discovered, explained

DIN SPEC 27076

The CyberRisikoCheck (CRC) shows you how secure your company's IT is.

In view of the increasing threats posed by cybercrime, protecting IT and information security is essential for small and medium-sized enterprises (SMEs) and local authorities. The CyberRisikoCheck (CRC) in accordance with DIN SPEC 27076 offers an efficient way of assessing the current security status.

What is the CyberRisikoCheck?

The CyberRisikoCheck (CRC) is a method for assessing information security, especially for SMEs and local authorities. It analyses the current situation and provides an overview of potential threats and the current security status. This testing and assessment tool was developed under the direction of the German Federal Office for Information Security (BSI) and Der Mittelstand. BVMW e.V.

The CRC serves as a first step towards improving information security, whereby the implementation of the recommendations is the responsibility of the company. TÜVIT provides support if required.

To the BSI website on the CRC
Protection of information security

This is where CyberRisikoCheck comes in

Topics covered in the survey of the current situation

  • Organisation and awareness
  • Patch and change management
  • Identity and authorisation management
  • Protection against malware
  • Data backup
  • IT systems and networks

Your advantages at a glance

  • Early detection of security risks
    The CyberRisikoCheck (CRC) helps you to identify potential vulnerabilities in your IT infrastructure at an early stage, before they can be exploited by cyber criminals.
  • Cost efficiency
    You get a cost-effective way to assess your information security without having to implement expensive and comprehensive security solutions immediately.
  • Cross-industry application
    The CyberRisikoCheck (CRC) is suitable for various industries and can be flexibly adapted to the specific needs and requirements of your company.
  • Recommendations for action
    You receive concrete and actionable recommendations for improving your security measures based on the individual results of the CyberRisikoCheck (CRC).
  • Funding opportunities
    Benefit from government funding programmes that provide financial support for the implementation of security measures and make your investment in IT security even more attractive.
  • Trust and reputation
    Your proven commitment to IT security can strengthen the trust of your customers and business partners and improve your company's reputation.
  • Compliance and legal requirements
    The CyberRisikoCheck (CRC) helps you to better fulfil legal requirements and compliance specifications in the area of information security.
  • Strategic planning
    Use the results of the CyberRisikoCheck (CRC) as a basis for the strategic planning and prioritisation of your security measures.
  • Support from experts
    With our IT compliance specialists and IT security experts, you have the best possible support to guide your company both during and after the CyberRisikoCheck (CRC).

Overview of funding opportunities

Benefit from various funding programmes that provide financial support for carrying out a CyberRisikoCheck (CRC). Download an up-to-date overview of all relevant funding opportunities here.
The list has been carefully compiled and is current as of November 2025. It provides a quick overview of available programmes at federal and state level, including the subject of the funding, scope of funding and conditions.

The CyberRisikoCheck process comprises four phases

1. Initial consultation

We conduct the initial consultation with you and inform you about the CyberRisikoCheck (CRC) process. We also provide information on the required documents and the group of participants. Initial company data is also collected and the next steps are agreed.

2. Recording the current status

Based on the catalogue of requirements (DIN SPEC 27076), the current status of information security in your company is assessed in a survey interview (max. 3 hours) and the most important security risks are made visible.

3. Evaluation and results report

The survey data is analysed by TÜVIT and the company's hazard risk is quantified. The results are documented in a report. Recommendations for action are also included in the results report.

4. Presentation of the results

The results of the CyberRisikoCheck (CRC) will be presented and explained to you. We will provide you with recommendations for action and an overview of funding opportunities to improve information security in your company.

Potential vulnerabilities identified with CRC – what next?

Re-CyberRisikoCheck

Re-performance of the CyberRisikoCheck (CRC) for a reliable before-and-after comparison.

Identification of further steps

Advice on implementing the measures identified as part of the CyberRisikoCheck (CRC).

Data protection & website check

Checking the data protection compliance of your website.

Gap analysis

Evaluation of the implementation of legal data protection requirements in your company and derivation of measures for action.

Network penetration tests

Verification of the security of publicly accessible systems by means of a network penetration test.

Web application penetration test

Checking the security of a web application by means of a penetration test.

Review of the firewall rules

Checking a set of rules for a selected firewall (e.g. Internet firewall).

Simulation of a phishing attack

Simulation of a phishing attack by e-mail.

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication | Berlin

Goal achieved? We check that: TÜV Informationstechnik | Essen

Frequently Asked Questions (FAQ)

What you need to know about the CyberRisikoCheck

The CyberRisikoCheck (CRC) is aimed at small and medium-sized enterprises (SMEs) and local authorities with up to 50 employees who would like to receive an initial assessment of the status of their information security.

The CyberRisikoCheck (CRC) only offers an analysis of the current information security situation in your company. The implementation of the recommendations for action and the elimination of vulnerabilities is not part of the CyberRisikoCheck (CRC) and is the responsibility of the company. TÜVIT will be happy to support you in this if required.

Important: Even a company that fulfils 100% of the IT security requirements of DIN SPEC 27076 and receives the full score has not demonstrated a very good level of protection, but only the absolute minimum of information security that is justifiable for a small or very small company!

The CyberRisikoCheck (CRC) does not offer complete protection against cyber attacks.

The CyberRisikoCheck (CRC) is carried out by IT compliance specialists and IT security experts from TÜVIT. These specialists have extensive experience in assessing and securing complex IT environments. Their expertise includes, among other things:

  • IT compliance: checking compliance with legal and industry-specific requirements
  • Cybersecurity: identification and assessment of security risks in networks and systems
  • Penetration tests: uncovering potential vulnerabilities through targeted attack simulations
  • Risk management: development of measures to minimise IT and compliance risks

The combination of technical expertise and regulatory understanding enables us to provide your company with a well-founded assessment of your IT security level.
