Governance, Risk & Compliance

ISMS, BCMS & Incident Readiness

ISO 27001/22301-aligned management systems, business impact analysis, BCM, emergency and crisis plans, exercises, audit readiness and evidence management - operationally resilient, not just audit-ready.

Overview

When it counts, what matters is operationally resilient structures, not just audit preparation. ENISA names business continuity, patching and testing as central implementation problems; ISO 22301 and DORA require resilient, tested continuity structures. We build management systems that hold when it counts - and produce the evidence along the way.

The framework is an ISMS aligned with ISO/IEC 27001: risk-based, with a clear Statement of Applicability, lived policies and an internal audit and improvement cycle. We set it up to serve as a shared basis for further duties - from NIS2 to DORA - rather than as an isolated certificate.

For continuity we add a BCMS per ISO 22301: based on a business impact analysis we determine critical processes, recovery objectives (RTO/RPO) and continuity strategies. This is complemented by emergency and crisis plans with clear roles, escalation and communication paths.

Incident readiness means being prepared before something happens. We design and support exercises - from tabletop to simulation - ensure audit-ready evidence management and feed lessons from real incidents back into the plans. This turns a management system into lived resilience.

We deliver each of these services in three stages: as an assessment (baseline and gap analysis), as program build and implementation (structures, measures, evidence) and as ongoing steering - optionally as an interim mandate, fractional lead, evidence office or exercise and audit office. You decide how much responsibility to outsource and where to build your own capacity.

Standards & norms

  • ISO/IEC 27001
  • ISO 22301
  • Business Impact Analysis (BIA)
  • DORA (resilience testing)

Frequently asked questions

Why ISMS and BCMS together?

Because security and continuity are two sides of the same resilience. An ISMS protects information, a BCMS keeps critical processes running. NIS2 and DORA require both - integrated is more efficient than separate.

What is audit readiness and evidence management?

It means evidence is not scraped together just before the audit but is produced continuously, in a structured and traceable way, as part of normal operations. This saves effort and makes examinations predictable.

Do exercises really help?

Yes. ENISA names missing testing as a central implementation problem. Only exercises - from tabletop to simulation - reveal whether plans actually hold when it counts, and deliver concrete improvement points.