“ISO 27001? It’s just an expensive piece of paper.”

I hear this phrase more often than I’d like during initial consultations. And it highlights the exact problem: Most CEOs are familiar with ISO 27001—but don’t understand what it could really mean for their company. Five myths I hear time and again: First: “That’s an IT project.” No. ISO 27001 is a management system. It starts […]

No commitment, no ISO 27001 certification. It’s that simple.

Not the budget. Not the tools. But leadership. Two companies, similar in size, with the same goal: to implement ISO 27001 and get certified. Company 1️⃣ Goal: “Get certified in 5 months!” Tone: “We just have to do it.” Typical phrases: → “ISO requires it!” → “It has to be this way—because of ISO!” No real management commitment. Constantly shifting priorities. Operational chaos […]

Most CEOs delegate information security. And that is exactly the problem.

In many companies, information security is still treated as an IT issue. As a result, it gets delegated. → To the IT department. → To external service providers. → To “someone who takes care of it.” What gets overlooked in the process: Security is not a technical issue. Security is a business decision. The good news: The independent repair shop […]

Process completed. Problem unresolved.

The wiper blades on my leased vehicle were worn out. The car had been sitting for six months before I took delivery—low mileage, visibility is now limited. Lease includes maintenance & wear and tear; wiper blades are explicitly covered. So I submitted a request to the authorized service center. Response: Cost coverage denied. Reason: First registration was only […]

Flying blind rarely feels good

A few weeks ago, I attended a blind dinner. A full menu – served in complete darkness. Everything was there: food, drinks, cutlery, service. Just not visible. Suddenly, completely new questions arose: How do I drink without knocking the glass over? How do I eat without spilling dinner on my shirt? It was an exciting experience and a very […]

Why information security is not an IT project

“IT takes care of security.” One of the most common and dangerous misconceptions in companies. Information security is not an isolated IT project. It is a company-wide management issue. So who is actually responsible? Information security protects the confidentiality, integrity, and availability of information throughout the business, not just in IT. While IT orchestrates data processing, the responsibility […]

NIS-2 meets GDPR: Is one notification sufficient, or is the next liability trap looming?

Recently at an NIS 2 workshop with a client’s management team. Topic: Reporting requirements for IT security incidents. The central BSI portal for reporting security incidents has recently been launched – which is good and right. But then came the crucial question from C-level: What happens if an IT security incident also affects personal data? Is […]

The wheat and the chaff: The two types of InfoSec advertising promises

In recent weeks, I have heard the same thing repeatedly in conversations with customers: The industry surrounding NIS-2 and ISO 27001 is currently a gold mine, and many are acting accordingly. The general sentiment can be summarized in two extremes: Extreme 1: The certificate pushers. “ISO 27001 and NIS-2 in 3 weeks, free of charge. Everything […]

“I’ll do the rest with ChatGPT.” Why an ISMS is not a copy-paste project

About a year ago, a prospective customer said to me: “You know, Mr. Neeff, everything we need for our ISO 27001 ISMS documentation is now available for free on the internet. And I’ll do the rest with ChatGPT.” I love statements like that because I know exactly how much substance there is behind them. Namely, NONE. […]

Information security does not begin with ISO 27001, but with honesty.

Many believe that the core of effective information security lies in a particularly “good” or “beautiful” implementation of ISO 27001 or NIS-2. But the real success factor is something else: an honest assessment of the current situation. What does this mean in concrete terms? This is precisely where the wheat is separated from the chaff. True […]