Information Security Consulting
Consulting focus areas
Information security becomes effective when it is treated as a management and control task: clarify objectives, assess risks, assign responsibilities, track actions and learn from feedback. A-R-C combines ISMS/GRC practice with strategic security governance.
01
ISMS / ISO 27001 / TISAX Readiness
Build and improve an ISMS that does not merely create documents, but makes decisions, evidence and actions manageable.
- Gap analyses and realistic roadmaps
- Policies, evidence and action plans
- Audit and assessment preparation
Outcome: an auditable system instead of a loose document collection.
02
BSI IT-Grundschutz & KRITIS/NIS2
Regulatory requirements are translated into an implementable governance model with clear roles, protection needs, reporting paths and evidence logic.
- Protection-needs and criticality logic
- Translate regulatory requirements
- Structure defensible implementation
Outcome: less ad-hoc activity, more reliable control.
03
IT Risk Management & Criticality
Risks must become explainable, prioritizable and decidable — not only as a spreadsheet, but as a basis for management decisions.
- Risk analyses and risk inventories
- Workshops with IT and business units
- Management recommendations and reporting
Outcome: risks, exceptions and actions are managed in a traceable way.
04
Security Governance / vCISO
Security governance connects strategy, implementation, management, IT, business units and audit.
- Roles, responsibilities and governance
- Interface between management, IT and audit
- Interim CISO / external CISO
Outcome: information security gets leadership, priorities and cadence.
05
Audit Readiness & Remediation
Audit readiness is not created in the final sprint. It comes from reliable evidence, clear ownership and continuous follow-up.
- Action plans after audits
- Build evidence capability
- Avoid paper compliance
Outcome: audits become more predictable and less dependent on individual heroics.
06
Incident & Crisis Governance
In critical situations, technology is not enough. Decision paths, communication, priorities and the return to stable governance matter.
- Create structure under pressure
- Decision and communication lines
- Recovery and lessons-learned transfer
Outcome: incidents lead to organizational learning, not only restoration.
07
Innovation & specialized AI solutions
Where standard tools are not sufficient, specialized AI solutions for security, compliance and audit processes can be designed and implemented.
- clarify requirements, boundaries and acceptance criteria
- embed AI use responsibly into processes
- consider confidentiality, traceability and governance
Outcome: innovation that does not stop at demos, but becomes usable under compliance conditions.
StrategyFrom action plan to control model
The starting point is not the next policy, but how risks, objectives, responsibilities and decisions are managed over time.
CyberneticsFeedback loops instead of one-off projects
Following systems thinking and effective management inspired by Malik: information security needs feedback, prioritization and adaptability — not only gap lists.
InnovationMaking AI usable responsibly
AI is relevant where it accelerates expert work. In regulated environments it must be bounded, explainable and embedded in clear accountability.