From asset data to actionable ISMS insights

ISMS based on CMDB data – Practical implementation of ISO 27001 & NIS2

Q: Can I import ISO 27001 controls into DataGerry (e.g., for SOA)?

Yes: DataGerry supports the import of controls (CSV) and also threats/vulnerabilities/risks via the importer. This is ideal for initializing catalogs (e.g., ISO 27001 or your own policies). Building on this, the Statement of Applicability (SOA) function helps to track applicability and implementation status in a traceable manner.

Q: Does DataGerry support an “NIS2-compliant ISMS”?

DataGerry is not a “compliance magic wand,” but it supports NIS2/ISO27001 work by centrally modeling ISMS building blocks: risks, responsibilities, assets, controls, evidence, reports. Whether this is ultimately “NIS2-compliant” depends on implementation, scope, and governance practices.

Q: How does DataGerry map risk analysis and risk assessment in practice?

Using the ISMS configuration , you can define risk classes, likelihoods, impacts, impact categories, protection goals, and, based on these, the dynamic risk matrix . This allows you to map a risk logic that fits your internal policies or frameworks.

Q: How does DataGerry support governance and responsibilities (NIS2 “Management Body”)?

NIS2 emphasizes that management bodies must approve/monitor measures and that training must be provided. In DataGerry, you can model responsibilities for individuals/person groups (e.g., ISMS managers, risk owners, audit owners).

Q: What does a typical risk workflow in DataGerry look like?

A practical process is: • Record threats + vulnerabilities /import them into Waswo • Define controls/measures (e.g., ISO 27001, internal requirements) • Evaluate risks and attach risk assessments to assets/objects/groups • Maintain treatment & status (implemented/in progress/planned)

Q: What is NIS2 – and why does an ISMS play a central role in it?

NIS2 is the EU directive for a high common level of cybersecurity. The core idea is to manage risks, implement security measures, and report security incidents. An ISMS (e.g., according to ISO 27001) is the practical framework for this because it brings together policies, roles, risk analysis, control measures, and evidence in a structured way.

Q: What specific benefits does SOA offer me in the NIS2 context?

Among other things, NIS2 requires traceable measures and effectiveness testing. SOA is extremely valuable in audits because it shows at a glance which controls apply, why (not), and what the implementation status is.

Q: Which topics from NIS2 are “ISMS-related”?

NIS2 requires, among other things (excerpt): risk policies, incident handling, business continuity, supply chain security, vulnerability handling, effectiveness testing, training, cryptography/encryption, access control & asset management, MFA. It is precisely these topics that can typically be planned, documented, and made auditable using ISMS structures.

DataGerry combines comprehensive asset/service documentation with integrated risk and action processes. This means that risks are not linked “theoretically” but directly to services, systems, and dependencies—including reporting and audit evidence.
An ISMS is only as good as the data on which risk decisions are based.

Request a demo

Start free trial

From zero to compliant

5 Steps to implement an ISMS in DataGerry

1. Create transparency

An ISMS only becomes effective once it is clear “what” needs to be protected and “who” is responsible. DataGerry links ISMS directly to the CMDB database, such as assets, services, owners, and dependencies.

2. Assess risks where they arise

Risks are assessed directly on assets and object groups – not in isolated tables.
• Likelihood & Impact → automatic risk calculation and presentation in a risk matrix
• Roles → clear assignment of assessment (assessor) and responsibility (owner)
• Audit Trail → traceable who changed what and when

3. Put standards into practice

CMDB and risk assessments form the basis for mapping requirements in a structured and auditable manner:
• Asset/service transparency & responsibilities
• Risk & action management
• Identification of critical services & dependencies
• Basis for BIA and emergency/recovery planning

Create transparency

Assess risks where they arise

Put standards into practice

Make critical service chains visible

Integrate into the toolchain

4. Make critical service chains visible

Dependency visualization makes it immediately clear which services are affected when component X fails. This improves prioritization, communication, and action planning.

5. Integrate into the toolchain

Data is enriched and securely transferred via the integrated API platform (OpenCelium) – e.g., to: ITSM/ticketing, SIEM/SOC, vulnerability scanners, IAM/NAC, ISMS/GRC

ISMS and NIS2 compliance made simple

FAQ – DataGerry ISMS & NIS2

Can I import ISO 27001 controls into DataGerry (e.g., for SOA)?

Yes: DataGerry supports the import of controls (CSV) and also threats/vulnerabilities/risks via the importer. This is ideal for initializing catalogs (e.g., ISO 27001 or your own policies).
Building on this, the Statement of Applicability (SOA) function helps to track applicability and implementation status in a traceable manner.

Does DataGerry support an “NIS2-compliant ISMS”?

DataGerry is not a “compliance magic wand,” but it supports NIS2/ISO27001 work by centrally modeling ISMS building blocks: risks, responsibilities, assets, controls, evidence, reports.
Whether this is ultimately “NIS2-compliant” depends on implementation, scope, and governance practices.

How does DataGerry map risk analysis and risk assessment in practice?

Using the ISMS configuration, you can define risk classes, likelihoods, impacts, impact categories, protection goals, and, based on these, the dynamic risk matrix.
This allows you to map a risk logic that fits your internal policies or frameworks.

How does DataGerry support governance and responsibilities (NIS2 “Management Body”)?

NIS2 emphasizes that management bodies must approve/monitor measures and that training must be provided.
In DataGerry, you can model responsibilities for individuals/person groups (e.g., ISMS managers, risk owners, audit owners).

What does a typical risk workflow in DataGerry look like?

A practical process is:
• Record threats + vulnerabilities/import them into Waswo
• Define controls/measures (e.g., ISO 27001, internal requirements)
• Evaluate risks and attach risk assessments to assets/objects/groups
• Maintain treatment & status (implemented/in progress/planned)

What is NIS2 – and why does an ISMS play a central role in it?

NIS2 is the EU directive for a high common level of cybersecurity. The core idea is to manage risks, implement security measures, and report security incidents.
An ISMS (e.g., according to ISO 27001) is the practical framework for this because it brings together policies, roles, risk analysis, control measures, and evidence in a structured way.

What specific benefits does SOA offer me in the NIS2 context?

Among other things, NIS2 requires traceable measures and effectiveness testing.
SOA is extremely valuable in audits because it shows at a glance which controls apply, why (not), and what the implementation status is.

Which topics from NIS2 are “ISMS-related”?

NIS2 requires, among other things (excerpt): risk policies, incident handling, business continuity, supply chain security, vulnerability handling, effectiveness testing, training, cryptography/encryption, access control & asset management, MFA.
It is precisely these topics that can typically be planned, documented, and made auditable using ISMS structures.

For ISMS/NIS2, do I have to create “services” first, or assets?

A good practical start for NIS2/ISMS is:
• Identify critical services/business processes (scope)
• Then document the assets and dependencies (apps, systems, data, suppliers)
• Build the risk and control view on top of that
This follows the NIS2 concept of “minimizing impact on services” + “asset management.”

How do I document policies, evidence, and audit evidence neatly?

You can use File Explorer to store ISMS artifacts centrally: policies, procedures, protocols, audit evidence—with quick filing and retrieval.
This is useful for NIS2 because you can quickly gather evidence in the event of audits.

How do I integrate DataGerry into existing processes (ticketing/SIEM/GRC/automation)?

DataGerry offers REST API documentation and webhooks (CREATE/UPDATE/DELETE) for object-based events – ideal for synchronization, automation pipelines, and audit trails.
This allows you to enrich incident/change processes in ticketing with CMDB/ISMS data (without duplicate maintenance).

How do I protect sensitive ISMS data (need-to-know)?

Access control lists (ACL) allow you to control object access in a finely granular manner—down to CRUD, search, and export.
This is important if, for example, you only want to make incident/risk details visible to a very limited group of people.

How do you map supply chain security (suppliers)?

NIS2 requires supply chain security to be an integral part of risk measures.
In DataGerry, you model suppliers as objects, link them to services/assets, and attach risks/controls/evidence to them—turning “third-party risk” from a gut feeling into a verifiable structure.

How does DataGerry assist with asset management in accordance with NIS2?

NIS2 explicitly mentions asset management and access control policies as minimum requirements.
With DataGerry, you can record assets/CIs in a structured manner and bundle them specifically in the ISMS context using ObjectGroups (e.g., “KRITIS-related systems,” “crown jewels”).

What are the NIS2 reporting deadlines – and how can DataGerry help?

NIS2 provides for a three-stage reporting process:
• Early warning within 24 hours of becoming aware
• Incident notification within 72 hours
• Final report no later than 1 month after the 72-hour notification
DataGerry does not replace a reporting office – but it helps to keep the necessary information structured: affected services/assets, severity/impact, IOCs/root cause (as documentation), measures & status.

Ready to Take Control of Your Data?

Start your 14-Day Free DataGerry Trial today

Get hands-on with DataGerry, the open-source CMDB that brings structure and flexibility to your IT documentation. Explore powerful features, automate your workflows, and gain full visibility across your assets — all with zero commitment.

Start free trial

Learn more

get in touch

Contact the DataGerry Team

Do you have questions or are you facing a particular challenge?
Our dedicated DatGerry team is happy to provide you with a consultation.



Office Address
Hauptstraße 8b, 82008 Unterhaching, Germany



E-Mail
info@datagerry.com



Phone
+49 89 608668 0