Seven structured steps, ten required content blocks, one free structural template. Plus a €1,500 consultation with a Sekuris security consultant for your site.
More than 200 companies trust Sekuris. A selection of our clients:
Definition
A security concept is the written compilation of all structural, technical, organisational and personnel measures by which a company reduces identified security risks to an acceptable residual level. It is the basis for insurance, regulatory and audit evidence — and depending on the sector legally required.
Reference frameworks per sector are DIN VDE V 0827, the state assembly-venue regulations (VStättVO), BSI baseline protection, ISO 27001/27002 and the BSI Critical Infrastructure ordinance. For sector-specific requirements (pharma GxP, automotive TISAX, food BRC) we integrate the relevant standards. A well-built security concept has a typical lifespan of 3 to 5 years — with annual review.
7 steps
Seven steps that an audit-ready security concept demands — whether you build it internally or with consultants. Each step delivers a traceable artefact that must be presented in audit cases.
1. What exactly must be protected — people, assets, data, business processes, reputation? Which sites, which times, which occasions (regular operations, high-risk phases, events)? Without clear protection goals every subsequent measure becomes arbitrary. We recommend formulating protection goals in management language, not security jargon.
2. Which threats are realistic? Theft, sabotage, fire, natural events, cyber-attack, insider incident, targeted assault? Per threat: probability (1–5) × impact (1–5) = risk score. Industry-established models include BSI baseline protection and ISO 27005. Sekuris delivers the risk analysis as a 5–15 working day mandate.
3. What's already in place? Structural protection (fences, doors, locks, fire compartments), technical systems (alarm, video, access control, fire detection), organisational rules (house rules, key management, visitor workflow), personnel resources (gatekeepers, guarding, training). The gap between current state and threat defines the action catalogue.
4. Per identified risk: concrete measure(s) with effort, cost and residual risk after implementation. Prioritisation by risk score × feasibility — quick wins (low effort, high impact) first. We separate measures into structural, technical, organisational, personnel — the four-pillar model from DIN VDE V 0827.
5. What happens in an emergency? Fire, break-in, bomb threat, IT incident, crisis communication. Per scenario: escalation matrix, responsible roles, communication path, immediate measures, interfaces to authorities (police, fire, BSI). Tabletop exercises with management help find gaps before the actual event.
6. Security concept as a written document with version status, management sign-off, regular review cycle (annual minimum, more frequent on change). Staff training on house rules, emergency plans, data-protection interface. Audit plan: internal audits semi-annually, external audits for TISAX, KRITIS, ISO 27001 every 1–3 years.
7. A security concept is not a project but a lifecycle. Define KPI set (incidents per quarter, response times, training rate), reporting to management, lessons learned from every incident fed back into the concept. Sekuris takes over this lifecycle management as a recurring mandate on request — or accompanies internal implementation in a consulting role.
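The scoring in step 2 (probability × impact on a 1–5 scale) and the prioritisation in step 4 (risk score × feasibility, quick wins first, residual risk after the measure) can be kept in a small risk register. The following is an added example, not Sekuris material: the feasibility mapping (6 minus effort), the quick-win thresholds, the acceptance level and every threat in the sample register are assumptions constructed for illustration.

```python
from dataclasses import dataclass

PILLARS = ("structural", "technical", "organisational", "personnel")  # four-pillar model named in the text

def check_scale(value: int, name: str) -> None:
    """Probability, impact and effort all live on the 1-5 scale; reject anything else early."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

@dataclass
class Risk:
    threat: str
    probability: int           # 1-5, how likely the threat is to materialise
    impact: int                # 1-5, damage if it does
    measure: str               # planned counter-measure (step 4)
    pillar: str                # structural / technical / organisational / personnel
    effort: int                # 1 (cheap, fast) .. 5 (major project); feasibility is its inverse
    residual_probability: int  # expected probability once the measure is in place
    residual_impact: int       # expected impact once the measure is in place
    def __post_init__(self) -> None:
        for name in ("probability", "impact", "effort", "residual_probability", "residual_impact"):
            check_scale(getattr(self, name), name)
        if self.pillar not in PILLARS:
            raise ValueError(f"unknown pillar {self.pillar!r}")
    def score(self) -> int:      # step 2: probability x impact
        return self.probability * self.impact
    def residual(self) -> int:   # step 4: risk left after the measure is implemented
        return self.residual_probability * self.residual_impact
    def priority(self) -> int:   # step 4: score x feasibility; feasibility = 6 - effort is an assumed mapping
        return self.score() * (6 - self.effort)

def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest score x feasibility first; ties broken by the raw risk score."""
    return sorted(register, key=lambda r: (r.priority(), r.score()), reverse=True)

def quick_wins(register: list[Risk], max_effort: int = 2, min_score: int = 12) -> list[Risk]:
    """Low effort, high impact. The thresholds are assumptions for this example."""
    return [r for r in register if r.effort <= max_effort and r.score() >= min_score]

def open_risks(register: list[Risk], accept_at: int = 6) -> list[Risk]:
    """Residual score still above the accepted level: needs another measure or an explicit sign-off."""
    return [r for r in register if r.residual() > accept_at]

REGISTER = [  # constructed sample register for a fictitious site; values are illustrative only
    Risk("Burglary at warehouse", 4, 4, "Access control + intruder alarm", "technical", 3, 2, 4),
    Risk("Fire in server room", 2, 5, "Fire detection + fire compartments", "structural", 4, 1, 5),
    Risk("Tailgating at visitor entrance", 4, 3, "Visitor workflow + badge rule", "organisational", 1, 2, 3),
    Risk("Insider misuse of keys", 3, 4, "Key management log", "organisational", 2, 2, 3),
    Risk("Targeted assault at event", 1, 5, "Guarding by qualified staff", "personnel", 3, 1, 4),
]
```

Running `prioritise(REGISTER)` puts the cheap organisational fix for tailgating ahead of the higher-scoring but costlier burglary measure, and `open_risks(REGISTER)` flags the burglary risk as still above the acceptance level after its measure, which is exactly the residual that step 4 asks to be documented.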
Table of contents
Ten required and recommended sections for an audit-ready concept. Skipping sections risks insurer or auditor objections — and for VStättVO-required events, even permit denial.
| Section | Status | Content examples |
|---|---|---|
| Protection goals & scope | Required | Asset definition, site delineation, temporal scope |
| Risk analysis | Required | Threat matrix, scoring, prioritised risk list |
| Structural measures | Required | Building envelope, doors/gates, fire compartments, screening |
| Technical systems | Required | EMA (intruder alarm), BMA (fire alarm), video, access, monitoring, maintenance cycles |
| Organisation & house rules | Required | House rules, keys, visitor workflow, shift planning |
| Personnel measures | Required | Gatekeepers, guarding, qualifications, §34a, training |
| Emergency and crisis plans | Required (VStättVO/KRITIS) | Fire, evacuation, bomb threat, crisis team, press strategy |
| Data-protection interface | Required | Video GDPR, processing register |
| Training and audit plan | Recommended | Annual training, semi-annual internal audit |
| KPI and reporting set | Recommended | Incidents, response time, training rate, management report |
Template & consulting
We provide a structural template (table of contents + checklist per step) free of charge as part of the free security consultation. It's useful for internal security officers building a first concept.
A template does not replace site-specific analysis — threats, structural particularities and business processes are unique per location. For audit-ready concepts (KRITIS, ISO 27001, TISAX, VStättVO from 5,000 visitors) we recommend consultant work. Sekuris delivers the complete concept in 4–12 weeks under a clear fixed-price mandate.
Answers to the most common questions from B2B security-consulting mandates.
In a 30-minute consultation with a Sekuris security consultant we clarify which concept depth you need — template for self-creation, risk analysis, complete concept or audit accompaniment.