
Interactive Process Management with Q.wiki














The ISMS module combines information security with what every company already knows: its business processes. Security objectives, assets, and risks are derived directly from the process context, rather than starting from abstract lists or blanket-checked controls. Confidentiality and integrity follow from the information, availability from the business process. This creates an ISMS that is not only audit-ready but actually works in everyday practice.


Companies know they need to take action—but they don’t know where to begin. Assets? Risks? Measures? Systems? The lack of a clear sequence wastes time and energy.
The first instinct is to turn to firewalls, backups, and access rights. But the real question is a business one—and that usually remains unanswered.
IT, line departments, and management don’t speak the same language. Everyone sees a different part of the picture—a consistent overall view never emerges.
Security measures are implemented across the board—regardless of whether an asset is business-critical or processes sensitive information. The result: effort without impact.
Word, Excel, shared drives, various tools. Requirements, assets, and documentation are scattered everywhere—the big picture is lost, and maintenance becomes a burden.
Anyone who assesses risks without understanding the business perspective overlooks the essentials. Not all critical processes are known—and not all known risks are truly relevant.
No knee-jerk reactions, no loose lists of measures—but a methodology that starts where business value is created: with your processes. Each step builds on the previous one and guides your company from an initial overview to a well-founded risk decision.
What happens in your company on a daily basis? The processes you’re already familiar with form the methodological foundation of the ISMS—right where business value is created.
What data do we process, and which parts of it are worth protecting? Information is evaluated where it is generated—not in isolation in a central list that no one maintains.
Confidentiality and integrity stem from the information itself. Availability stems from the process—through a business impact analysis conducted by the process owners themselves, not by IT.
Systems, devices, and people are treated as resources of a business process—not as isolated items in an IT inventory. The need for protection arises directly from the context.
With a clear line of reasoning: business process → information → asset → specific threat. Measures are implemented specifically where business impact and risk justify them.
Companies, consultants, and auditors—they all use the framework. Here, they explain what it means in practice to systematically build information security in alignment with business processes.
No more standalone tools, no more isolated solutions. The ISMS module builds on what your company is already familiar with—making information security a natural extension of your daily work.

Information security doesn’t start with a firewall—it starts with what your company does every day. In the ISMS module, processes, information, and security requirements are directly linked. No abstract asset chaos—just a clear picture that everyone in the company can understand.
The benefit for you: Business units, IT, and management are finally speaking the same language.
Assets are not recorded as isolated objects, but as resources of a specific business process. Protection needs arise directly from the context—not from a blanket list that no one keeps up to date.
Your benefit: Annex A audits only where business impact and risk truly justify them.


The reasoning is always transparent: business process → information → asset → specific threat. Measures are prioritized and assigned clear responsibilities—not just checked off as a mandatory task.
Your benefit: A risk profile that is justifiable from a business perspective—and that also convinces auditors.
What is already documented in quality management becomes the direct foundation of the ISMS. Processes, responsibilities, knowledge—maintained once, used twice. No media discontinuity, no duplication of effort.
Your advantage: Two standards, one system, a common control logic.

No. The module is intentionally built on Q.wiki—because its true value lies in the integration of process management and information security. Without this foundation, it would be just another standalone tool among many.
Pure ISMS providers offer a standalone tool that operates alongside your existing organization. The ISMS module builds on what your company already knows and practices: business processes, responsibilities, and knowledge. No duplication of effort, no disruption.
No. The framework systematically guides users through business processes to familiarize them with the standard—no prior knowledge required. The onboarding process is intentionally designed to be accessible to everyone.
Yes. NIS 2 requirements can be documented in parallel with and independently of ISO 27001 and linked to existing measures—thereby avoiding duplication of effort.
Yes. You can import data via CSV or the REST API. There is no need to manually re-enter existing inventory items.
The framework was developed in collaboration with ISMS consultants and auditors—whose expertise has been directly incorporated into the methodology. Specialized consultants are available through the partner network. This saves time—both during implementation and throughout the certification process.
For medium-sized companies looking to implement or recertify ISO 27001—especially if they already have a quality management system (ISO 9001) in place or if NIS 2 requirements apply.
Simply visualize processes using the standardized BPMN 2.0 notation.
Implement all relevant standard requirements digitally and easily, whether for ISO 9001, ISO 14001, or other standards.