international standard against which this system can be certified. An ISMS without certification is fully valid if no external proof is required. We always build to certification standards, even if certification is not planned.

ISO 27001 or BSI IT-Grundschutz?

ISO 27001 is risk-based and internationally recognized. BSI IT-Grundschutz is measure-based and particularly widespread in Germany among government agencies and KRITIS operators. Both frameworks can be combined: an ISMS based on IT-Grundschutz modules can simultaneously be ISO 27001 compliant. Which approach fits depends on industry, regulation, and internal context. We recommend based on analysis, not preference.

How much internal effort is required?

We handle the main workload. Plan for one to two days per week for the responsible person on your side. Additionally, there will be targeted workshops with departments. The clearer the internal decision-making processes, the faster we progress. An ISMS is a management system, not an IT project. It requires participation.

Policies deliver their value not on paper but in lived processes. What drives me: clients commission expert knowledge, but often what they need is systemic problem solving. For me, risk management is not a tool but a mindset. Those who have internalized that do not build an ISMS for the audit, but one for the organization.

Till Bormann, Senior Security Consultant


Whether start-up, mid-sized company, or corporation: We find the right solution

Trust is built through results

»Professional, flexible, approachable and, above all, successful. carmasec delivered what was promised.«

Bruker Optics

»In carmasec we found a trustworthy partner who supported us during implementation and delivered a comprehensive results report. We recommend carmasec without reservation.«

ELIGO

»With carmasec's support we defined KPIs and achieved a higher level of transparency and acceptance.«

DKV Mobility Services

»carmasec made a notable contribution to the security of our services. Professional consulting, clean execution. For infrastructure pentests we recommend carmasec without reservation.«

tyntec GmbH


Contact

Let's find out in 45 minutes whether and how we can help.

In a free consultation we will be happy to tell you more. Simply fill out and submit the form, and we will get in touch.

Jan Sudmeyer
Managing Director
+49 (0)201 426 385 905
vertrieb@carmasec.com