Questions? Answers.
General
Athereon GRC is suitable for companies of all sizes and industries. We offer tailored solutions and extensive experience across various sectors.
Athereon GRC is standards-open and supports a wide range of standards and frameworks, including ISO 27001, ISO 31000, BSI IT-Grundschutz and many more. You can also integrate your own customer frameworks. If you require a specific industry standard that we don't yet support, we'll be happy to implement it for you at short notice.
Our offering is modular, allowing you to customize the solution that's right for you. Prices are based on company size classes (S, M, L, XL), to which your organization is assigned based on its size, number of locations, and regulatory area. Our sales team is happy to provide you with an initial cost estimate or a binding quote.
Our professional services such as training, customer success management, migration support and individual customizations perfectly complement our software offering.
Information Security Management
An ISMS is required by any organization that processes, stores, or transmits confidential, sensitive or business-critical information. This applies not only to large companies, but also to small and medium-sized businesses that need to protect the data of their customers, employees or partners.
In today's data-driven world, an ISMS makes sense for almost all companies. Some particularly safety-critical sectors and industries with globally interconnected supply chains are even required by regulations to implement and operate an ISMS and are regularly monitored by external auditors.
An ISMS must be structured and documented, clearly and comprehensibly describing an organization's security processes and measures. It is important that the ISMS not only exists in theory, but is actively implemented in practice and continuously monitored.
An ISMS can be managed in various forms, depending on the standards or norms the organization adheres to. Implementation is carried out with the help of consulting firms or in the form of a specialized software solution such as Athereon GRC.
An ISMS certification is formal proof that a company has successfully implemented an ISMS and is operating it in accordance with recognized standards, such as ISO 27001. Through this certification, an independent certification body confirms that the company's ISMS meets the requirements of the standard and functions effectively.
ISMS certification helps companies gain the trust of customers, partners and authorities by demonstrating that the organization bases its information security processes on internationally recognized standards. It also ensures that the company actively monitors and continuously improves data security.
Athereon GRC pursues a fresh, modern ISMS implementation approach and offers all the software tools needed to fully implement an ISMS and operate it long-term in your own ISMS compliance cockpit. You receive support through numerous workflows. Because Athereon GRC operationalizes the ISMS and its requirements and automates documentation, our customers are highly satisfied with the long-term total cost of ownership of their ISMS implementation. The low cost of long-term operation of the ISMS is particularly appreciated.
Data Protection Management
Data protection management covers all measures companies take to ensure the protection of personal data and comply with the requirements of the GDPR and the revised Data Protection Act. This includes the systematic collection, organization, storage and deletion of data, as well as employee training and the implementation of technical and organizational security measures. The goal is to prevent data protection violations, protect the rights of data subjects and create trust in the responsible handling of data.
Athereon GRC is your comprehensive data protection management software that supports you in complying with all legal requirements such as GDPR. Athereon GRC offers transparent processes, efficient risk management and easy integration into existing systems. It also makes it incredibly easy to generate all reports for your stakeholders.
Athereon GRC supports you with a wide range of functions, including maintaining a register of processing activities (RoPA) in accordance with Art. 30 GDPR (General Data Protection Regulation). The software guides you through all relevant questions relating to data processing in your organization, allowing you to efficiently comply with data protection requirements and minimize liability risks. Thanks to automated workflows, predefined report templates and real-time overview, you can keep an eye on your data protection processes at all times.
Business Continuity Management
Business continuity management (BCM) deals with the resilience of organizations.
A BCM is necessary to maintain operational capability even in crises. Regardless of size or industry, any company can be affected by unexpected events that could disrupt business operations—such as natural disasters, technical malfunctions, cyberattacks, or pandemic-related outages. Therefore, all companies that want to ensure they can continue operating even in difficult times need a BCM.
A BCM is therefore not only useful for many companies, but is often also a regulatory requirement in safety-critical sectors and industries. Stricter regulations such as DORA, NIS2, or new ISMS generations require the implementation and operation of a BCM, which is regularly monitored by external audit bodies.
A BCM must be well-structured and documented, clearly defining how the organization responds to crises and emergencies and ensures its operational capability. It must be regularly reviewed, practiced, and adapted to new threats or changes within the company. The latest generation of ISMS standards, such as VDA TISAX® 6.1 or ISO 27001:2024, have made BCM even more relevant. The ISO 22301 and BSI 200-4 standards provide excellent international templates for developing a BCM.
The key components of reliable business continuity management include a documented BCM policy, a business impact analysis (BIA), risk management and assessment, contingency plans and recovery strategies, training and awareness strategies, testing and exercises, and ensuring continuous improvement. With an Athereon GRC solution, all of these elements are configurable and accessible on a single platform.
A BCM certification is formal proof that a company has successfully implemented a BCM system and is operating it according to recognized standards, such as ISO 22301. Through this certification, an independent certification body confirms that the company's BCM meets the requirements of the standard and functions effectively.
BCM certification helps companies gain the trust of customers, partners, and authorities by demonstrating that they have set up their business processes with their business-critical risks in mind. It also ensures that the company can respond to incidents in a structured manner and continuously improve as an organization.
Enterprise Risk Management
Enterprise risk management (ERM) is a holistic approach that systematically identifies, assesses, and manages all of a company's risks—from financial to operational, strategic, and compliance risks. The goal is to identify potential threats early and proactively manage them to achieve corporate goals and ensure long-term success.
With Athereon GRC's risk management module, you gain a complete overview of your corporate risks and can efficiently assess and manage them to make informed decisions and comply with legal requirements. This minimizes potential threats and lays the foundation for sustainable corporate success.
Athereon GRC supports all common frameworks such as ISO 31000, IDW PS 340, ISO 27005, and BSI 200-3. This allows you to easily adapt your risk management to established standards and ensure compliance with relevant regulations.
Athereon GRC offers fully integrated, cross-domain risk management. The end-to-end risk workflow maps the entire risk lifecycle and offers the appropriate functionality for every phase of the risk process. This allows you to establish interdisciplinary, enterprise-wide risk management.
NIS2
The second version of the Network and Information Security Directive, or NIS2 for short, aims to strengthen the cyber resilience of critical and important infrastructures in both the public and private sectors within the EU. More specifically, the updated directive includes stricter measures and reporting obligations for IT security incidents for numerous companies.
Since October 17, 2024, the EU-wide obligation for member states to implement the new NIS2 Directive through national law has been in effect. Due to the collapse of the governing coalition in November 2024, legal implementation in Germany has been delayed. A specific date for the entry into force of a corresponding law in Germany is currently unknown, but is expected soon.
The new directive affects significantly more industries and companies than the first EU directive on network and information security. Companies are also responsible for independently determining whether they are affected by NIS2.
Most of the affected organizations are medium-sized and large companies. You can find out exactly which industries are affected and which of the two new categories they belong to in our blog post on NIS2. The BSI (Federal Office for Information Security) also offers a practical assessment with questions to help you find out whether you are affected and, if so, to further classify your company.
Important additions to NIS2 include severe penalties for violations and the stricter deadlines and requirements for reporting IT security incidents. Three time frames have been established, within which there are specific documentation requirements.
You can find out exactly what needs to be done in the event of an IT security incident and how much time your company has to do so in our blog post on NIS2.
ISO 27001
ISO 27001 certification offers numerous advantages that can be extremely beneficial for organizations. Meeting the ISO 27001 requirement is proof of high-quality information security within your company and the reliable handling of information. Certification therefore strengthens the trust of customers and partners and can thus provide a competitive advantage. The (re)certification process promotes continuous improvement in security practices and strengthens defenses against cyberattacks.
Yes, ISO 27001 is also suitable for small businesses. The standard provides a flexible framework that can be adapted to the specific needs and resources of smaller organizations. By implementing ISO 27001, small businesses can improve their information security, build customer and partner trust, and better protect themselves against cyber threats. Certification also helps them meet regulatory requirements and stand out from the competition. While implementation may seem challenging at first, small businesses benefit in the long run from a structured approach to information security.
The main difference between the international ISO 27001 and the German IT-Grundschutz lies in their approach and structure. Both have their own advantages and can be chosen depending on an organization's needs and objectives. With Athereon GRC, it's easy to represent the many overlaps and meet the requirements of both frameworks in parallel.
Athereon GRC maps all ISO 27001 requirements in guided sections, allowing users to edit each requirement individually, create tickets, or link documentation. The integrated cockpit and versatile tools enable complete mapping of all requirements—without additional software. Thanks to flexible interfaces, Athereon GRC can be seamlessly integrated into your existing IT landscape.
TISAX®
TISAX® (Trusted Information Security Assessment Exchange) is an information security assessment process specifically developed for the automotive industry. Obtaining the TISAX® label allows companies to confirm their information security standards, strengthening trust between business partners. The process is based on the requirements of the ENX Association and promotes the secure exchange of information throughout the supply chain. A valid TISAX® label is often a prerequisite for collaboration with automotive manufacturers and suppliers.
TISAX® requirements cover various aspects of information security, focusing on the protection of sensitive data and risk assessment. Similar to ISO 27001, companies must implement an information security management system (ISMS) to identify, assess, and manage risks. TISAX® includes three different levels of protection, called assessment levels.
The ENX Association offers a comprehensive TISAX® Participant Handbook with all further information.
In general, a granted TISAX® label is valid for three years. After this period, a reassessment must be conducted to ensure continued compliance with information security requirements. During the validity period, regular reviews or follow-up audits may be required to ensure that security standards are maintained.
Athereon GRC maps all VDA TISAX® requirements in guided sections, allowing users to process each requirement individually, create tickets, or automate evidence. All requirements can be mapped separately in a granular and modular manner for different scopes (such as legal entities or plants), so that even large companies always maintain an overview. Thanks to flexible interfaces, Athereon GRC can be seamlessly integrated into your existing IT landscape. With Athereon GRC, you do not need any additional software for your ISMS according to TISAX®.
DORA
The DORA Regulation (Digital Operational Resilience Act) is a set of comprehensive requirements for digital operational resilience for the entire financial sector established by the European Union. The regulation has been applicable in Germany since January 17, 2025.
The Supervisory Requirements for IT in Financial Institutions (BAIT), previously binding in Germany and issued by the Federal Financial Supervisory Authority, were largely replaced by the EU-wide DORA Regulation in January 2025. The transition period for financial institutions subsequently added to DORA expires on January 1, 2027, making DORA the primary requirement catalogue for affected organizations.
The DORA Regulation affects all financial institutions in the European Economic Area. These include, among others, credit and payment institutions, insurance companies and intermediaries, and investment firms. It also includes account information service providers, e-money institutions, providers of crypto services, management companies, rating agencies, securitization registers, institutions for occupational pensions, and many other companies. The DORA Regulation also partially affects the IT service providers (e.g., cloud service providers) of these companies. The DORA requirements apply to more than 22,000 organizations across the EU.
Athereon GRC provides comprehensive support for your company in implementing DORA requirements. Our platform offers integrated modules for various GRC areas, including ISMS according to DORA:
- ICT risk management: Identification and assessment of ICT-related risks according to a standardized risk management process. Linking to assets, vulnerabilities, and mitigations via a central control system.
- Incident management: Documentation, classification, and processing of security incidents including escalation mechanisms, root cause analysis, and reporting functions.
- Resilience and continuity management: Mapping of BCM processes to ensure critical business processes and emergency procedures according to ISO 22301.
- Third-party management: Integration of service providers into the risk and control system, including evaluation and monitoring of outsourced ICT services.
- Auditability and governance: Audit-proof documentation, management-level reporting, audit trails, and support in preparing DORA-compliant reports for regulatory authorities.
Athereon GRC's flexible configurability enables customized mapping of your governance structures and a consistent control framework to ensure digital operational stability in accordance with DORA.