“Now he’s completely lost it” is probably what a regular reader might think. After all, I use plain text (Markdown) as the “single source of truth”1 in my document workflow,2 and now I want proper charts for visualization. Not ASCII bars. Actual pie charts. The kind managers and decision-makers expect. That sounds like a fundamental contradiction. I would argue it is not. In fact, I solved it in a clean way. Read more

Epyy is the name of the new icon and mascot of my open ISMS document workflow on Codeberg.1 The name comes from the Greek ἐπισκοπεῖν (episkopeîn), which translates to inspect or monitor. Think of it as a friendly, and more importantly “living”, document that guides you through the ISO 27001 and TISAX maze. The ISMS workflow is free and open source. If you need professional support or custom adjustments, feel free to reach out. PRs are welcome! Read more

Over the past few days, I once again disappeared down the proverbial rabbit hole. But let’s start from the beginning. On Saturday, I wrote a blog post to outline an automated and deterministic document workflow.1 To make it easier to follow, I also set up a Codeberg repository.2 The feedback was unexpectedly overwhelming and raised many valid points. The repository itself had been put together quickly rather than thoroughly, so I ended up revising it significantly and renaming it in the process. It is no longer just a demo. It now represents a complete, highly flexible, and at the same time very simple document workflow. Read more

Over the weekend, I published a sample repository on Codeberg.1 It proposes treating ISMS documentation like code. The concrete example is an ISO 27001 risk assessment for organizational assets. The focus is less on the document itself and more on the underlying concept. Everything is written in a universal, text-only format that will still be editable in any editor 50 years from now: Markdown.2 Markdown comes with a few practical advantages: Read more

The BSI report for 2025 (as of October 2025) is out.1 There is not much fundamentally new. Here the key points, with some context: The threat level remains high and stable.2 Misconfiguration of systems and software jumped from 28% in the previous period to 44%.3 Web-facing attack surfaces are in a “concerning state”.4 The scope includes all reachable IPs under .de domains. EDR and similar security tools do not provide sufficient protection. They remain ineffective against common attack patterns and can be bypassed with so-called EDR killers, according to Heise.5 Small and medium-sized businesses are increasingly targeted by ransomware groups. The report calls this a “fundamental misjudgment” of risk by those in charge.6 Questionable self-praise This is also typical for the BSI: Self-praise about supposed wins against international cybercrime and improved protection of critical infrastructure. That sounds odd when the same report states:7 Read more

For many, AI is the great promise for salvation. More efficiency, more ease, more future. Everyone is talking about it, so it must be true. And so many are jumping on the bandwagon, which, from the external perspective, appears to be a big party.My impression is that the discussion in medium-sized companies tends to focus more on opportunities and less on realities. There is a lack of honest assessment of the situation. And by that I don’t just mean the technology, but above all the non-technical governance. Read more

The foundation of every ISMS is a “living” inventory. In an ideal world, this communicates with the Ansible, Bash or PowerShell scripts within IT Operations. Snipe-IT, which I value and have successfully used for many years, was unknown to c’t up until now. Enjoy the read (in German): “IT-Assets im Griff” in der c’t Ausgabe 7/2021.

Home Office Workstations - Introduction How to integrate a corporate home office securely? And preferably also in a cost-effective, transparent and sustainable way! Some people might have been busy on this question due to Corona lockdown. As an external contractor, I used to stand at the sideline more than once and looked into the big arena of swarm idiocy1 and stupidity2. With this picture in mind, I’m launching a new blog series describing what I think a home office workplace for small and medium-sized businesses should look like. As always: No solution fits every use case universally. Your mileage may vary and of course the remark: I am buyable for exactly such challanges. Read more