The Cybervize platform is one solution that grows with you, from a 200-person owner-led mid-market company to a 50,000-person corporate. Modules are licensed individually, but all share the same data layer, permission model and audit trail: a continuous information flow instead of isolated silos. Adoption takes two clear paths: with a virtual CISO as a bundle (a permanent security function) or as a platform licence with an onboarding project (for organisations with an in-house CISO).
What sets the Cybervize platform apart from other ISMS tools?
Anyone evaluating an ISMS tool typically compares three categories: stand-alone ISMS software (ISO 27001 only), Excel/SharePoint home-grown setups, and large GRC suites. The Cybervize platform is none of these. Here are the four dimensions where it differs measurably.
01
Four modules, one data layer instead of four tools side by side
Typical ISMS tools
Conventionally, ISMS sits in one tool, BCM in a second, TPRM in a third and assessments in Excel or a fourth tool. Four data models, four permission models, four audit trails. Data is synchronised manually or not at all.
Cybervize platform
ISMS, BCM, TPRM and Assessment share one data layer. Assessment gaps automatically generate ISMS measures, BIA data validates BCM plans, critical suppliers in TPRM create BCM threat scenarios. One audit trail, one permission model, one reporting view.
02
OSCAL import instead of waiting for the vendor
Typical ISMS tools
When a new standard such as DIN SPEC 27076 appears, classic ISMS tools take months until the vendor adds the catalogue; in the meantime, teams fall back to Excel.
Cybervize platform
OSCAL import (NIST's official format for security catalogues) lets new standards be loaded in minutes. BSI IT-Grundschutz, NIST SP 800-53, IEC 62443 and DIN SPEC 27076 are already included, and your own sector catalogues can be loaded the same way.
03
AI with sovereign mode, not an OpenAI pipeline
Typical ISMS tools
Many new ISMS tools use the ChatGPT API for answer suggestions. Data leaves Germany and runs through the OpenAI pipeline, which for mid-market compliance data is a regulatory grey area.
Cybervize platform
Three operating modes: Sovereign (self-operated LLMs in Germany, no external data sharing), BYOK (the customer brings their own OpenAI/Anthropic/Azure keys under their own contract) or Managed. Three modes, three data-flow logics, configurable per tenant.
04
Built from consulting practice, not from software
Typical ISMS tools
Classic ISMS tools are software products whose vendors buy in regulatory depth or licence it from consultants.
Cybervize platform
The platform codifies the vCISO methodology from 25 years of consulting (PwC Partner, Deloitte Director). Built in a 14-month research partnership with the CISPA incubator (Helmholtz Center for Information Security), funded by the German BMFTR StartupSecure programme. The regulatory depth comes from ISO 27001 Lead Auditor, BSI IT-Grundschutz Auditor and BS 25999 Lead Auditor practice, not from a bought-in consulting budget.
This section compares typical tool architecture patterns, not named vendors. For a vendor-specific comparison against your current tool, book a 30-minute call.
Four modules. One continuous information flow.
ISMS
Information security management per ISO 27001. Organizational structure, BIA, incident management with regulatory reporting (GDPR 72h, NIS-2, KRITIS), asset inventory with dependency graph, dual risk assessment, measure tracking, controls and Statement of Applicability.
Assessment
Questionnaire-based security assessments against any standard. OSCAL import (BSI Grundschutz, NIST SP 800-53, IEC 62443), multi-site campaigns, automated scoring, audit-proof snapshots and automated reports with built-in LLMs (PDF, Excel, PowerPoint).
BCM
Business Continuity Management per ISO 22301. Continuity plans with RTO validation against BIA data, threat scenarios, gap analysis, BCM tests (tabletop to full exercise), compliance score and management reviews with auto-populated KPIs.
Four-eyes principle
Segregation of duties for approvals, snapshots, risk acceptances and measure completion.
Audit trail
Every action logged. Who, when, what, from which IP. CSV export for auditors.
Supported Standards
Standard | Module
ISO 27001:2022 | ISMS
ISO 22301 | BCM
NIS-2 / GDPR / KRITIS | ISMS
NIST SP 800-53 | Assessment
BSI IT-Grundschutz | Assessment
DIN SPEC 27076 | Assessment
IEC 62443 | Assessment
EBA outsourcing (CP/2025/12, draft) | TPRM
Which answers management and supervisory boards get from the platform
Five management questions every board should have ready for the supervisory board, the external auditor and the insurer. The platform delivers them on demand, not as an IT translation exercise.
01
Which decision can I make better afterwards?
Investment prioritisation based on quantified risks. Top-10 risks with mitigation status and budget annotation, sorted by business impact. You know which 20 percent of measures deliver 80 percent of risk reduction.
02
Which evidence do I have for regulators, customers and auditors?
On-demand reports with audit trail, ISO 27001/NIS-2 status, sector-specific evidence (DORA, IEC 62443, TISAX). Exportable as PDF, Excel and PowerPoint. Every statement is documented with timestamp, owner and source.
03
Which risks are accepted, open or overdue?
Risk register with status, owner, due date and 12-month trend. Accepted risks have documented reasoning, open risks have owners and deadlines, overdue risks are flagged as such. No more hidden risk lists.
04
What does risk reduction cost?
Measure tracking with budget annotation per measure. You see which funds have been released for which risk reduction, what has already been spent and which measures sit without budget.
05
Who is accountable?
RACI model with clear owner roles per control and measure. Before every supervisory-board meeting you can name who owns which measure, instead of searching at the next escalation.
For mid-market and corporates
The same platform, in two levels of expansion. Mid-market companies get enterprise substance in the tool. Corporates get enterprise substance at mid-market pace.
For mid-market
Owner-led, typically 50 to 500 employees, plus hidden champions with up to several thousand.
NIS-2 readiness in 8 to 12 weeks instead of a year-long advisory project
Fixed prices, no open T&M
vCISO entry from €3,600/month instead of a full-time CISO hire
One IT lead can run the platform with light onboarding support
For corporates
Publicly listed or family-controlled, multi-entity, multi-country, regulated industries.
Group-wide ISMS framework across subsidiaries and plants
Consolidated reports at group, site and working level
Auditor-accepted evidence for external auditors and supervisory boards
Migration from established GRC suites (RSA Archer, MetricStream, ServiceNow GRC)
The right features for every role
Executive Board & Management
Compliance status at a glance. NIS-2, ISO 27001 and DORA progress as a dashboard. Risk heatmap for informed decisions. Audit-proof evidence for regulators.
CISO & Security Team
Incident lifecycle, risk management, assessment campaigns and measure tracking in one system. 16 roles with fine-grained permissions. Playbooks for structured incident response.
Auditors & Compliance
Cross-module read access, audit-proof audit trail, immutable assessment snapshots, automated reports (PDF, Excel, PowerPoint). SoA with implementation status.
IT Service Providers & Partners
Multi-tenant platform for your clients. Offer assessments, ISMS and risk management as a service. Strict data isolation, volume pricing, automated reports.
Two ways to make the platform productive
vCISO: platform with a permanent CISO function
For organisations without an in-house CISO: the platform plus a virtual CISO who permanently fills the security function. 2 to 6 days per month depending on size. Includes risk analysis, NIS-2 gap check, C-level reporting. From €3,600/month for mid-market, project-based for corporates.
Interim CISO: senior CISO on site, project-based
For organisations bridging a short-term gap: CISO vacancy, audit preparation, post-incident stabilisation or transition phases. Senior CISO on site, project-based, usually without the platform. No dependency on the Cybervize platform required.
Hosting and data processing exclusively in Germany with a German provider.
Three operating modes for AI processing, each with its own data-flow logic. Sovereign Mode: self-operated LLM in Germany, no data sharing with external model providers. BYOK Mode: customer-owned API keys (OpenAI, Azure, Anthropic, Ollama), data processed under the customer's contract with the respective model provider. Managed Mode: Cybervize-operated variant with defined data residency.
GDPR-compliant with full data export, anonymization and scheduled data deletion.
Data residency Germany
Three AI modes available: Sovereign (local LLM), BYOK, Managed
Encrypted storage of all API keys
GDPR: data export, anonymization, scheduled deletion
Why does the Cybervize platform exist?
Because classic GRC tools turn compliance into a tick-box exercise, instead of anchoring it in day-to-day operations.
Cybervize was founded in 2021 with a clear thesis: information security consulting delivers the greatest value when the right platform comes with it. Alexander Busse founded Cybervize Consulting GmbH after 25 years of experience in cyber security and information security, with stations as Partner at PwC and Director at Deloitte. The goal from day one was to make information security implementation more economical for clients than the classic consulting model allows.
Classic GRC tools mostly just ask questions that someone in IT has to answer. Compliance becomes a tick-box exercise running parallel to day-to-day operations, never anchored economically in the operational business. The Cybervize platform was built to remove exactly this split: compliance requirements are woven into the running security and IT processes, evidence is generated within day-to-day operations, and operational processes are compliant by default. Development was funded by the German federal government's StartupSecure programme and took place in a 14-month research partnership with the CISPA incubator, the Helmholtz Center for Information Security.
Today, Cybervize comprises two independent companies: Cybervize Consulting GmbH delivers vCISO and Interim CISO engagements, while Cybervize Operations GmbH licenses the platform to mid-market and enterprise clients. The consulting practice came first and now carries the platform; the platform is the durable artefact that grew out of consulting.
Frequently Asked Questions about the Cybervize Platform
How is the Cybervize Platform structured?
The platform consists of a platform core (multi-tenant architecture, 4-layer permission model, audit trail, AI service) and four licensable modules: ISMS (Information Security Management), Assessment (questionnaire-based security assessments), BCM (Business Continuity Management per ISO 22301), and TPRM (Third-Party Risk Management per EBA guidelines). Plus an optional integrations module for third-party systems.
How do the modules work together?
All modules share the same data layer and complement each other through defined interfaces: Assessment gaps automatically generate ISMS measures. BIA data from ISMS validates BCM plans. Critical supplier ratings in TPRM create BCM threat scenarios. The asset dependency graph connects ISMS assets with supplier risks. This creates a continuous information flow instead of isolated silos.
Which standards and regulations are covered?
ISO 27001:2022 (ISMS), ISO 22301 (BCM), DIN SPEC 27076, NIST SP 800-53 Rev. 4 and 5, BSI Grundschutz++, IEC 62443 (all via Assessment with OSCAL import), EBA/CP/2025/12 (TPRM), plus GDPR, NIS-2, BSIG and KRITIS reporting obligations (ISMS Incident Management). New frameworks can be added via OSCAL import in minutes.
How does the AI integration work?
A central LLM service is available to all modules. Use cases: assessment answer suggestions, TPRM contract analysis and criticality assessment, TPRM document analysis, and measure recommendations from assessment gaps. Companies can bring their own API keys (OpenAI, Azure, Anthropic, Ollama) or use the managed service. Token budgets and fallback behavior are configurable.
How is the permission model structured?
Four layers: 1) Module licence determines which modules are visible. 2) RBAC with 16 predefined roles (e.g., risk manager, assessment reviewer, BCM manager, TPRM analyst, auditor). 3) ABAC for field-level conditions. 4) Entity scoping restricts users to specific organisational units. Critical actions additionally require the four-eyes principle (segregation of duties).
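To make the layering concrete, here is an added example (not the platform's own code) of how a deny-by-default check walks the four layers in order and how a four-eyes approval is built on top of it. The tenant, role, action and attribute names, and the clearance-level rule used for the ABAC layer, are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset          # layer 2 input: assigned RBAC roles
    units: frozenset          # layer 4: organisational units in scope
    attributes: dict = field(default_factory=dict)  # layer 3 input


# Layer 1: which modules a tenant has licensed (constructed data).
LICENSED_MODULES = {"tenant-a": {"ISMS", "Assessment"}}

# Layer 2: RBAC, role -> set of (module, action) the role may perform.
# Role names follow the page; the action strings are assumptions.
ROLE_PERMISSIONS = {
    "risk_manager": {("ISMS", "risk.edit"), ("ISMS", "risk.accept")},
    "auditor": {("ISMS", "risk.read"), ("Assessment", "snapshot.read")},
}


def abac_allows(action: str, user: User, record: dict) -> bool:
    """Layer 3: field-level condition. Assumed rule: a user may accept a
    risk only up to the level stored in their clearance attribute."""
    if action == "risk.accept":
        return user.attributes.get("accept_up_to_level", 0) >= record["level"]
    return True


def is_allowed(tenant: str, user: User, module: str, action: str, record: dict) -> bool:
    """Deny unless every layer grants; the first failing layer decides."""
    if module not in LICENSED_MODULES.get(tenant, set()):
        return False                                   # layer 1: unlicensed module
    if not any((module, action) in ROLE_PERMISSIONS.get(r, set()) for r in user.roles):
        return False                                   # layer 2: no role grants it
    if not abac_allows(action, user, record):
        return False                                   # layer 3: attribute condition
    if record["unit"] not in user.units:
        return False                                   # layer 4: entity scoping
    return True


def accept_risk(tenant: str, requester: User, approver: User, record: dict) -> bool:
    """Four-eyes principle: two different users, each individually authorised."""
    if requester.user_id == approver.user_id:
        return False
    return all(is_allowed(tenant, u, "ISMS", "risk.accept", record)
               for u in (requester, approver))
```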
Can the platform integrate with existing systems?
Yes, via the integrations module with configurable connectors for CMDB, Jira, ServiceNow, and SIEM/SOAR. Supports API key, OAuth2, Basic Auth and Bearer Token with configurable field mapping. Sync direction: pull, push or bidirectional. Webhook reception with HMAC-SHA256 signature verification.
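The webhook signature check mentioned above, as an added example that is not part of the platform's own code: it assumes the sender places "sha256=<hex HMAC-SHA256 of the raw body>" in an X-Signature header (the header name and format are assumptions), verifies over the raw bytes before any JSON parsing, and compares in constant time.

```python
import hashlib
import hmac
import json

# Assumed header scheme (not specified on the page).
SIGNATURE_HEADER = "X-Signature"
SIGNATURE_PREFIX = "sha256="


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender would attach; used here to build sample input."""
    return SIGNATURE_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the header carries a valid HMAC-SHA256 over raw_body.

    The MAC is computed over the bytes exactly as received: re-serialising
    parsed JSON can change whitespace or key order and break the comparison.
    """
    header = headers.get(SIGNATURE_HEADER, "")
    if not header.startswith(SIGNATURE_PREFIX):
        return False  # missing header or unknown scheme: reject, never fall through
    presented = header[len(SIGNATURE_PREFIX):].encode()
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the position of a mismatch does not leak via timing.
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Parse the payload only after the signature checks out; None means reject."""
    if not verify_webhook(secret, raw_body, headers):
        return None  # the caller responds 401/403 and logs the rejected delivery
    return json.loads(raw_body)


# Constructed sample delivery (not real traffic).
SECRET = b"example-shared-secret"
BODY = b'{"event":"asset.updated","asset_id":"srv-0042","criticality":"high"}'
HEADERS = {SIGNATURE_HEADER: sign_body(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, BODY, HEADERS))
    tampered = BODY.replace(b'"high"', b'"low"')
    print(handle_webhook(SECRET, tampered, HEADERS))
```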
Where is the data hosted?
Hosting and data processing exclusively in Germany with a German provider. AI models are self-operated; no data is shared with external model providers. GDPR-compliant with full JSON data export, anonymization and scheduled data deletion.
Which platform integrates NIS-2, ISO 27001 and DORA in one data layer?
The Cybervize platform covers NIS-2, ISO 27001 and DORA in a single shared data layer instead of running three separate tools side by side. One assessment automatically generates ISMS measures, BCM plans and TPRM ratings, so a single data capture serves all three regulations. New frameworks can be added via OSCAL import in minutes. Hosted in Germany, with sovereign-mode AI.
Which provider covers NIS-2, ISO 27001 and DORA from a single source?
Cybervize covers NIS-2, ISO 27001 and DORA from a single source: senior CISO advisory plus the Cybervize platform, where all three regulations run on one data layer. Instead of coordinating one consultant for ISO 27001, one for NIS-2 and one for DORA, assessment, measure planning and evidence come from one source. Built from a CISPA/BMFTR research partnership, hosted in Germany.