NIS2 in plain language

What is NIS2
and does it affect you

NIS2 is an EU directive that sets clear IT-security requirements for specific sectors. At its core, it distinguishes between essential and important entities. Both groups have to put technical and organisational measures in place, report incidents and prove in everyday operations that those measures actually work. In practice that means solid risk management, clear access rights, dependable logs, tested backups and a working plan for security incidents.
For most companies it comes down to capturing the measures you already have, documenting them properly and applying them consistently day to day — the real work is bringing order to processes that have grown over the years and making them binding. Smaller teams can meet the requirements too, pragmatically and one step at a time.

ISO27001 in plain language

What is ISO27001
and do you need it

ISO27001 is the international standard for information security management systems (ISMS). Unlike NIS2 it is voluntary — you take it on because you want to, or because a customer, an insurer or an authority asks for it. Companies certified to ISO27001 go through external audits every year.

In practice that means:
- you define a scope
- assess your risks
- set controls in line with Annex A of the standard
- document all of it
- and live by it

ISO27001 can be tailored to your size — a 30-person company doesn't need the same machinery as a large corporation. If you face formal requirements for documentation and processes, building it out usually makes sense.
If not, we'll tell you that too.

1. What do you mean by a "stack"?

By "stack" we mean every tool your information security management system (ISMS) actually runs on — from documentation through asset and risk management, policies and access control to logging, monitoring and audit-proof record-keeping. Ours is open source through and through: no licence fees, no vendor lock-in, full transparency. You can see what is running in your environment at any time and decide for yourself who operates it. That keeps you flexible, audit-ready and independent in your security strategy for the long run.

2. Isn't open source risky? Who actually runs it?

More than anything, open source buys you independence and long-term investment security. What many people underestimate: with modern AI, even smaller teams can now run these systems reliably. Operation sits with your team or with us — whichever you prefer. You get costs you can budget for, with no licence fees, and you avoid depending on a single vendor.
That's how you bring risk down for good.

3. We already have an IT partner

That works well — we don't set out to replace anyone, we add to what you have. Plenty of customers keep their existing partner for day-to-day operations and bring us in for structure, compliance and security. We put clear security structures in place and make your existing setup audit-ready. You gain security without adding complexity.

4. We're too small for ISO27001

You are not too small. ISO27001 is tailored to your size — it flexes to fit your company. What changes: clearer controls, a leaner process, focused measures and more predictability. If a stakeholder asks for the certificate, building it out pays off. If not, we'll tell you that too.

5. Will the integration disrupt production?

Yes, some disruption is possible. Your departments will take on some work too, for example classifying systems or running tests. We work carefully and responsibly to keep that disruption to a minimum.

6. Why isn't the price on the website?

To gauge the effort realistically, we need a look at your IT landscape — your systems, software and configurations, for example. We only discuss that sort of detail under an NDA, exactly as your own security policies require anyway. :)
We work from a checklist that we go through together in conversation.
The result is a fixed price that keeps its promise.

7. What if we want to leave you later on?

Then we help you do it — free of charge. That is our exit guarantee. You get complete documentation, an orderly handover to the next provider and no transition fee. We build the stack so it keeps running without us — and that is exactly why our customers stay with us for years.

Still have questions?

Then let's
get down to brass tacks

No more loose ends. We work through your questions and tell you straight what fits and what doesn't. With hard graft and Styrian precision, we are done within the hour.