Module 16 of 16

ISO 27001 without Excel hell and 50,000-euro consultancy fees

Maintain your risk inventory, Statement of Applicability and TOMs in a structured way in one module. Immutable audit trail with hash chaining, incident response with NIS2 deadline tracker, maturity of the mandatory measures per area. GDPR-compliant, multi-tenant isolation on Postgres with Row-Level Security, EU-hosted at Hetzner Nuremberg. 49 euros per user per month all-in, no module bingo.

What ISMS does

Risk inventory with rating matrix
Maintain all information risks in a structured way with damage amount, probability of occurrence and risk score. The rating matrix is configurable per tenant, e.g. three by three or five by five, qualitative or quantitative in euro amounts with expected damage per year. Risks are assigned to assets, processes or persons; the links are visible and traceable, e.g. when an asset failure hits multiple processes and cascades. Each risk has a treatment plan with measures, owner and due date, and notifications on overrun escalate automatically. The residual risk is calculated automatically after a measure is implemented, and the acceptance workflow by management is documented with an electronic signature under eIDAS. The dashboard shows a heatmap with drill-down from risk category to single entry and filters by asset type, process, owner or residual risk category. Trends over time support management reviews with quarterly comparison and benchmarking against the industry. The four-eyes principle on risk acceptance can optionally be activated and is mandatory for risks above certain damage thresholds.
Statement of Applicability with all 93 Annex A controls
All 93 controls from ISO 27001 Annex A (2022) are prepared; you mark each control 'applicable' or 'not applicable' with reasoning and a reference to the risk inventory. Implementation status (planned, in progress, implemented, in review, documented), owner and reference to measures are maintained centrally and linked to evidence. At the press of a button you generate the SOA document for your ISO auditor, audit-ready without Excel export or manual consolidation. Changes are versioned; you see the history per control including reasoning and approver with time stamp. The ISO 27002 implementation guide is linked directly, so you see the recommended implementation next to your own. At the annual SOA review, outdated reasoning is marked and you only need to maintain the changes, not the whole list, which saves several person-days per review cycle. Mapping to BSI IT-Grundschutz, NIST CSF and CIS Controls is available automatically, so dual maintenance is gone. Export as Word, PDF or structured XML for GRC tools, with electronic signature under eIDAS.
TOMs under Article 32 GDPR documented
Technical and organisational measures are documented and structured by confidentiality, integrity, availability and resilience, supplemented by recoverability and regular review. Encryption, pseudonymisation, access control, backup concept and recovery procedures are maintained with reference to the respective process and linked to evidence. At the press of a button you export the TOM document for your clients, e.g. as an attachment to the data processing agreement with or without contract reference; multilingualism is configurable per recipient. This also works for your own DPAs with sub-processors, with German and English kept in sync automatically. Mapping to ISO 27001 Annex A controls is automatic, so dual maintenance is completely gone. The record of processing activities under Article 30 GDPR lives in the same module on a unified data basis, with no Excel dual maintenance and no inconsistencies between TOMs and record. Data protection impact assessments (DPIA) under Article 35 GDPR are created in the same workflow, with templates per DSK standard and a consultation-obligation trigger above critical risk thresholds.
Audit trail unchangeable
Every change to risks, controls, measures, incidents or documents is stored immutably with time stamp, user and diff. The audit report is available at the press of a button, filtered by period, actor, object type or module. ISO 27001 auditors and ISMS auditors get complete traceability without digging through log files or database dumps. The storage period is configurable, with a default of ten years; longer retention for regulated industries is possible, e.g. 30 years for insurers or energy suppliers. Cryptographic hash chaining protects against subsequent manipulation, and the auditor can verify the hash chain with standard tools. Export as PDF with electronic signature (eIDAS-compliant) or as CSV for DATEV-style audit tools. The audit trail is immutable even for admins, so there is no insider risk through privilege escalation.
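To make the hash-chaining claim above concrete, here is an added example (not the product's own code) of an append-only audit trail in which each record's SHA-256 hash covers the previous record's hash, together with the verification an auditor would run. The record fields, the all-zero genesis anchor and the sample events are constructed for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first record (constructed convention)

def record_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(trail: list, record: dict) -> dict:
    """Append a record; its hash covers seq, prev_hash and the record's own fields."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = dict(record, seq=len(trail) + 1, prev_hash=prev)
    entry["hash"] = record_hash(prev, entry)
    trail.append(entry)
    return entry

def verify(trail: list):
    """Recompute the chain; None if intact, else the position of the first bad record.
    Tail truncation is invisible here: anchor the head hash externally (e.g. in the
    signed export) to detect it."""
    prev = GENESIS
    for pos, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != pos or entry["prev_hash"] != prev or record_hash(prev, body) != entry["hash"]:
            return pos
        prev = entry["hash"]
    return None

def build_sample_trail() -> list:
    """Constructed sample events of the kind the audit trail stores."""
    trail = []
    append(trail, {"ts": "2024-05-02T09:14Z", "user": "ciso", "object": "risk/R-017", "diff": {"score": [12, 8]}})
    append(trail, {"ts": "2024-05-02T10:02Z", "user": "owner", "object": "control/A.8.24", "diff": {"status": ["planned", "implemented"]}})
    append(trail, {"ts": "2024-05-03T08:30Z", "user": "mgmt", "object": "risk/R-017", "diff": {"accepted": [False, True]}})
    return trail

def tamper_demo() -> dict:
    """What verify() reports for an intact, edited, deleted and re-hashed trail."""
    def clone(t):
        return json.loads(json.dumps(t))  # deep copy via JSON round-trip
    trail = build_sample_trail()
    edited = clone(trail)
    edited[1]["diff"]["status"] = ["planned", "planned"]  # silent edit, stored hash now stale
    deleted = clone(trail)
    del deleted[1]  # record removed from the middle; seq and prev_hash no longer line up
    rehashed = clone(trail)
    rehashed[1]["user"] = "admin"  # edit and recompute this record's hash ...
    rehashed[1]["hash"] = record_hash(rehashed[1]["prev_hash"], {k: v for k, v in rehashed[1].items() if k != "hash"})
    return {"intact": verify(trail), "edited": verify(edited),  # ... the next record still points at the old hash
            "deleted": verify(deleted), "rehashed": verify(rehashed)}
```

Note that a re-hashed edit to the most recent record cannot be caught by the chain alone, which is why the head hash belongs in the signed export or another store the database admin cannot rewrite.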
Incident response with escalation paths
Capture security incidents with category, severity and affected parties; escalation paths are triggered automatically depending on the severity and type of the incident. Level three triggers notification of the CISO, level four of management, and critical incidents trigger NIS2 reporting with a deadline tracker for the 24-hour early warning, the 72-hour update and the 30-day final report. Measures are maintained in the incident ticket, recovery times are measured, and lessons learned are captured in a structured way and linked to the risk inventory for future prevention. For NIS2-reportable incidents the early warning report with its mandatory fields is pre-filled automatically; you only add details. The AI helper suggests immediate measures based on the incident category and proposes links to comparable incidents. Crisis communication templates for customers, authorities and press are pre-installed and customisable per tenant.
NIS2 maturity and mandatory measures tracker
The ten mandatory measures from NIS2 Article 21 are tracked in a structured way with a maturity rating per area on a five-stage scale. You see immediately where the gaps are and which measures have priority, and a roadmap to NIS2 compliance can be derived with an effort estimate in person-days. Management liability under Article 20 is documented, board training is stored audit-proof, and quarterly reviews are scheduled automatically with reminders. If you qualify as an important or essential entity, the tracker adjusts automatically to the respective requirements, e.g. stricter reporting obligations or an extended audit duty. Supply chain risk management under Article 21 paragraph 2d is integrated: sub-processors are maintained in the DPA module, with a risk rating per supplier and escalation for critical findings. An applicability check runs at onboarding of a new client, and indirect applicability via supplier status is recognised.

Who uses this module

CEO
You want ISO 27001 without five-figure consultancy fees and without Excel collections that no one maintains after three months and that are out of date by the first audit. In the ISMS module dashboard you see the implementation status per control, the risk heatmap and open measures with deadlines, with drill-down from top level to single entry. The AI helper answers 'Which Annex A controls are not yet implemented and which have the highest risk reduction?' in the chat, with an effort estimate. The Statement of Applicability is available at the press of a button, as are TOMs for DPA addenda with multilingualism. NIS2 maturity shows you whether you meet the mandatory measures as an important or essential entity; gaps are prioritised with an effort estimate. Board reports for quarterly management reviews are pre-filled; you only add strategic comments and decide on the measure budget.
Team lead
As CISO or information security officer you maintain risks, measures and incidents centrally instead of in ten distributed Excel sheets. For a security incident you start incident response with one click; escalation paths run automatically to management and, where a NIS2 obligation applies, to the BSI. The 24-hour early warning report is prepared with all mandatory fields, and the 72-hour update and 30-day final report follow in the same workflow with a deadline tracker. The audit trail documents every step with time stamp and hash chaining. In the internal audit you show auditors the SOA and the TOMs at the press of a button, without Excel export. For external audits by TÜV or DEKRA you export audit packages with steps, owners and evidence; the auditor works directly with the PDF package and verifies the hash chaining themselves.
Employee
You're the measure owner for 'encryption of mobile devices' as part of your company's ISO 27001 implementation. In the ISMS module you see the open task with due date and reference to the ISO 27001 Annex A control, upload evidence (e.g. the MDM configuration as PDF or a screenshot of enforced disk encryption) and mark the measure as implemented. The AI helper suggests which further controls or processes are linked to this measure, e.g. Annex A 8.24 Cryptography and Annex A 8.1 User Endpoint Devices, and you link them in two clicks. Your supervisor approves the closure electronically, and the audit trail documents everything immutably including time stamp and hash. For recurring measures (e.g. annual pen tests) the task is renewed automatically and deadline reminders run without your intervention.

Connects with

Microsoft 365, Google Workspace, Jira, Confluence, Slack

Ready for DARION-AI ISMS?

49 € net/user/month — all modules included
