A-R-C Andreas Rühl Consulting

Pragmatic information security consulting. Compliant by outcome.

ISMS, ISO 27001, BSI IT-Grundschutz, KRITIS/NIS2, TISAX, IT risk management and security governance for organizations with security, compliance and audit requirements.
Remote on a B2B project basis – direct, as partner/subcontractor model, white-label support or extended workbench.

StandardsISO 27001 · BSI IT-Grundschutz · TISAX
RegulationKRITIS · NIS2 · BaFin/MaRisk
RolesInterim CISO · external CISO · Lead Consultant
ControlStrategy · Governance · Innovation · AI
Information Security Consulting

Consulting focus areas

Information security becomes effective when it is treated as a management and control task: clarify objectives, assess risks, assign responsibilities, track actions and learn from feedback. A-R-C combines ISMS/GRC practice with strategic security governance.

01

ISMS / ISO 27001 / TISAX Readiness

Build and improve an ISMS that does not merely create documents, but makes decisions, evidence and actions manageable.

  • Gap analyses and realistic roadmaps
  • Policies, evidence and action plans
  • Audit and assessment preparation

Outcome: an auditable system instead of a loose document collection.

02

BSI IT-Grundschutz & KRITIS/NIS2

Regulatory requirements are translated into an implementable governance model with clear roles, protection needs, reporting paths and evidence logic.

  • Protection-needs and criticality logic
  • Translate regulatory requirements
  • Structure defensible implementation

Outcome: less ad-hoc activity, more reliable control.

03

IT Risk Management & Criticality

Risks must become explainable, prioritizable and decidable — not only as a spreadsheet, but as a basis for management decisions.

  • Risk analyses and risk inventories
  • Workshops with IT and business units
  • Management recommendations and reporting

Outcome: risks, exceptions and actions are managed in a traceable way.

04

Security Governance / vCISO

Security governance connects strategy, implementation, management, IT, business units and audit.

  • Roles, responsibilities and governance
  • Interface between management, IT and audit
  • Interim CISO / external CISO

Outcome: information security gets leadership, priorities and cadence.

05

Audit Readiness & Remediation

Audit readiness is not created in the final sprint. It comes from reliable evidence, clear ownership and continuous follow-up.

  • Action plans after audits
  • Build evidence capability
  • Avoid paper compliance

Outcome: audits become more predictable and less dependent on individual heroics.

06

Incident & Crisis Governance

In critical situations, technology is not enough. Decision paths, communication, priorities and the return to stable governance matter.

  • Create structure under pressure
  • Decision and communication lines
  • Recovery and lessons-learned transfer

Outcome: incidents lead to organizational learning, not only restoration.

07

Innovation & specialized AI solutions

Where standard tools are not sufficient, specialized AI solutions for security, compliance and audit processes can be designed and implemented.

  • clarify requirements, boundaries and acceptance criteria
  • embed AI use responsibly into processes
  • consider confidentiality, traceability and governance

Outcome: innovation that does not stop at demos, but becomes usable under compliance conditions.

Strategy

From action plan to control model

The starting point is not the next policy, but how risks, objectives, responsibilities and decisions are managed over time.

Cybernetics

Feedback loops instead of one-off projects

Following systems thinking and effective management inspired by Malik: information security needs feedback, prioritization and adaptability — not only gap lists.

Innovation

Making AI usable responsibly

AI is relevant where it accelerates expert work. In regulated environments it must be bounded, explainable and embedded in clear accountability.

Core topics in detail

Find the right starting point quickly

The most important topics are prepared as dedicated pages so decision makers, partners and project teams can quickly see where A-R-C can help.

Short profile

What A-R-C stands for

A concise positioning summary for decision makers, partners and project teams.

  • A-R-C Andreas Rühl Consulting specializes in interim CISO work, ISMS/GRC, security governance and audit readiness.
  • Focus areas include ISO 27001, BSI IT-Grundschutz, KRITIS/NIS2, TISAX, IT risk management and evidence capability.
  • The approach is strategic, systemic and pragmatic: information security is treated as a controllable system of objectives, risks, decisions and feedback.
  • For innovation initiatives, specialized AI solutions for security, compliance and audit processes can be designed — with focus on confidentiality, traceability and governance.
  • Engagements can be delivered remotely on a B2B project basis — direct, partner, subcontractor, white-label or extended workbench.
Insights & Articles

Source-based analysis of security governance and regulation

The bilingual Insights hub provides practical analysis for executives, security leaders, software providers and partners. The articles distinguish statutory duties, standards, contracts and professional recommendations and cite the primary sources used.

01

ISO 27001 & CISO duties

When standards become binding through law or contract and which responsibilities remain with executive management.

Sources include the BSIG, NIS2, GDPR and German company law.

02

GoBD, source code & retention

What German fiscal and commercial rules actually require for program versions, documentation, source code and build tools.

The article tests common ten-year retention claims against primary sources.

03

DORA, providers & contracts

Financial-entity accountability, ICT third-party requirements and the distinction between defect remediation and a change request.

All five English articles and their German counterparts are available in the Insights hub.

ISMS Governance product family

Four editable DE/EN working packages and a free entry point

Move from scope through evidence and management decisions to an integrated 90-day working route. Every paid package is delivered through the secure B2B checkout.

ISMS Scope & Governance Starter Kit

Bring service, legal entity, scope, roles and governance decision into one controlled route.

EUR 199 · B2B

ISMS Governance Self-Assessment & Evidence Pack

64 questions, evidence, findings, requests and a 30/60/90 roadmap.

EUR 199 · B2B

ISMS Management Review & Decision Pack

Pre-read, decision cases, decisions, actions and follow-up.

EUR 249 · B2B

ISMS Governance Essentials Bundle

Starter, Self-Assessment and Management Pack in one connected working route.

EUR 549 · B2B

Fixed-price modules & PDF downloads

Defined information security consulting modules

For clearly scoped questions, A-R-C offers remotely deliverable consulting modules with defined scope, concrete outcome and fixed price after a short scope clarification. The onepagers are available as direct PDF downloads and can be forwarded internally.

IT Security / InfoSec Quick Check

A compact status overview of information security.

  • Current-state assessment, prioritization and next steps
  • clear view of maturity, gaps and action needs
  • suitable as a pragmatic entry point without pre-audit positioning

Outcome: Management-ready assessment with key gaps, quick wins, risks and prioritized next steps.

From EUR 4,900 net — final fixed price after scope clarification.

Audit Readiness Snapshot

An honest assessment before an audit, customer audit or internal review.

  • ISO 27001 audit, TISAX assessment or BSI-related review
  • customer audit or supplier requirement
  • audit readiness, evidence gaps and immediate actions

Outcome: Audit-readiness matrix, critical evidence gaps, traffic-light assessment and concrete immediate actions.

From EUR 4,900 net — final fixed price after scope clarification.

Protection Needs & Criticality Workshop

Reliable classification instead of gut feeling.

  • assess protection needs, criticality and dependencies
  • bring business units, IT and security onto one basis
  • connectable to risk analysis, ISMS work or action planning

Outcome: Protection-needs/criticality matrix, documented assumptions, open points and next steps.

From EUR 5,900 net — final fixed price after scope clarification.

BSI / ISO Document Review

Turn documents into clear action items.

  • expert review of existing ISMS/security documents
  • check consistency, traceability and audit readiness
  • gap list and prioritized action derivation

Outcome: Review report with gap list, prioritized improvement proposals and concrete action logic.

From EUR 3,900 net. Additional scope e.g. EUR 90–150 net per additional page.

Security Governance Management Briefing

Bring security to decision level.

  • prepare risks, options and next steps for management
  • orientation for management, IT leadership, CISO/ISB
  • translate audit, customer or regulatory pressure into decisions

Outcome: Management briefing deck, decision needs, prioritized next steps and optional 30/60/90-day roadmap.

From EUR 3,900 net — final fixed price after scope clarification.

Pricing logic: All modules are offered at a fixed price after clear scope clarification. The starting prices are for orientation; the final fixed price depends in particular on document volume, number and type of workshops, urgency, desired outcome format and required management preparation.

Note: The PDF onepagers are deliberately freely available. They are intended as concise decision and forwarding material for management, IT leadership, ISMS owners, partners and procurement.

Not sure which module fits?

In a short initial conversation we clarify scope, target picture and the most sensible starting point — without artificial funnel barriers.

Request initial call
B2B · Remote · Partner-ready

Engagement models

Not every initiative fits the same procurement model. A-R-C can be engaged directly, as a partner, or as a scalable delivery structure.

01

Direct mandate

External senior consulting for companies with specific ISMS, risk, governance or audit needs.

02

Partner model

Engagement through consultancies, system integrators, MSPs/MSSPs or framework-contract partners.

03

White-label / extended workbench

Senior capacity for ISMS, GRC, review, documentation and audit-readiness work packages.

04

Scalable delivery

For larger initiatives, additional specialist or technical delivery capacity can be integrated through partner structures.

Track Record

Experience that remains practical

Regulated and critical environments are a strong proof point – the approach is equally relevant for mid-sized companies, software firms, service providers and audit-driven organizations.

Since 1997IT and information security
1,400+ PDISO/BSI/ISMS/GRC contexts since 2018
KRITIS · Finance · Publicplus pharma, software, logistics, automotive and industry
Direct · Partner · White-labelFlexible B2B engagement models

KRITIS & Public Sector

Nuclear Energy (2018)

ISMS setup via BSI IT-Grundschutz

Supporting ISMS implementation in a high-security environment.

Public Utilities (2023)

Cyber Security Incident Response

Operational handling of a cyber attack, forensics and recovery.

Municipal Administration (2022)

Municipal ISMS & BSI Grundschutz

Implementation of a municipal ISMS and closing security gaps.

Finance & Insurance

Insurance (2020–2021)

Security Operations Center (SOC)

Consulting and project management for an internal SOC.

Insurance (2020)

BaFin requirements & cyber incident response

Incident management and alignment with security requirements.

Insurance (2023)

KRITIS & ISO 27001

Revision of internal policies in a critical-infrastructure context.

Industry & Technology

Software Development (2023–2025)

ISO 27001 & BSI strategy

Extensive consulting on integrating security standards.

Pharma (2018–2022)

ISMS according to ISO 27001

Long-term support in building and operating the ISMS.

Automotive (2018–2019)

TISAX consulting

Preparation for TISAX assessments and IT security optimization.

Strategic approach

Information security as an effective control system.

The approach combines pragmatic implementation with strategic leadership: clear objectives, reliable information, traceable decisions and regular feedback. This turns compliance from a paper exercise into a manageable system.

Pragmatic

Solutions must fit the organization, maturity and implementation reality – not only the standard.

Systemic

Drawing on Malik and cybernetic thinking, objectives, roles, indicators, feedback and decisions are treated as a connected management system.

Management-ready

Risks, actions, exceptions and priorities are structured so management and business units can act.

Innovation-ready

Specialized AI and automation solutions are used or developed where they accelerate expert work — without weakening accountability, confidentiality or auditability.

FAQ

Typical questions

What services does A-R-C provide?

A-R-C supports interim CISO mandates, ISMS/GRC consulting, ISO 27001, BSI IT-Grundschutz, NIS2/KRITIS, TISAX, IT risk management, security governance, audit readiness and selected AI/innovation initiatives.

Who is the consulting suitable for?

The consulting is aimed at organizations with security, compliance and audit requirements as well as consultancies, system integrators, MSPs/MSSPs and service providers that need senior ISMS/GRC capacity.

Do you only work in regulated environments?

No. Regulated and critical environments are an important proof point. The consulting is also suitable for mid-sized companies, software firms, service providers, system integrators and organizations facing audit, customer or compliance pressure.

Can engagements be delivered fully remotely?

Yes. Many consulting, workshop, review and governance work packages can be delivered fully remotely. What matters is a clear scope, suitable stakeholders and access to relevant information.

Do you work as a partner or subcontractor?

Yes. In addition to direct mandates, partner/subcontractor models, white-label support and extended-workbench setups are possible.

What makes the approach different from pure documentation?

The focus is on making information security manageable, auditable and fit for management decisions. Documents matter, but risks, responsibilities, evidence, actions and decisions are decisive.

Can larger work packages be handled?

Yes. For larger scopes, additional specialist or technical delivery capacity can be integrated through partner and subcontractor structures.

Does A-R-C support AI or innovation initiatives?

Yes. Where standard tools are not sufficient, specialized AI solutions for security, compliance and audit processes can be designed and implemented. What matters are clear boundaries, confidentiality, traceability and responsible use.

Contact

Discuss a project, partner request or expert assessment

If you need support with ISMS, ISO 27001, BSI IT-Grundschutz, KRITIS/NIS2, TISAX, IT risk management or security governance, we can clarify scope, constraints and suitable engagement models.

RemoteB2BDirect mandateWhite-label
A-R-C Andreas Rühl Consulting
Belziger Str. 69-71, 10823 Berlin
E-Mail: info@a-r-c.me
Mobile: +49 15679703280
LinkedIn Profile
Send request by e-mail