Services

What’s included

• Tenant setup or clean-up of existing environments
• Structure for teams, groups, shares & permissions
• Role model (users, power users, admins)
• Backup & restore foundations

Deliverables (verifiable)

• Documented tenant & structure overview
• Permissions & role model
• Naming & usage guidelines
• Handover documentation for internal IT

Typical use cases

• Chaos in teams / shares / folders
• Unclear access & privacy risks
• Growth without clear structure

Prerequisites

• Admin access to the tenant
• A named business owner
• Basic user/team overview

How it works

1. Current-state analysis & risks
2. Target structure & role model
3. Implementation & testing
4. Documentation & handover

What’s included

• Account/subscription structure (prod, test, dev)
• Identity & role model (least privilege)
• Network baseline (VNET/VPC, segmentation)
• Light security baseline & logging

Deliverables (verifiable)

• Documented cloud architecture
• Roles & permissions concept
• Cost conventions & naming standards
• Handover docs + operations recommendations

Typical use cases

• Cloud usage without structure
• Security concerns during growth
• Preparation for migration or new projects

Prerequisites

• Cloud account available (or newly created)
• Decision on target cloud
• Technical point of contact

How it works

1. Scope & target definition
2. Architecture & roles
3. Technical implementation
4. Documentation & handover

What’s included

• Assessment of existing backup solutions
• RPO / RTO definitions per system
• Technical backup design (cloud & on-prem)
• Restore & escalation paths

Deliverables (verifiable)

• Backup & DR concept
• Tested restore scenarios
• Runbooks for incidents
• Handover documentation

Typical use cases

• Backups exist but have never been tested
• Unclear ownership during incidents
• Ransomware or outage risk

Prerequisites

• Access to systems & backup tooling
• Defined critical systems
• IT and business contacts

How it works

1. Current-state review & risks
2. Concept & prioritisation
3. Implementation & restore tests
4. Documentation & handover

What’s included

• Network design (IP, VLANs, routing, Wi-Fi baseline)
• Server/host baseline (on-prem, cloud, or hybrid)
• Baseline services (DNS, DHCP, NTP, file services, auth integration)
• Hardening to best practices (without overengineering)

Deliverables (verifiable)

• Architecture overview (current/target)
• Network & system documentation
• Access & role overview
• Baseline operations setup

Typical use cases

• Rebuild or consolidation of infrastructure
• Growth: more users, sites, or services
• Risky or undocumented legacy setups

Prerequisites

• Access to existing systems/networks
• One internal technical point of contact
• Basic target definition (stability, growth, security)

How it works

1. Inventory & target definition
2. Design & alignment
3. Implementation & testing
4. Documentation & handover

What’s included

• Define meaningful KPIs (measure the right things, not everything)
• System & service monitoring (servers, network, applications)
• Baseline log analysis & error detection
• Alerting (email, chat, escalation path)

Deliverables (verifiable)

• Monitoring dashboards
• Alert rules & escalation logic
• Documented KPIs & thresholds
• Short operations guide

Typical use cases

• “We only notice issues when users complain.”
• Unclear root causes for performance issues or outages
• Growth without visibility into limits

Prerequisites

• Access to target systems
• Defined critical services
• Contact for alert escalation

How it works

1. Service & KPI definition
2. Technical integration
3. Alert testing & tuning
4. Handover & briefing

What’s included

• Technical system documentation (architecture, dependencies)
• Runbooks for operations & incidents
• Access & role overview
• Change & handover protocol

Deliverables (verifiable)

• Up-to-date system & network documentation
• Operations handbook (runbooks)
• Backup/restore overview (if applicable)
• Handover session (remote or on-site)

Typical use cases

• Switching providers
• Building internal IT capability
• Audit, ISO, or compliance preparation

Prerequisites

• Access to relevant systems
• Named internal owner
• Decision: run internally or outsource

How it works

1. Review & structuring
2. Documentation & runbooks
3. Review & additions
4. Handover & Q&A

What’s included

• Review of existing users, roles, and privileged exceptions
• Definition of a clear role model (user / admin / service)
• Introduce or harden MFA & conditional access
• Break-glass / emergency accounts (documented)

Deliverables (verifiable)

• Role & permission matrix
• Conditional Access policies (documented)
• Admin & emergency access model
• Handover documentation

Typical use cases

• Too many admins / unclear permissions
• Audit or ISO preparation
• Growth, new sites, or external partners

Prerequisites

• Access to the identity system (e.g., Microsoft Entra ID)
• Named IT & business owner

Process

1. Current-state assessment & risk review
2. Role & policy design
3. Implementation & testing
4. Documentation & handover

What’s included

• Review of tenant settings & Security Defaults
• Hardening of Exchange, SharePoint, OneDrive, Teams
• Cleanup of admin & app permissions
• Alignment with Microsoft best practices

Deliverables (verifiable)

• Tenant hardening checklist (before/after)
• Documented security configuration
• Recommendations for next maturity steps

Typical use cases

• Fast-grown tenant
• Security incidents or near-misses
• External review announced

Process

1. Tenant assessment
2. Alignment on critical changes
3. Implementation & validation
4. Documentation & handover

What’s included

• Enablement of security-relevant logs
• Central collection (cloud / SIEM-light)
• Definition of meaningful alerts
• Retention & access rules

Deliverables (verifiable)

• Logging architecture & data flows
• Alert list incl. thresholds
• Quick guide: “What to do when an alert fires”

Typical use cases

• Unclear security incidents
• Audit or compliance requirements
• Lack of visibility into admin activity

What’s included

• Review of architecture & attack surface
• Auth/session & API security checks
• Baseline hardening (headers, secrets, access)
• Alignment with OWASP Top 10

Deliverables (verifiable)

• Risk & remediation list
• Prioritised fix recommendations
• Security guidelines for developers

Typical use cases

• In-house web or SaaS applications
• Go-live of new systems
• Security incidents or customer requirements

What’s included

• Requirements capture & technical specification
• Architecture design (frontend, backend, APIs)
• Implementation with clean standards & testing
• Baseline security (auth, roles, secrets, logging)
• Operations concept (hosting, updates, backups—light)

Deliverables (verifiable)

• Working web application (prod/stage)
• Technical documentation & architecture overview
• API documentation (if relevant)
• Runbook for operations & further development

Typical use cases

• Internal business tools (CRM extensions, admin portals)
• Customer & partner portals
• Digital processes that off-the-shelf tools can’t cover

Prerequisites

• Business owner (requirements & priorities)
• Hosting/environment decision (cloud/on-prem)
• Access to existing systems (if integration is required)

Process

1. Kickoff & requirements workshop
2. Specification & architecture sign-off
3. Implementation & testing
4. Go-live, handover & documentation

What’s included

• Process discovery (as-is / to-be)
• Workflow design incl. approvals & escalation
• System integration (M365, ticketing, CRM, APIs, files)
• Logging, error handling & notifications

Deliverables (verifiable)

• Production workflows
• Documented flow (diagram + text)
• Runbook (start/stop, failure scenarios)
• Handover to internal IT or business owners

Typical use cases

• User on-/offboarding
• Ticketing & approval workflows
• File routing, notifications, reporting

Prerequisites

• Process owner (business)
• Access to target systems
• Clear definition of error & exception cases

Process

1. Kickoff & process discovery
2. Workflow design & alignment
3. Implementation & testing
4. Production rollout & handover

What’s included

• Use-case workshop + prioritisation (value vs. effort/risk)
• Tool/model selection (vendor-neutral) + architecture options
• Data/interface check (light) + privacy/security guardrails
• Roadmap (quick wins → scalable operations)

Deliverables (verifiable)

• AI use-case map (incl. prioritisation)
• Architecture sketch + decision points
• Guardrails (data, roles, logging—light)
• Next-steps plan (2–6 weeks)

Typical use cases

• “We want AI—but done sensibly” (management alignment)
• Multiple teams testing tools without governance
• POC needs to transition into stable operations

Prerequisites

• 1–2 owners (business + IT)
• Sample data/processes (optional; anonymisation possible)
• Privacy/compliance contact (for fast decisions)

Process

1. Kickoff (goals, risks, scope)
2. Use-case workshop + prioritisation
3. Architecture/guardrails + tool selection
4. Documentation + decision pack

What’s included

• Connect knowledge sources (SharePoint, Confluence, files, tickets—depending on setup)
• Roles/permissions concept (who can see what)
• Answer logic (prompt templates, source citations, “I don’t know” rules)
• Operations (monitoring light, feedback loop, runbooks)

Deliverables (verifiable)

• Assistant system (web/chat) + documentation
• Source & index concept (RAG light)
• Role model + access control
• Handover: runbook + change log

Typical use cases

• 1st-line support (IT / customer service)
• HR (policies, onboarding)
• Management briefings (summaries, Q&A)

Prerequisites

• Approval of knowledge sources + access
• Definition of “confidential” vs. “internal public”
• Acceptance process (who approves changes)

Process

1. Kickoff + data classification
2. Prototype (1–2 sources) + feedback
3. Hardening (permissions, guardrails, tests)
4. Rollout + handover

What’s included

• Process discovery (as-is/to-be) + automation backlog
• Workflow design (human-in-the-loop, approvals, escalation)
• Integration (email, DMS, CRM/ERP, tickets—depending on systems)
• Quality assurance (tests, evaluation, logging)

Deliverables (verifiable)

• Automated workflows + monitoring
• Runbooks + failure/escalation path
• KPIs (cycle time, error rate)—light
• Handover: documentation + change log

Typical use cases

• Email triage + ticket creation
• Document classification + filing
• Reporting automation

Prerequisites

• Business owner (process ownership)
• Access to target systems/APIs
• Defined acceptance & rollback approach

Process

1. Kickoff + process discovery
2. Workflow design + prototype
3. Integration + tests + monitoring
4. Rollout + handover

What’s included

• Analysis of the current or planned architecture
• Evaluation of multiple solution options
• Risk, cost, and operational impact review
• Vendor-neutral comparison of tools & platforms

Deliverables (verifiable)

• Architecture sketches (as-is / to-be)
• Decision brief with pros & cons
• Risk & dependency overview
• Recommendation incl. next steps

Typical use cases

• Cloud strategy or redesign
• Make-or-buy decisions
• Uncertainty between multiple vendors

Prerequisites

• Technical & business stakeholders
• Transparency on goals & constraints

Process

1. Clarify goals & decision boundaries
2. Assessment & option comparison
3. Documentation & decision support

What’s included

• Definition of roles & responsibilities
• Core policies (access, change, data)
• Structure for documentation & evidence
• Light alignment to GDPR / ISO / internal requirements

Deliverables (verifiable)

• Roles & responsibility model
• Practical policy templates
• Governance structure (folders, docs, logs)
• Recommended improvements & next steps

Typical use cases

• Unclear ownership in IT & cloud
• Before audits or customer requirements
• Growth without clear rules

Prerequisites

• Named IT and business owners
• Willingness to enforce clear rules

Process

1. Current-state review & target operating model
2. Define roles & policies
3. Documentation & handover

What’s included

• Review of your current IT/cloud architecture
• High-level overview of identities, access, and core security basics
• Check of backup, operations, and ownership/responsibilities
• High-level cost and complexity assessment

Deliverables (verifiable)

• Risk & vulnerability overview (clearly prioritised)
• Quick wins (immediately actionable)
• Recommended next steps (30–90 days)
• Short report (management-ready)

Typical use cases

• Grown IT with no clear structure
• After security incidents or audits
• Before migration, growth, or provider changes

Prerequisites

• Short access to IT owners
• Read-only access or screen sharing is sufficient

Process

1. Kick-off & goal definition
2. Review & assessment
3. Summary + recommendations

What’s included

• Standardised OS setup (Windows / macOS)
• Full-disk encryption (BitLocker / FileVault)
• Automatic updates & baseline hardening
• Integration into MDM / identity / policies

Deliverables (verifiable)

• Documented device standard
• Baseline configuration (security / updates)
• Handover documentation for IT
• Change log (what’s standard vs optional)

Typical use cases

• New hires / fast onboarding
• Inconsistent device setups & high support load
• Preparation for MDM or security audits

Prerequisites

• Device access (physical or remote)
• Identity system (e.g. Entra ID, Google, LDAP)
• Definition of standard vs exception cases

Process

1. Current-state review & standard definition
2. Technical setup & testing
3. Rollout / handover
4. Documentation & acceptance

What’s included

• Onboarding process (user, device, access)
• Offboarding incl. data wipe & account blocking
• Device replacement / defect / spare process
• Roles & responsibilities

Deliverables (verifiable)

• Lifecycle documentation
• Checklists (onboarding / offboarding)
• RACI / responsibilities
• Audit-ready evidence

Typical use cases

• Growing team without clear routines
• Security risk during staff changes
• Unclear ownership between IT & HR

Prerequisites

• Alignment with IT & HR
• Definition of minimum vs exception cases
• Access to identity & MDM

Process

1. Current-state review & risk assessment
2. Process design & approval
3. Documentation & training
4. Handover

What’s included

• Security baseline (OS, user privileges, services)
• Firewall and Defender/AV configuration
• Light application control
• Logging & baseline monitoring

Deliverables (verifiable)

• Hardened baseline
• Policy documentation
• Deviations & explicit exceptions
• Restore / rollback guidance

Typical use cases

• Reduce ransomware risk
• Prepare for audits / cyber insurance
• Unclear local admin rights

Prerequisites

• MDM or central management
• Approval for security policies
• Test group (pilot devices)

Process

1. Current-state review & risk assessment
2. Baseline & policies
3. Pilot & refinement
4. Rollout & documentation

What’s included

• Define roles & responsibilities (IT, business, management)
• Decision and escalation paths (who decides what—and when)
• Rules for changes, access, documentation, and operations
• Clear boundary between internal IT and external providers

Deliverables (verifiable)

• Governance overview (1–2 pages, plain language)
• Roles & responsibilities matrix (RACI light)
• Change & decision logic
• Documentation structure (where things live, who maintains them)

Typical use cases

• Growing IT without clear ownership
• Dependency on single providers
• Unclear decisions during incidents or changes

Prerequisites

• Named IT owner
• Baseline overview of current systems & partners
• Management backing for clear rules

Process

1. Current-state review (structure, roles, pain points)
2. Define target state & governance rules
3. Stakeholder alignment
4. Documentation & handover

What’s included

• Identify relevant requirements (e.g. GDPR, ISO “light”, customer requirements)
• Create pragmatic policies (access, backup, logging, changes)
• Evidence structure: what must be documented—and where
• Align “policy” with actual day-to-day practice

Deliverables (verifiable)

• IT policies (clear & actionable)
• Evidence & documentation map
• Audit checklist (what’s asked, where it lives)
• Gap list with concrete actions

Typical use cases

• Customers or partners require compliance evidence
• Preparation for ISO / internal audit / due diligence
• “We do many things right—but can’t prove it”

Prerequisites

• Access to existing IT documentation
• Contacts in IT & data protection
• Willingness to name gaps realistically

Process

1. Define scope & requirements
2. Review systems & documentation
3. Create policies & evidence
4. Handover + recommendations

What’s included

• Define core policies (access, passwords, devices, data)
• Technical standards (naming, roles, baseline setups)
• Align with actual IT operations
• Rules for exceptions (explicit & documented)

Deliverables (verifiable)

• IT policy set (short & clear)
• Standards & templates library
• Maintenance & update approach
• Overview: what’s mandatory vs recommended

Typical use cases

• Inconsistent setups across teams or providers
• Arguments for every new system
• Security rules interpreted differently

Prerequisites

• Overview of existing standards (if any)
• Involve IT + business stakeholders
• Commitment to clear, simple rules

Process

1. Review current state
2. Define core standards
3. Align & simplify
4. Document & roll out

What’s included

• Analysis of current cloud spend (compute, storage, network, licences)
• Identify quick wins (oversizing, idle resources, wrong pricing tiers)
• Structure costs by cost centres, projects, or teams
• Introduce FinOps basics (budgets, alerts, ownership)

Deliverables (verifiable)

• Cost analysis with savings potential
• Action list incl. prioritisation (quick wins / structural)
• FinOps guidelines (light)
• Clear cost dashboards or reports

Typical use cases

• Cloud spend rises faster than expected
• Costs cannot be assigned to teams/projects clearly
• No budgets or alerting
• “Nobody owns the bill”

Prerequisites

• Access to cloud billing (read-only is enough)
• Baseline understanding of the current architecture
• One contact person for IT + (if needed) finance

Process

1. Cost and usage analysis
2. Quick-win implementation or recommendations
3. Structural FinOps measures
4. Handover of documentation & governance model

What’s included

• Review existing licence models (M365, Google, cloud, specialist software)
• Compare usage vs paid licences
• Assess contract terms and upgrade traps
• Define a clean licence standard per role

Deliverables (verifiable)

• Licence inventory (current state)
• Optimisation proposals incl. savings potential
• Licence policy (who needs what—and why)
• Recommendations for renewal / migration

Typical use cases

• Too many or wrong M365/cloud licences
• Unclear rules during onboarding/offboarding
• Fear of compliance violations or audits
• Contracts grow historically—without control

Prerequisites

• Access to admin & licensing portals (read-only)
• Overview of user / role structure
• Point of contact in Procurement / Finance (optional)

Process

1. License & usage analysis
2. Identify over- / under-licensing
3. Define target model
4. Handover + actionable recommendations

What’s included

• Analysis of critical business processes and IT dependencies
• Business Impact Analysis (downtime, data loss, risk exposure)
• Definition of RTO/RPO and recovery priorities
• Action catalogue for IT, organisation, and communications

Deliverables (verifiable)

• End-to-end BCM concept (clearly structured & readable)
• Business Impact Analysis (BIA)
• Roles & responsibility matrix
• Actions & priority list

Typical use cases

• Growing company without formal contingency planning
• Dependency on cloud, IT, or SaaS providers
• Preparation for audits, customer requirements, or certifications

Prerequisites

• Named process and IT owners
• Basic overview of systems & processes
• Management commitment for priorities & decisions

Process

1. Kickoff & scope definition
2. Business Impact Analysis (workshops)
3. BCM concept & action planning
4. Documentation & handover

What’s included

• Preparation of realistic incident scenarios (IT, cyber, organisational)
• Facilitated tabletop session with relevant stakeholders
• Decision-making & communication simulation
• Debrief with concrete improvement actions

Deliverables (verifiable)

• Documented exercise results
• Identified gaps & risks
• Concrete action & improvement plan
• Update of existing incident / BCM plans (optional)

Typical use cases

• BCM exists but has never been realistically tested
• New leaders or new roles in the crisis team
• Preparation for audits or customer requirements

Prerequisites

• Named participants (IT, leadership, communications)
• Basic incident or BCM documents (if available)
• Willingness for honest assessment & improvement

Process

1. Preparation & scenario design
2. Run the tabletop exercise
3. Review & lessons learned
4. Action plan & handover

What’s included

• Analysis of existing data sources (ERP, CRM, spreadsheets, tools)
• Definition of a clear data structure (single source of truth)
• KPI workshop: what you actually need—and what you don’t
• Roles & responsibilities (owner, maintenance, approval)

Deliverables (verifiable)

• Data map (sources, flows, dependencies)
• KPI catalogue incl. definitions & calculation logic
• Target architecture (logical, tool-agnostic)
• Recommended next steps (quick wins & roadmap)

Typical use cases

• Different numbers depending on the department
• Decisions based on “feel” rather than data
• Many reports—no one knows which one is correct

Prerequisites

• Access to existing reports & data sources
• 1–2 business decision-makers (management / controlling)
• Basic understanding of current processes

Process

1. Kickoff & goal definition
2. Data analysis & KPI workshop
3. Structure & architecture design
4. Documentation & handover

What’s included

• Translating KPIs into understandable visualisations
• Dashboard design (executive vs. operational)
• Data connectivity (existing systems & exports)
• Filters, drilldowns & time comparisons

Deliverables (verifiable)

• Production-ready dashboards (tool depends on setup)
• Documented KPI calculations
• Data source & refresh logic
• Handover & quick-start guide

Typical use cases

• Monthly reporting takes days instead of minutes
• Leadership constantly requests ad-hoc analyses
• No single, consistent view of performance

Prerequisites

• Defined KPIs (or a data strategy in place)
• Access to relevant data sources
• Alignment with leadership / business owners

Process

1. Align target audience & KPIs
2. Prototype + feedback
3. Finalisation & polish
4. Handover & documentation