Recurity Labs Achieves ISO/IEC 27001 Certification – and Shares Lessons Learned

We’re proud to announce that Recurity Labs has successfully implemented a modern, purpose-built Information Security Management System (ISMS). On March 17th, 2025, this system was officially certified according to ISO/IEC 27001:2022—affirming our long-standing commitment to robust and verifiable information security management.

The certificate can be reviewed here.

Over the past years, client expectations around information security have grown significantly. With increased regulatory oversight and vendor assessments becoming the norm, obtaining ISO/IEC 27001 certification was a strategic step to formalize the practices we’ve long upheld—and to meet evolving requirements for trust and assurance.

The Information Security Policy (Leitlinie) can be accessed here.

Built by Practitioners, for Practitioners

Our ISMS wasn’t built from generic templates or wrapped in unnecessary bureaucracy. Instead, we created a system that truly fits our daily operations as an IT security consulting company.

Git and GitLab sit at the core of our ISMS. Most documentation lives in Markdown, while active processes are tracked as GitLab issues using built-in functionality such as assignees, labels, and due dates. This lets us treat our internal security practices with the same care and precision we apply to client work, without sacrificing usability or efficiency.

People Behind the Process

John Lißke (PGP) played a central role in the design and implementation of our ISMS. He continues to shape its structure and drive its ongoing improvement.

As CEO, Nico Lindner (PGP) provided unwavering support, ensuring the necessary resources were available and actively participating in key organizational processes.

Supporting the technical foundation, Lucas Humfeldt (PGP) contributed critical insights and hands-on expertise. He helped translate security requirements into practical technical controls across our infrastructure.

Current security contacts are published in our security.txt and kept up to date.

We encourage using security.txt for coordinated disclosure and general security communication. You are also welcome to reach out directly to the members of our ISMS team, CEO (Nico), CISO (John), or DPO (Lucas), with any questions or requests regarding information security or data protection.

Academic and Practical Validation

Our ISMS implementation was also the subject of a recently completed bachelor’s thesis:

“Framework and Reference Implementation: An ISMS According to ISO/IEC 27001:2022 for SMEs in IT Security Consulting”

The thesis outlines a practical, resource-conscious approach to building an ISMS tailored for small, technically driven consulting firms. By leveraging Git and GitLab, the solution offers version-controlled documentation, transparent change tracking, and lightweight workflows for managing dynamic processes like risk assessments and internal audits.

Structured around the PDCA cycle, the system maps ISO/IEC 27001 requirements directly onto Markdown-based documentation and GitLab issue tracking, making it both maintainable and audit-ready. Internal and external audits confirmed its effectiveness and its alignment with the requirements of ISO/IEC 27001:2022.
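One practical consequence of keeping ISMS documentation in Markdown under version control is that audit-readiness checks can be automated in CI alongside the documents themselves. The script below is an added illustration of that idea for the Git/Markdown approach described above and in the earlier section on GitLab-based tracking; it is not code from Recurity Labs or from the thesis. It assumes a hypothetical front-matter convention (owner, last review date, review interval, mapped Annex A control IDs) at the top of each document, and it runs offline over constructed sample documents embedded in the file.

```python
"""Audit-readiness check for a Markdown-based ISMS document tree.

Each policy/procedure file is expected to start with a small front-matter
block. This convention is an assumption for the example, not a format taken
from the page:

    ---
    owner: ciso
    last_review: 2025-01-15
    review_interval_days: 365
    controls: A.5.15, A.5.18
    ---

The checker flags documents that lack front matter, miss required fields,
carry unparsable dates, reference malformed ISO/IEC 27001:2022 Annex A control
identifiers, or are overdue for review. Only the standard library is used.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

REQUIRED_FIELDS = ("owner", "last_review", "review_interval_days", "controls")
# Coarse format check for ISO/IEC 27001:2022 Annex A identifiers (A.5.x .. A.8.x).
# It validates the shape only; it does not know how many controls each theme has.
CONTROL_ID = re.compile(r"^A\.[5-8]\.\d{1,2}$")

# Constructed sample documents for the example (not real Recurity Labs documents).
SAMPLE_DOCS = {
    "policies/access-control.md": (
        "---\nowner: ciso\nlast_review: 2025-01-15\nreview_interval_days: 365\n"
        "controls: A.5.15, A.5.18\n---\n# Access Control Policy\n"
    ),
    "policies/backup.md": (
        "---\nowner: ops\nlast_review: 2023-11-01\nreview_interval_days: 365\n"
        "controls: A.8.13\n---\n# Backup Policy\n"
    ),
    "procedures/incident-response.md": (
        "---\nowner: ciso\nlast_review: 2025-02-30\nreview_interval_days: 180\n"
        "controls: A.5.24, 27001\n---\n# Incident Response\n"
    ),
    "procedures/onboarding.md": "# Onboarding\nNo front matter at all.\n",
}


def parse_front_matter(text: str) -> dict[str, str] | None:
    """Return the key/value block between the leading '---' markers, or None."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return None
    meta: dict[str, str] = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return meta
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return None  # opening marker without a closing marker


def check_document(path: str, text: str, today: date) -> list[str]:
    """Collect human-readable findings for one document; empty list means clean."""
    findings: list[str] = []
    meta = parse_front_matter(text)
    if meta is None:
        return [f"{path}: missing front matter"]
    for field in REQUIRED_FIELDS:
        if field not in meta:
            findings.append(f"{path}: missing field '{field}'")
    if "controls" in meta:
        for cid in (c.strip() for c in meta["controls"].split(",")):
            if not CONTROL_ID.match(cid):
                findings.append(f"{path}: malformed control id '{cid}'")
    if "last_review" in meta and "review_interval_days" in meta:
        try:
            last = date.fromisoformat(meta["last_review"])
            interval = int(meta["review_interval_days"])
        except ValueError:
            findings.append(f"{path}: unparsable last_review/review_interval_days")
        else:
            due = last + timedelta(days=interval)
            if due < today:
                findings.append(f"{path}: review overdue since {due.isoformat()}")
    return findings


def check_tree(docs: dict[str, str], today: date) -> dict[str, list[str]]:
    """Run the check over a path -> content mapping; only documents with findings appear."""
    report: dict[str, list[str]] = {}
    for path, text in docs.items():
        findings = check_document(path, text, today)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    # Use the certification date from the announcement as the reference day.
    for path, findings in check_tree(SAMPLE_DOCS, date(2025, 3, 17)).items():
        for finding in findings:
            print(finding)
```

In a real repository the same function would be fed the result of walking the document tree, and a non-empty report would fail the GitLab pipeline, so an overdue policy review or a typo in a control mapping is caught at merge time rather than during the audit.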

📄 Thesis (PDF)

Thanks and Acknowledgments

We extend a heartfelt thanks to Felix Hackenberg and Michèle-Pierre Bluhm from HiSolutions. Their expertise, guidance, and support were invaluable in helping us turn theory into practical implementation.

What’s Next?

To us, information security is more than compliance—it’s a cultural and operational foundation. Our ISMS is a living system, and we’ll continue to iterate, improve, and refine it as we grow and adapt.