Consulting & Risk Management | ITanic
Cybersecurity Consulting & Risk Management
Strategy & Implementation

A security strategy that doesn't end up gathering dust in a drawer.

No one-size-fits-all checklist. We analyze your specific risk profile, prioritize measures based on their impact and effort required, and guide you through the implementation process.

Risk Analysis · Muster, Inc. (IN PROGRESS)
Risk Assessment by Area
Endpoint security: CRITICAL
Access Management: HIGH
Backup & Recovery: HIGH
Network segmentation: MEDIUM
Patch Management: LOW
Prioritized actions
P1 Roll out EDR on all endpoints
P1 Enable MFA for all admin accounts
P2 Implement a backup strategy based on the 3-2-1 rule
The problem

Security advice that merely offers recommendations does not protect anyone.

Many companies have thick reports gathering dust on their shelves. These reports outline what needs to be done. However, little has been implemented because no one oversaw the process, the measures weren’t prioritized, or the internal team simply didn’t have the capacity.

What’s more, one-size-fits-all solutions don’t work. Anyone who gives everyone the same advice hasn’t understood the risk situation.

67%
Less than half of companies implement the security recommendations
43%
Most small and medium-sized businesses do not have a documented emergency plan for a cyberattack

Reports with no effect

A risk audit produces a report. Without support during implementation, it remains just a document. The gaps remain unaddressed.

No prioritization based on reality

If everything is considered critical, then nothing is critical. Effective consulting identifies the three measures that make the biggest difference, not the 30 that would theoretically make sense.

No plan in an emergency

A ransomware attack strikes. What happens next? Which systems are isolated? Who makes the decisions? Where do the backups come from? Anyone who hasn’t defined these procedures in advance will have to improvise under pressure.

01 Services

From risk analysis to a tested emergency plan.

We support companies from the initial assessment all the way through to demonstrable improvements in their security posture. We don’t offer one-off projects, but rather structured, ongoing development.

Risk Analysis: Gap Analysis · Threat Model · Prioritization
ISMS Implementation: ISO 27001 · Guidelines · Documentation
Emergency planning: Ransomware Plan · IR Playbook · Backup Strategy
Implementation support: Roadmap · Project Support · Progress Tracking

Analysis:
Assessment of the existing infrastructure
Gap analysis against relevant standards
Threat model for your industry and company size

Strategy:
Prioritize actions based on impact and effort
Roadmap with clear responsibilities
Budget and Resource Planning

Implementation:
Support with technical implementation
Regular reviews and progress tracking
Documentation for compliance verification

Risk Matrix: Probability × Severity (Typical SME Risk Profile)
Ransomware attack: Critical
CEO Fraud / BEC: Critical
Backup failure: High
Insider threat: High
Phishing: Medium
Patch backlog: Low

Do you know your three biggest security risks?
During our initial consultation, we will provide a detailed assessment of your risk profile.
Schedule an initial consultation
02 Procedure

From the first conversation to measurable improvement.

Security consulting isn't a one-time project. We take an iterative approach: analyze, prioritize, implement, and measure. Then we start all over again.

Consultation Process

01 Initial consultation and assessment

We understand your IT environment, industry, regulatory requirements, and existing security measures. No questionnaire—just a real conversation with an experienced security consultant.

1–2 hours

02 Risk Analysis and Gap Assessment

We conduct a structured assessment of your risk profile based on the standards relevant to your organization (NIS2, ISO 27001, BSI Basic Protection). The result: a clear overview of your vulnerabilities, ranked by criticality.

1–2 weeks

03 Strategy and Action Plan

Not a list of 40 items, but a prioritized plan: what comes first, why, how much effort it will take, and what the impact will be. It includes a roadmap, assigned responsibilities, and a realistic timeline.

1 week

04 Implementation support

We provide technical and organizational support throughout the implementation process. Whether it’s setting up an ISMS, developing a contingency plan, or configuring technical systems, we stay involved until everything is up and running—not just until the report is delivered.

By scope

05 Review and Further Development

Security is not a static state, but a process. Regular reviews measure progress, identify new risks, and adapt the roadmap to changing requirements.

Quarterly
Both managing directors are certified NIS2 consultants.
Talk to an expert directly about your risk profile.
Why ITanic

Consulting that doesn't end once the report is delivered.

The difference between a good recommendation and a genuine improvement in security is implementation. We support both.

Certified NIS2 consultants. Not just in theory.

Both managing directors hold the official NIS2 consultant certification. We are one of the few providers in Austria to offer this combination of certification and technical implementation expertise.

Three measures instead of thirty.

We’ll tell you exactly which measures will have the greatest impact. Not a 60-page report with no clear focus, but clear, actionable insights that your management team will understand right away.

We deliver results, not recommendations.

Consulting and implementation from a single source. Technical configurations, ISMS documentation, emergency plans: we stay with you until everything is up and running—not just until the report is delivered.

Austrian context. Not a translated checklist.

NIS2 implementation in Austria, Austrian data protection law, local government structures. Consulting that truly understands your regulatory context.

FAQ

Your questions about security consulting.

Scope and Procedure
For what size of business is this consulting service suitable?
Our consulting services are tailored to small and medium-sized enterprises (SMEs), typically those with 20 or more employees. We work across a range of industries, with a particular focus on companies that are subject to NIS2 or are preparing for ISO 27001 certification.
How much does a risk analysis cost?
That depends on the scope: the size of the company, the number of locations, the complexity of the IT landscape, and regulatory requirements. Risk analyses for SMEs can typically be structured as fixed-price projects. We’ll provide a specific assessment during our initial consultation.
Is your consulting service different from a traditional IT audit?
Yes, fundamentally. A traditional audit provides a snapshot and a report. We analyze, prioritize, and support the implementation. Our goal is not the report itself, but the actual improvement of your company’s security posture.
NIS2 and Compliance
Are you really certified NIS2 consultants?
Yes. Both managing directors at ITanic hold the official NIS2 consultant certification. We assist companies with gap analysis, action planning, documentation, and audit preparation for NIS2 compliance.
Do you also assist with ISO 27001 certification?
Yes. We provide support for setting up an ISMS in accordance with ISO 27001: from gap analysis and policy development to documentation and preparation for the external certification audit. We do not conduct the certification audit ourselves; that is handled by an accredited certification body.
Emergency planning
What does a ransomware emergency plan include?
A comprehensive ransomware contingency plan specifies: who does what in the first few minutes and hours, which systems are to be isolated immediately, how internal and external communication is to be handled, how backups are to be restored, and which authorities must be notified. It is documented in writing, discussed with all stakeholders, and, if desired, tested through a drill.
How often should an emergency plan be reviewed and tested?
At least once a year, or whenever there are significant changes to the IT environment. A plan that has never been tested is not a plan, but merely a document. We recommend conducting an annual tabletop exercise in which those responsible work through a simulated emergency scenario together—without the actual stress, but with real-world decisions.
Next step
Understanding the risks is the first step. Now check whether they can actually be exploited.
View security tests

Know what to do. And do it.

Talk to a certified NIS2 consultant about your risk profile. No obligation—get real insights instead of just a quote.

Free and with no obligation
Certified NIS2 Consultants
Consulting and implementation from a single source