In a time of multiple crises and ever more complex legal requirements, we are a reliable partner to public institutions and enterprises, providing all-round security consulting. With our many years of experience with public authorities and the regulated economy, we develop individual solutions that are tailor-made to match the challenges you face.
In a regulatory environment of complex security requirements, we create clarity – from strategic planning to operational execution. In doing so, our focus is on strengthening the resilience of your organisation and supporting you with protecting sensitive data and information.
The greatest challenges in security consulting
Organisations face particular challenges that we can solve together day by day – from complex regulations all the way to crisis management.
Our tailor-made approach will help you to successfully master these challenges.
A summary of our security consulting services
We will give you all-round support with information security – in compliance with national BSI standards and the international ISO 27000 series.
Our experienced team will be at your side for all your issues with personal and material protection of classified information, including consulting on IT for classified information under the Classified Information Guidelines (VSA), Classified Information Handbook (GHB) and Federal Office for Information Security (BSI) guidelines.
Furthermore, we’ll give you support with preventive and reactive contingency and crisis management. Our portfolio also includes forensic investigations to resolve security incidents.
Every organisation has its own specific requirements on its security measures. Our experienced experts develop tailor-made security strategies that are aligned with both national and international standards.
We will analyse your existing processes, identify vulnerabilities and create robust strategies to safeguard your organisation against current and future risks.
Complying with regulatory requirements in the field of information security, such as ISO 27001, BSI Grundschutz (baseline protection), DORA, CRA or NIS-2, or in the protection of classified information, such as those of the Classified Information Guidelines (VSA) and the Classified Information Handbook (GHB), poses particular challenges for many organisations, especially when different, competing requirements have to be implemented.
We’ll make sure your security measures fulfil all the statutory and sector-specific requirements. We will accompany you all the way from determining protection requirements to planning to successful execution at your company or institution.
Our experts will support you in defining and implementing measures for personal and material protection of classified information. We will ensure that your organisation is able to comply with the regulations of the Classified Information Guidelines (VSA), Classified Information Handbook (GHB) and the Federal Office for Information Security (BSI) guidelines. We will support you all the way from planning the strategy to optimising processes to technically implementing the requirements.
Whether it’s ISO 27001 based on IT-Grundschutz, approval of systems for IT for classified information under Section 50 of the Classified Information Guidelines (VSA), self-accreditation under Appendix 4 of the Classified Information Handbook (GHB) brochure “VS-NfD Merkblatt” (in German) or other sector-specific approval, certification and accreditation projects – we will support you through the process and be at your side as your competent partner. Our team will help you plan and implement the necessary security measures efficiently. Our expertise and experience will prepare your organisation optimally for audits and reviews.
A risk-based and efficient information security management system (ISMS) protects your information and creates confidence among your business partners and customers. Together, we’ll develop the right solution under national or international standards such as the ISO 27000 series or BSI IT-Grundschutz. Our focus is optimising your processes while at the same time minimising risk.
An incident can quickly turn into an emergency that develops into a crisis. Together, we will work out the right strategy to strengthen your resilience with customised contingency and crisis management, including pursuant to economic protection or international standards. An integral component of this is the organisation’s ability to maintain critical business processes during and after an incident and rapidly recover them. To do this, we use established business continuity management (BCM) procedures.
By using new technologies, we are able to protect infrastructure and assets very efficiently. We will support you with the right strategy, selection and implementation. Our expertise extends from using known tools from video and access technology all the way to using sensors and AI. Our support is always risk-based and optimised for costs.
In the event of security incidents or fraud, we’ll carry out forensic investigations to identify the causes and those responsible. With the most modern technology and in-depth expertise, we analyse incidents, secure evidence and deliver comprehensive results that help you close the gaps in your security. Additionally, we will support you with preventing security incidents.
With Grant Thornton you profit from:
All-round security competence | Experience in the public sector | Tailor-made solutions | Practical implementation | Holistic support |
---|---|---|---|---|
Expert knowledge on security consulting, protection of classified information and information security – for secure and compliant solutions | Many years of experience in dealing with the authorities and public institutions ensure that advice is in-depth and practical. | Individual strategies, designed to perfectly fit your organisation and goals. | We develop plans that work not only on paper but also in practice. | From analysis to execution: we’ll support you in every phase of your security strategy. |
Frequently asked questions on security consulting
The requirements on information security are based on the confidentiality, integrity and availability of information (the CIA triad). Organisations must:
- draft and implement security guidelines
- implement technical measures like firewalls, encryption and access controls
- establish organisational processes, e.g. staff training and contingency plans
- analyse risks and take appropriate protective measures
- comply with national and international standards such as BSI IT-Grundschutz or ISO 27001.
- Protection of sensitive information: confidentiality, integrity and availability are ensured
- Compliance: statutory and regulatory requirements (e.g. ISO 27001, BSI IT-Grundschutz) are fulfilled
- Risk minimisation: security risks are identified and reduced
- Trust: a high security standard is demonstrated to customers and partners
- Increasing efficiency: structured processes ensure responsibilities are clear and security measures optimised.
- Current status analysis: evaluate the assets to be protected and existing security measures and identify vulnerabilities.
- Definition of scope: define which areas or processes are covered by the ISMS.
- Risk management: conduct a risk analysis and define measures to manage risks
- Documentation: draft guidelines, processes and work instructions
- Implementation: introduce and implement the defined measures within the organisation
- Awareness and training: train staff and make them aware
- Internal audits: review the effectiveness of the ISMS regularly
- Continual improvement: constantly improve using the Plan-Do-Check-Act (PDCA) cycle
- Certification: preparation and performance of an audit by an accredited certification body.
BSI IT-Grundschutz consists of:
- IT-Grundschutz Compendium: catalogues of recommended measures for various security requirements
- Multitier structure: protection measures based on determination of protection requirements
- BSI Standards: guidelines for implementing an information security management system (ISMS)
- Overview of threats: identifying and assessing security risks
- Risk analysis: the risk assessment and treatment process
- Certification methods: evidence of compliance from audits
BSI IT-Grundschutz is obligatory for:
- Federal government bodies and public administration organisations that use IT systems to process classified information and sensitive data.
- Critical infrastructure (KRITIS): organisations and facilities of major importance for society whose failure or impairment would cause a sustained shortage of supplies, significant disruptions to public order, safety and security or other dramatic consequences.
IT-Grundschutz is also recommended, however, to other organisations that intend to implement IT security in a holistic and standardised way.
- Personal protection of classified information: refers to the review (security vetting) and security clearance of persons with access to classified information.
- The goal is to ensure that only reliable persons have access to classified information.
- Material protection of classified information: includes the physical, IT and organisational measures taken to protect classified information such as IT for classified information, security zones, safes or destruction.
- Secure access: access is only granted to persons with the corresponding security clearance
- Physical security: use of safes, security rooms and controlled access
- IT security: setting up secure IT systems (IT for classified information) under the Classified Information Guidelines (VSA) and Federal Office for Information Security (BSI) guidelines.
- Processes: regular training courses and clear policies for dealing with classified information.