Governance, Risk & Compliance (GRC)

Networking, digitalisation and developments within society have rapidly and permanently changed the risk landscape of companies. Dependency on IT, and with it the volume of regulatory requirements, has increased massively across all company sizes and industries. Controlware helps to overcome challenges in the context of information security strategy, business continuity, risk management and compliance requirements, thus creating the basis for secure, stable and efficient IT.

Pragmatic . Feasible . Effective

The triad of Governance, Risk & Compliance (GRC) refers to the framework within which modern companies operate: internal guidelines (governance), risk-based actions (risk) and the legal or industry-specific requirements that must be complied with (compliance). Investments in information security are risk-based investments. To make such an investment in a targeted manner, a company must first create the framework that allows it to identify and manage its risks in the first place. Information security is also becoming increasingly important in business relationships across all sectors: in order to minimise their own risks, business partners expect information security to be demonstrably taken seriously. Management systems for information security (e.g. according to ISO/IEC 27001) or business continuity (according to BSI Standard 200-4), as well as sector-specific labels such as TISAX, create the basis for this.

If a company can answer the following questions, it shows that it practises and develops information security sustainably and that it considers and weighs decisions holistically:

  • What is the information security policy, and does it take into account the context of the organisation and the interests and requirements of all relevant stakeholders?
  • What information security risks is the company exposed to, what measures have been taken against them and are they effective?
  • Which processes and resources are critical to the organisation and what measures have been taken to make them resilient? Is there a plan in place if an emergency does occur?

As an IT service provider and consulting company, Controlware provides customers with pragmatic and practical support for all GRC-related issues. This starts at the strategic level, with goals and requirements for information security policy and strategy, and extends to the introduction of a management system for information security or business continuity. In addition, our consultants support you in operational issues such as auditing, risk management and any other aspect you may require.

The basis of our cooperation, and of a successful project that satisfies both sides, is personal contact, a thorough analysis of the requirements and challenges, and custom-fit, practical and pragmatic process models that are geared to the needs and maturity level of our customers and create sustainable results.


We offer customised consulting services in the following areas:

Raising awareness of the importance of information security among key decision-makers

Networking and digitalisation have changed the risk landscape of companies more profoundly and faster than our human risk awareness has been able to adapt. As a result, companies spend a significant amount of time and effort managing elementary and classic corporate risks to their business operations, while IT-related risks that threaten the very existence of some companies remain unrecognised, unassessed and untreated. Information security is undoubtedly a cost centre: it consumes funds and resources to implement and maintain preventive and reactive measures "just in case". Often, awareness of the need to deal with information security in a structured manner only arises after a devastating incident.

The awareness seminar for management, IT managers, decision-makers and other stakeholders creates a basic understanding of information security, its goals and possible strategies. In addition, it shows the corporate significance of security spending (return on security investment, ROSI) and the benefits of a regulated approach to information security in the form of an information security management system (ISMS).

Quick check and maturity analysis

With the help of a maturity analysis, we conduct a systematic review and assessment of your current situation with regard to

  • defined information security goals
  • relevant standards (such as ISO/IEC 27001, TISAX, BSI IT-Grundschutz or critical infrastructure (KRITIS) regulation)
  • internal guidelines
  • or the effectiveness of measures taken by

This provides you with valuable and detailed insight into your company's information security and gives you transparency about opportunities, potentials, risks, (implementation) gaps and blind spots. From these findings, required actions and work streams can be derived. Clients who have opted for a maturity analysis can better assess their own, individual requirements for the information security of their organisation, rethink interrelationships and modes of action where necessary, and take targeted steps that sustainably advance the organisation's information security level and its degree of compliance with the requirements.

Business Continuity Management (BCM)

Companies are currently confronted with ever-increasing challenges to the performance of their business processes. The constantly and massively growing threat of cyber attacks on IT infrastructures, as well as losses due to theft, industrial espionage or sabotage, are not the only special tasks companies face. Increasingly frequent threats such as pandemics, natural disasters and the resulting bottlenecks in supply chains can also affect companies to such an extent that business operations cannot be maintained properly and company processes are impaired or even fail completely.

One in five companies has already been on the verge of insolvency after a cyber attack. Far too often, there is a lack of appropriate awareness and sensitisation and, as a result, a lack of the necessary preventive measures, especially with regard to organisational security.

Support is provided by an established business continuity management (BCM), with the help of which critical business processes are identified and requirements for maintaining these business processes are defined and implemented.

By forming crisis teams and creating business continuity plans, contingency plans, emergency concepts and recovery plans, companies are put in a position to be prepared in the best possible way for critical events, from emergencies through to disasters.

We are happy to support you in setting up a business continuity management system in accordance with ISO 22301 or BSI Standard 200-4.

Of course, we are also at your side if you need help setting up your BCM in the context of the scope of your ISMS according to ISO/IEC 27001.


Information Security Management - ISO/IEC 27001

Create transparency about your business and information security risks and show your customers and partners that you take information security seriously!

Information security management according to ISO/IEC 27001 offers a holistic, risk-oriented approach to protecting sensitive information, minimising risks and taking regulatory, legal and contractual requirements into account. You record your assets (including processes, services and IT infrastructure), identify threats and investigate possible vulnerabilities in your organisation and IT in order to derive the resulting risks for your company and its IT. You take measures to mitigate business-critical risks and measure their effectiveness and efficiency. By continuously monitoring your environment, you identify new threats and potential risks and improve your information security through targeted measures. Furthermore, a certification strengthens your reputation: you demonstrate your sensitivity to the topic to your partners and gain further competitive advantages.

We advise you every step of the way: from the initial consultation on benefit, cost and effort transparency, through each individual step in the implementation, to a possible certification.

Does this sound exciting to you? Contact us!

Information security management - BSI IT-Grundschutz

Would you like to achieve a structured security level suitable for your institution or company and implement a proven ISMS for this purpose?

The IT-Grundschutz approach provides you with a recognised framework for identifying, assessing and securing your information. It offers a proven methodology, a wide range of assistance and concrete recommendations for action. In addition, a staged procedure is available: "basic protection" (Basis-Absicherung) for a basic level of protection across your organisation, "core protection" (Kern-Absicherung) for the rapid protection of your particularly sensitive information, and "standard protection" (Standard-Absicherung) for comprehensive protection.

Build trust with customers and business partners through an ISO 27001 certification on the basis of IT-Grundschutz. Demonstrate a sustainable, sensitive and verifiable approach to information security to regulatory authorities.

We will be happy to advise you - contact us!


Information security in the automotive industry - TISAX

Win and retain the trust of your customers in the automotive environment with a TISAX label for information security!

We advise and support you in the TISAX environment in complying with the industry-specific information security requirements. By protecting your own sensitive information as well as the sensitive information entrusted to you (including prototypes and personal data), we work with you to create a competitive advantage in the automotive environment.

Using a self-assessment (assessment level 1, AL1), we determine the degree to which the TISAX requirements have been implemented. This gives you a statement about your current TISAX maturity level with regard to your ISMS. We then support you with a pragmatic and sustainable implementation. Of course, we also coach and accompany you through the TISAX assessment audit, thus creating optimal conditions for obtaining or renewing the TISAX label.

Strengthen your partnerships through proven conformity, minimise risks and increase your competitiveness. Invest in TISAX to optimise your information security and build long-term trust in your market segment. Contact us!


Do you have any questions? The Consulting Team is at your disposal.


Daniel Kammerbauer
Team Lead GRC
