DIN SPEC 27076 · BSI Standard

BSI CyberRisikoCheck
per DIN SPEC 27076

The state-supported IT security check for SMEs. In a structured interview with 27 questions we assess your current security level - and show where your organisation needs to act immediately.

BSI CyberRisikoCheck authorised · AZAV-certified consultant · Results within 1 week · SMEs < 50 employees

CyberRisikoCheck

per DIN SPEC 27076

  • Standardised 27-question interview
  • 6 IT security topic areas
  • Individual risk report
  • Prioritised action recommendations
  • Up to 50% subsidy possible
  • Completed within half a day

Certification

AZAV-certified consultant

Subsidisable consulting services


Assessment questions per DIN SPEC 27076: 27
Topic areas: 6
Subsidy possible: up to 50%
Duration: ½ day

The Standard

What is the BSI CyberRisikoCheck?

The CyberRisikoCheck is a procedure developed by Germany's Federal Office for Information Security (BSI) and standardised through DIN SPEC 27076. It was designed specifically for small and medium-sized organisations that do not have their own IT security department.

At its core, the check consists of a structured interview with 27 questions, conducted with you and the person responsible for your IT. Deep technical prior knowledge is not required - the questions are formulated in a practical and understandable way.

The result is an individual risk report showing your current security level across six topic areas with concrete, prioritised recommendations. Not abstract concepts - but a clear plan of what to do next.

Standardised per DIN SPEC 27076

DIN SPEC 27076 defines the exact process, the 27 questions, and the assessment methodology. As an authorised consultant we conduct the check to this uniform standard - comparable, transparent, and recognised.

Subsidisable consulting

As an AZAV-certified consultant we review your individual funding options. Regional digitalisation grants and state programmes can significantly reduce costs. We advise you on eligibility free of charge.

Immediately actionable results

You receive not generic security advice, but a prioritised action plan for your organisation. We distinguish quick wins that can be implemented immediately from strategic measures with a medium-term horizon.

The Structure

The 6 Topic Areas of the CyberRisikoCheck

The 27 questions of DIN SPEC 27076 are structured across six topic areas covering the most important IT security domains for SMEs.

01

Organisation & Processes

How is information security organised in your company? Are responsibilities, policies, and emergency plans in place? This area covers the foundation of every IT security strategy.

02

Identity & Access Management

Who has access to which systems and data? Are password policies and multi-factor authentication in use? Unauthorised access is one of the most common entry points for cyber attacks.

03

Data Backup

Are your data backed up regularly? Is restoration guaranteed in an emergency? Without a functioning backup concept, a ransomware attack can permanently cripple operations.

04

Patch Management

Are operating systems and software updated promptly? Structured patch management closes known vulnerabilities before attackers can exploit them.

05

Malware Protection

Are endpoints and servers protected by up-to-date antivirus and endpoint detection? Are systems monitored for unusual behaviour? Malware is involved in 6 out of 10 attacks.

06

IT Systems & Networks

Are your networks segmented and protected by firewalls? Is there an up-to-date inventory of all IT systems? A complete overview of your IT landscape is a prerequisite for any security strategy.

Our approach

From enquiry to risk report in one week

The CyberRisikoCheck is deliberately lean and efficient. No weeks-long process: you receive clear insights into your security posture quickly and with little effort on your side.

01

Initial consultation & scheduling

In a brief initial call (approx. 30 minutes, by phone or video conference) we clarify the framework conditions, answer your questions, and schedule the interview appointment. No commitment without complete information.

30 min.
02

Structured interview - on-site or remote

A certified AWARE7 consultant conducts the standardised interview with 27 questions - on your premises or via video call. Participants should include management and the persons responsible for IT. The interview takes approx. 2-4 hours.

½ day
03

Analysis & risk report

We analyse the responses systematically per DIN SPEC 27076 and create your individual risk report. This shows the fulfilment level per topic area, identified risks by criticality, and a consolidated overall assessment.

3-5 days
04

Results presentation & recommendations

In a joint results presentation we explain your risk profiles and provide prioritised, actionable recommendations. You receive a clear roadmap - what to do immediately, and what to address in the medium term.

1-2 hrs.

Why AWARE7 for the CyberRisikoCheck

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - tailored to the Mittelstand, personal, without enterprise overhead.

Research and teaching as our foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing e-mails and are published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany, without US cloud providers. No freelancers, no subcontractors in the value chain. All staff are directly employed on contracts subject to social insurance and bound by uniform legal obligations. VS-NfD-compliant on request.

Fixed price within 24 hours - predictable project timelines

Within 24 hours you receive a binding fixed-price quote: no hourly-rate risk, no additional charges, no surprises. Thanks to a well-practised team and standardised processes you get a clear schedule with a defined start and end date.

Your dedicated contact person - reachable at any time

A personal project manager accompanies you from the initial consultation through to the re-test. You book appointments directly with your contact person: no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mittelstand with 50-2,000 employees

Companies that need real security without paying for a DAX-corporation service provider. Fixed price, clear scope, one contact person.

IT managers & CISOs

Who need to make a convincing case internally and need a report written in board language for it, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA. We know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for company management (German version).

FAQ

Frequently asked questions about the CyberRisikoCheck

Questions about the process, subsidies, or results? Find answers to the most common questions here.

The BSI CyberRisikoCheck is a standardised procedure per DIN SPEC 27076, developed specifically for small and medium-sized enterprises (SMEs) with up to 50 employees. In a structured interview with 27 questions, the IT security level is assessed across 6 topic areas. The result is an individual risk report with prioritised recommendations. The check is deliberately low-threshold - without deep prior knowledge your company can find out where it stands in IT security.

As an AZAV-certified training provider, our consulting services can be subsidised through various funding channels. Depending on the federal state and company size, regional funding programmes, digitalisation grants, and the Qualification Opportunities Act (Qualifizierungschancengesetz) are available. We assess your individual eligibility for funding free of charge in the initial consultation.

Yes, fundamentally. A penetration test is a technical security assessment in which real attacks on your systems are simulated. The CyberRisikoCheck, by contrast, is an organisational interview procedure: no systems are attacked, no ports are scanned. It assesses whether the most important IT security measures are fundamentally in place and organisationally embedded. The check is ideal as a first step - the penetration test as a more in-depth measure afterwards.

You receive a structured risk report with your security level per topic area and concrete recommendations for action. Many organisations use this report as a basis for the next discussion with management or the supervisory board. On request, we accompany you in implementing the measures - from simple quick wins through to building a complete ISMS per ISO 27001.

The structured interview typically takes 2-4 hours. You should plan for half a day in total. Ideally, management and those responsible for IT should participate. Deep technical knowledge is not required - the questions are formulated in a practical and understandable way. After the interview we require 3-5 working days for analysis and preparation of the risk report.

The CyberRisikoCheck is designed specifically for SMEs, which are typically not directly affected by NIS-2. It is an excellent starting point for establishing basic IT security measures. For organisations that actually fall under the NIS-2 Directive, we additionally recommend our NIS-2 consulting and the construction of an ISO-27001-compliant ISMS. Contact us - together we will find the right approach for your starting position.

Ready to find out where you stand?

Discover in half a day where your organisation really stands in IT security - structured, standardised per DIN SPEC 27076, and with up to 50% state subsidy.

Free of charge · 30 minutes · No obligation