Audit-ready Managed IT

Audit-ready IT for
ISO 27001, TISAX and NIS2.

we-IT standardises the technical baseline, operates it continuously and delivers reliable evidence — so audits, assessments and customer requirements do not fail at the technical layer.

  • Fixed price per user/month
  • Baseline + operations + evidence
  • Cloud, hybrid, BYOD

Designed for organisations with a real trigger — such as ISO 27001, TISAX, NIS2 or security requirements coming from enterprise deals and supply chains.

When this becomes relevant

Three triggers,
one technical answer.

Whether the pressure comes from regulation, procurement or the supply chain, the path to reliable, auditable IT is the same. We translate the concrete trigger into a standardised baseline that holds up in audits.

NIS2

Management needs reliable implementation evidence.

NIS2 is no longer hypothetical. Affected organisations need technical and organisational measures that are implemented, operated and documented — not just intentions.

ISO 27001

Enterprise customers expect technical maturity, not just policies.

ISO 27001 becomes critical as soon as sales, procurement or auditors want to inspect the technical layer. That is exactly where we operate.

TISAX

The supply chain requires TISAX — internal capacity is too limited for a clean baseline rollout.

When a customer asks for TISAX, the technical baseline has to become audit-ready quickly. we-IT implements it; the assessment stays with the relevant audit provider.

The technical baseline

A baseline
that holds up in operations.

We do not deliver slide decks. We deliver a standardised technical operating model. That makes audit readiness predictable both in implementation and in day-to-day operations.

01

Identity & Access

MFA, conditional access, admin separation and traceable access control.

02

Device Management & Compliance

Managed BYOD and company-owned devices with access limited to compliant endpoints.

03

Patch & Vulnerability

Measurable patch compliance with a documented exception process.

04

Backup & Restore

Recoverability is tested and evidenced, not assumed.

05

EDR & Incident Readiness

Broad protection with clear reaction and escalation paths.

06

Logging & Monitoring

Verifiable event data, evaluated and exportable.

Fit

What the model fits —
and what it does not.

Our model only works if scope and expectations are aligned. So here are two honest lists.

Typically a fit

When there is a real trigger and clear ownership

  • You have a concrete trigger: ISO 27001, TISAX, NIS2 or security requirements from tenders and customers.
  • There is an internal IT owner and management sponsor, but not enough bandwidth for proper technical standardisation.
  • You want a clear standard instead of permanent one-off exceptions.
  • Cloud or hybrid is fine — Windows, macOS, iOS, Android and managed BYOD.

Usually not a fit

So nobody loses time

  • You are looking for a certification guarantee or paper compliance only.
  • You need legal advice, ISMS consulting or a certification body.
  • Local admin rights, unmanaged BYOD or shadow IT are expected to remain the default.
  • There is no real trigger and no decision maker on the customer side.

How it works

From readiness check
to evidence routine.

A repeatable delivery model that stays predictable for scope, operations and later audits.

free 01

Readiness check

Short first conversation with an honest go/no-go view.

proposal 02

Scope & fixed price

Clear guardrails, non-negotiables and price per user/month.

4–8 weeks 03

Baseline rollout

Technical implementation of the controls into a clean target state.

ongoing 04

Managed operations

Operations, remediation, changes and exceptions within a standard model.

monthly 05

Evidence

Reports, exports and screenshots for auditors, consultants and customers.

Clear boundaries

What is included —
and what intentionally is not.

we-IT is the technical implementation and operations partner. That clear role definition is what makes collaboration with auditors and consultants easier.

Included

The audit-relevant baseline is implemented, operated and documented.

  • Identity, device, patch, backup, EDR and logging as standardised controls
  • Onboarding, offboarding, changes, incident handling and exception management
  • Monthly evidence packages including reports, exports and screenshots
  • Quarterly restore tests and recurring baseline reviews

Intentionally not included

We do not replace the auditor or the certification consultant.

  • No audit and no direct execution of assessments or certifications
  • No legal advice, especially not on NIS2 applicability
  • No ISMS consulting, policy governance or certification guarantee
  • Those roles stay with the auditor, consultant or your internal organisation

References

Built for
real audit pressure.

Two customers whose names we may mention here — different triggers, same requirement: a technical baseline that stands up in audits.

TeleClinic GmbH

ISO 27001 certified environment with BYOD and company-owned devices, operating across the EU and internationally.

Digital Health · ISO 27001
We wanted to truly standardise our technical controls properly — under real audit pressure. we-IT took full ownership: from the baseline through implementation to ongoing operations. Result: a successfully certified setup.

Matthias Hoyer — Chief Technology Officer, TeleClinic GmbH

Trigger

ISO 27001

Scope

Baseline + operations

Stack

BYOD + company-owned

Wittmann Projektmanagement GmbH

Project with a clear supply-chain trigger and the goal of making the technical baseline audit-ready quickly and reliably.

Germany · TISAX
TISAX was not a voluntary project for us. It was a clear requirement from the supply chain. we-IT integrated the technical baseline so cleanly that there were practically no open questions left in the audit.

Christoph Grill — Managing Director, Wittmann Projektmanagement GmbH

Project

TISAX

Scope

Baseline integration

Evidence

On demand

ISO
27001

we-IT is ISO 27001 certified itself.

Our own Trust Center shows the standard we apply internally. That is the basis on which we deliver baseline and evidence consistently across customers.

Open Trust Center

Frequently asked questions

Answers before you ask.

The questions that come up in almost every first conversation.

Is this an audit or certification consultancy?

No. we-IT handles technical implementation, operations and evidence. Audit, assessment, certification and legal interpretation remain with the respective roles.

Do you guarantee certification?

No. There is no serious certification guarantee. We make sure the technical baseline is implemented properly, operated continuously and supported by evidence.

Does this still fit if we already have an MSP or consultant?

Yes, as long as the audit-relevant baseline clearly sits with we-IT. Existing consultants or auditors stay in place; we provide the technical evidence.

How is the fixed price calculated?

The fixed price is defined after the readiness check. It depends on user count, device scope, existing baseline gaps, required support level and the evidence routine. The goal is a stable price per user/month instead of unpredictable day rates.

How fast can this move?

Four to eight weeks is a realistic baseline rollout window. After that, the ongoing evidence routine starts immediately.

What happens with legacy systems or special cases?

Either we move them into the standard or we document them properly as time-bound exceptions with compensating measures.

Contact

Prefer to write first?

Send us a short note about your situation. We will reply with an initial assessment or suggest the right next step directly.

Region: Germany · B2B
Response time: Usually < 1 business day

When you submit the form, we process your details to handle your request. Details are available in our privacy notice.

Next step

One conversation, one honest assessment.
Go or no-go.

The readiness check is free of charge and takes around 45 minutes. Afterwards you will know whether the model fits your situation.