Skip to content
Cybsis

Product

An ISMS that works
the way your team actually does.

A team using Cybsis 2.0 keeps its asset register, risk register, control implementations, document library, incident log, audit campaigns, vendor register, GDPR records, and service-desk inbox in one place — against any combination of compliance frameworks they need to satisfy.

Core ISMS

Six registers, one operating model.

Every Cybsis 2.0 installation ships with the Core ISMS surface — the six registers an information-security team works in daily. Modules add the operational surfaces your particular org needs on top.

Asset & business-process register

Hierarchical assets with sub-assets, CIA classification per item, owners, dependencies, and process-to-asset links. Bulk XLSX import; AI-assisted classification when AI Assistant is enabled.

Risk register

Configurable risk matrices, threat catalogues per active standard, likelihood and impact scoring, treatment plans, and asset-derived risk suggestions. Risks recalculate when the underlying asset's classification changes.

Control implementation

Apply controls from any of your active standards, attach evidence per implementation, track responsible owner, cost, and review schedule. A single control implementation can satisfy multiple framework requirements at once.

Document library

Five-stage lifecycle from draft to archive, template-driven generation, electronic signatures, version history, and automatic linking from controls to the documents that describe them.

Incident log

Capture, classify by severity, contain, recover, root-cause. Incidents link back to the controls that were supposed to prevent them, so post-incident reviews land somewhere structural.

Reporting & dashboard

Executive overview with per-standard compliance scorecards, exportable XLSX/CSV reports, and ROSI (return on security investment) calculations — the live state of the ISMS, not a static snapshot.

Plus: passkey authentication (WebAuthn) with hardware-key support, Estonian eID via Web eID and TARA SSO, custom fields per entity type, fine-grained RBAC (65 permissions across 9 domains), an executive dashboard, XLSX/CSV reporting, in-app and email notifications, full activity-log auditing, and one standard pack of your choice — all included in the Core ISMS, before any module is added.

The link is the value

One graph,
not nine silos.

Add an asset. Cybsis suggests risks for it from your active threat catalogues. Pick the controls that mitigate those risks; the system links them to the asset, to the standard requirement they satisfy, and to the policy document that describes them. Upload evidence for a control implementation — the audit campaign sees it. Change the asset's CIA classification — the linked risks recalculate and their treatments are flagged for review.

That's the difference between an ISMS as a record-keeping tool and an ISMS as an operating posture. Everything that depends on the thing you just changed surfaces as work to do, not as silent drift.

How it extends

Three axes of growth.

The Core ISMS scales in three directions independently: across frameworks, across operational surfaces, and across staff capacity through AI.

28

Frameworks in the catalogue

ISO 27001, GDPR, NIS2, DORA, NIST CSF, SOC 2, HIPAA, EU AI Act, TISAX, E-ITS, Cybsis Baseline, BSI GS++, and the rest. Any framework — in the catalogue or not — is mapped into your instance on request, typically in about two weeks. No upper limit on concurrent standards in one installation.

Browse the catalogue →

25

Add-on modules across five categories

Audit campaigns, Multi-Instance for legal-entity isolation, Federation for cross-instance reporting, GDPR Article 30 records, vendor registry, modern authentication, AD/LDAP, Jira and email-triage integrations, automation rules, and the AI modules.

See every module →

4

AI features, all opt-in

AI Assistant for in-workflow sparkle buttons. AI Documents for long-form policy drafting. Ludwig as a standalone chat advisor. Ludwig DPO as an assistant to your data protection officer. Off by default; bring-your-own-provider (public, self-hosted, or RaulWalter-supplied).

Audit readiness in two months, not six →

A day in the life

What it actually feels like.

  1. 01

    The auditor asks a question

    Your external auditor opens the lookup: "show me how A.5.1.1 is satisfied." One click reveals the linked policy document — version 3.4, approved last quarter — plus the three control implementations it backs, the seven assets they apply to, and the last review date for each. The auditor moves on. No email threads, no shared drives, no "let me get back to you next week."

  2. 02

    An asset is added mid-quarter

    DevOps spins up a new analytics database. The infrastructure lead registers it: name, CIA rating, owner. Cybsis suggests four likely risks from your active threat catalogues; the risk owner accepts three, rejects one, edits one description. The system proposes the controls that mitigate each accepted risk; control owners are notified, evidence requirements appear in their workflows. The dashboard reflects the new posture before the next leadership review.

  3. 03

    Quarterly board pack

    At quarter-end, the dashboard exports an XLSX scorecard for the board: every active standard with its compliance percentage, every outstanding finding, every overdue review, every new incident classified by severity. The CISO opens the previous quarter's pack alongside it — the per-cell deltas are calculated for them. The board meeting is forty minutes of conversation about three findings, not three hours of "where are we on this?"

Where it runs

Pick the trust boundary that fits.

RW Hosting

AWS eu-north-1 · €300/yr flat

Managed by RaulWalter. Same-day updates, active support backed by usage telemetry, zero runtime ops on your side.

Your cloud

AWS · GCP · Azure · no extra charge

Pull the Docker image into your own tenancy. You operate the runtime, you decide when to update. The encryption master key never leaves your environment.

On-premise

Defence · intel · healthcare · no extra charge

Customer-installed, customer-operated. Air-gapped mode supported via the air-gapped licence path. Zero outbound calls if AI uses a self-hosted endpoint.

All three modes ship AI off by default. When you enable it, you choose the provider — bring your own key, point at a self-hosted LLM, or let RaulWalter supply it. Full detail on the security & privacy page.

See it, configure it, or talk to us.

The tour walks you through nine product screens with commentary. The configurator lets you assemble a bundle and price it before talking to anyone. The quote form reaches us by email.