Approach
Risk-based, integrated, decision-oriented
Our approach follows a clear four-step model: Understand, Assess, Protect, Sustain. Each phase builds on the previous one and produces concrete, actionable results – not consultant prose, but decision-making foundations.
Understand
Context, Protection Goals & Scope
Before we assess, we understand. Every organization is different – different assets, different threat landscape, different regulatory requirements. In this phase, we lay the foundation for everything that follows.
What we do
- Stakeholder interviews with management, IT, facility management and HR
- Scope definition: Which sites, systems, processes?
- Regulatory mapping: NIS2, ISO 27001, KRITIS, BSI, VdS
- Asset identification and protection needs assessment
- Existing security measures inventory (as-is)
Your deliverables
- Protection needs assessment
- Scope document
- Asset register
- Regulatory requirements matrix
Typical timeframe
1–2 weeks
Assess
Risk, Threat & Vulnerability Analysis
The analytical core phase: We identify threats, uncover vulnerabilities and assess risks systematically. Not based on gut feeling, but methodologically sound and traceable.
What we do
- Threat analysis: 60+ elementary threats (BSI + proprietary)
- Vulnerability analysis: physical, technical, organizational
- Risk assessment: Probability × Impact (5×5 matrix)
- Gap analysis against target standards (ISO 27001, BSI, NIS2)
- On-site inspection with photo documentation and a written findings log
Your deliverables
- Risk report with risk matrix
- Vulnerability catalog with prioritization
- Gap analysis report
- Photo documentation with findings
Typical timeframe
2–4 weeks
Protect
Treatment Planning & Implementation Support
Findings become measures. Every recommendation is prioritized, budgeted and assigned to a responsible party. We don't deliver 200-page reports that end up in drawers – but roadmaps that get implemented.
What we do
- Treatment catalog with risk treatment options (Avoid, Reduce, Transfer, Accept)
- Prioritization by risk reduction, cost and feasibility
- Budget and timeline planning per measure
- Standards mapping: Which measure fulfills which requirement?
- Implementation support as needed (RFP, acceptance, configuration)
Your deliverables
- Prioritized treatment plan
- Protection concept / Site Security Plan
- Budget roadmap
- Statement of Applicability (SoA)
Typical timeframe
2–4 weeks (planning), ongoing (support)
Sustain
Governance, Monitoring & Continuous Improvement
Security is not a project, but a process. In this phase, we establish the structures that ensure measures remain effective, risks are tracked and the organization learns from incidents.
What we do
- KPI definition: Measurable security metrics
- Review cycle: Management reviews, internal audits
- Training and awareness program
- Incident response process and lessons learned
- Regular risk re-assessments and adaptation
Your deliverables
- Governance framework
- KPI dashboard
- Audit and review plan
- Training concept
Typical timeframe
Ongoing, quarterly reviews
Methodological Principles
Risk-based
Don't protect everything equally – invest where the risk is highest. Protection measures follow the risk analysis, not the checklist.
Integrated
Physical, technical and organizational security as one system. An access control system without a visitor policy is worthless – and vice versa.
Decision-oriented
Every deliverable is a basis for a decision: what to do, what it costs, and what happens if nothing is done. No academic treatises.
Iterative
Security improves through cycles: Assess → Implement → Measure → Adapt. Not through one-off projects.
Start a project?
Let's discuss your context – we'll define the right scope together.