IT GRC consulting

Consulting concerning the IT-related management of governance, risk and compliance management. In many cases, this specifically means that your company has to meet regulatory, legal or contractual requirements, so it needs management tools to demonstrably establish the right measures in the right place.

Do I need IT GRC management?

Probably. Unless money is irrelevant and you simply want to protect anything and everything everywhere (as compared to leaving things unprotected or somewhat protected). But if you want to be risk focused and decide how much security is needed and where, why you invest in one place and not in another and follow that up, then yes.

Every management team is basically generally obliged to manage risk (including managing IT risks) as personal liability, insurability in the event of damage and so on depends on it. Suppliers are held accountable by their clients; regulated companies are usually held accountable anyway.

IT GRC management is thus a competitive advantage and also helps you save money.



SITS Icon Security Operation Center Gruen RGB

Many years of experience

We’ve been offering advice on this topic for more than 20 years and have helped countless companies achieve certification or pass critical infrastructure audits as per Section 8a (1) of the German Act to Strengthen the Security of Federal Information Technology.

A high level of expertise

In addition to our long-standing experience with respect to regulations and frameworks, our vast wealth of know-how in the other specialist areas of data protection and security testing helps us address the really relevant issues for you. We know what the auditors want – and also what’s practically relevant!

Position of an external CISO/Security Representative

n most cases, companies with IT GRC management need an Information Security Officer or Chief Information Security Officer.
In SMEs, this is often not a full-time employee and the controlling tasks could be performed part-time. However, the range of topics is so extensive and the content so complex that this usually doesn’t scale up.
An external CISO/ISR is therefore a good choice. Comparable to a data protection officer, this party can provide all their expertise in a manageable mandate.

Send a request

Leave us your e-mail address and we will gladly get in contact with you

Are you interested in our solution?


Our approach

With regard to IT GRC management, we focus on information management tools and structures and on questions concerning the (potentially tool-supported) modelling of risk management and compliance requirements. We also concentrate on the targeted use of technical and organisational measures to precisely meet identified requirements.

To name but a few examples, our services in this respect include

  • Consulting on efficiently setting up a structured risk and compliance management system
  • Conducting risk analyses, preparing risk catalogues and mapping to ISO/IEC 2700x, COBIT or other checks
  • Establishing information security management systems, e.g. according to ISO/IEC 27001 (also based on the basic protection catalogues).
  • Offering guidance concerning certification or certification as an option
  • Establishing information security management systems for financial service organisations according to ISO/TR 13569:2005
  • Emergency preparedness/business continuity management (BCM) (BS 25999, BSI 100-4)
  • Assisting with meeting IT compliance requirements (e.g. with respect to requirements from PCI DSS, data protection, operational risk or other regulatory, statutory or internal requirements)
  • Preparing or reviewing ‘PPPs’ (policies, processes and procedures)
    Conducting gap analyses


*Mandatory field


Thank you for your interest!

You can download the product sheet by clicking the button below.


*Mandatory field


*Mandatory field