
ISO 27001 & Information Security
ISMS Consulting
We guide organisations through the design, implementation, and certification of their Information Security Management System – from initial gap analysis to successful ISO 27001 audit.
What Is ISMS Consulting?
An Information Security Management System (ISMS) is not a folder of policies that gets reviewed once a year. It is a living governance framework that answers a fundamental question: which information assets are critical to your organisation – and how do you protect them systematically, measurably, and sustainably? ISO/IEC 27001 defines the international standard for this and is recognised globally as the gold standard for information security management.
The underlying logic of the ISMS follows the Plan-Do-Check-Act cycle: risks are identified and assessed, controls are planned and implemented, their effectiveness is reviewed, and the system is continuously improved. This sounds straightforward in principle, but requires genuine engagement with business processes, dependencies, and vulnerabilities in practice.
ISMS consulting bridges the gap between the standard's requirements and your organisation's reality. An experienced ISMS consultant brings structured methodology, audit experience, and the ability to translate abstract requirements into concrete, operational measures – without over-engineering the documentation or losing sight of actual security outcomes.
Our Approach: From Gap Analysis to ISO 27001 Certification
Every ISMS engagement starts with an honest assessment. Our gap analysis maps the current state of your security controls against the requirements of ISO/IEC 27001:2022, identifies material gaps, and produces a prioritised implementation roadmap calibrated to your organisation's actual capacity and risk profile – not a generic checklist. This initial phase also determines the ISMS scope: which business units, locations, and processes should be included. Scope decisions have a major impact on project effort and on the eventual certification.
We then guide you through risk analysis and risk treatment: which threats are relevant for your specific environment, which controls address them economically and effectively, and how are residual risks documented and accepted by management. The Statement of Applicability (SoA) – which maps your control choices against all ISO 27001 Annex A controls – is a core deliverable of this phase and a document that auditors scrutinise closely.
Documentation – security policies, operational procedures, the SoA – is developed to be functional, not voluminous. Policies that no one reads do not protect organisations; they create liability. We prepare your team for the internal audit, provide dry-run walkthroughs of the certification audit process, and support you through the external audit itself. Our consultants have accompanied ISO 27001 certification audits with multiple accredited certification bodies and know exactly where auditors focus their attention.
ISO 27001 or BSI IT-Grundschutz: Choosing the Right Framework
ISO 27001 and the BSI IT-Grundschutz address the same objective – a functioning information security management system – but with different approaches. ISO 27001 is risk-based and flexible: it defines what an ISMS must achieve but leaves the specific controls open. BSI IT-Grundschutz provides a detailed catalogue of prescriptive security requirements for specific system types and processes – from Windows server hardening to physical security measures.
For German federal authorities and many critical infrastructure operators, BSI IT-Grundschutz is either mandated or the de facto standard. For internationally operating organisations, or those that need to demonstrate compliance to foreign clients and partners, ISO 27001 is the recognised choice. Many of our projects combine both frameworks: ISO 27001 provides the certification basis, while Grundschutz building blocks provide technical depth for specific system categories.
We help you make this decision on a sound basis – considering your industry, regulatory obligations, and strategic objectives. The right answer depends on what you need to demonstrate, to whom, and within what timeline. Organisations that already have a BSI Grundschutz implementation can typically leverage it for ISO 27001 certification with relatively modest additional effort.
ISMS Consulting for Regulated Industries: NIS2, DORA, and KRITIS
ISO 27001 certification is increasingly intertwined with regulatory compliance obligations. The NIS2 Directive requires essential and important entities to implement risk-based technical and organisational security measures and to document them. An ISO 27001-aligned ISMS provides a structured framework for meeting these requirements and, crucially, for demonstrating compliance to the national supervisory authority (BSI in Germany). The overlap between ISO 27001 controls and NIS2 Article 21 requirements is substantial – organisations that pursue both simultaneously save significant effort.
DORA (Digital Operational Resilience Act) requires financial entities to establish a comprehensive ICT risk management framework with defined governance, incident response, and third-party risk management processes. ISO 27001 addresses all of these areas and is widely used by financial institutions as the structural backbone for DORA compliance. Our ISMS consulting integrates DORA-specific requirements into the ISMS design from the outset rather than treating them as a separate workstream.
For critical infrastructure operators (KRITIS) under the German BSIG, ISO 27001 certification is accepted as evidence of adequate security measures under the industry-specific security standards (B3S). Blackfort has specific experience in the energy, telecommunications, and financial sectors and understands the sector-specific requirements that must be reflected in the ISMS scope and control selection.
What We Deliver
- Gap analysis & maturity assessment
- ISMS scope definition
- Risk analysis & risk treatment
- Statement of Applicability (SoA)
- Policy & procedure development
- Internal audit preparation
- Certification audit support
- Post-certification maintenance
Frameworks & Standards
- ISO/IEC 27001:2022
- BSI IT-Grundschutz
- NIS2 Directive
- DORA
- KRITIS / BSIG
- TISAX
Related Service
External Information Security Officer
Ongoing ISMS operation after certification – a named Information Security Officer (ISB) provided as a flexible service.
Discuss Your ISMS Project
We will outline a realistic approach for your organisation's size and starting point.
Frequently Asked Questions
What does ISMS consulting typically involve?
ISMS consulting covers the full lifecycle of building, certifying, and maintaining an Information Security Management System. This includes: initial gap analysis against ISO 27001, ISMS scope definition, risk analysis and risk treatment planning, development of policies and the Statement of Applicability, internal audit support, and preparation for external certification. After initial certification, ISMS consulting focuses on ongoing maintenance, surveillance audit preparation, and continuous improvement.
How long does ISO 27001 certification take?
A realistic timeline for initial ISO 27001 certification is 9 to 18 months, depending on the organisation's size, starting point, and available internal capacity. Organisations with existing security controls and documentation can move faster; those starting from scratch require more time for risk analysis and control implementation. Factors that frequently cause delays: unclear ISMS scope, insufficient management commitment, and underestimating the internal coordination effort. We build a realistic project plan from day one.
What is the difference between ISMS consulting and an external Information Security Officer?
ISMS consulting is project-based: it covers the design, implementation, and certification of the ISMS within a defined project scope. An external Information Security Officer (ISB) is an ongoing operational role: they maintain the ISMS day-to-day, conduct risk assessments, manage incidents, and represent the organisation in regulatory matters. Many organisations use consulting support for the initial ISMS build and then transition to an external ISB model for ongoing operation. Blackfort provides both services, which can be combined or transitioned smoothly.
How does ISO 27001 help us meet NIS2 and DORA requirements?
ISO 27001 provides significant coverage of both NIS2 Article 21 requirements and DORA's ICT risk management framework. NIS2 mandates risk-based security measures, incident handling, supply chain security, and access controls – all of which ISO 27001 addresses systematically. DORA's ICT risk management framework maps closely to ISO 27001's risk assessment and treatment methodology. Pursuing ISO 27001 certification while simultaneously addressing NIS2/DORA requirements is the most efficient path: one governance framework, one documentation structure, multiple compliance outcomes.
Can you support us after initial ISO 27001 certification?
Yes. ISO 27001 certification requires annual surveillance audits and a full recertification every three years. Maintaining the ISMS between audits – updating risk assessments, reviewing and updating policies, conducting internal audits, tracking corrective actions – is a continuous operational task. We offer ongoing ISMS maintenance support as a retainer service, or as part of our external ISB offering. For organisations that want to build internal competence over time, we also offer a transition model where we initially run the ISMS and progressively hand over to an internal team.
Get in touch
ISMS Consulting for Your Organisation
From initial gap analysis to ISO 27001 certification – we guide you through every step with a pragmatic, outcome-focused approach.