Building Block 1
CADIS Management System
Structural and process organisation as the foundation for all CADIS modules – developed by CONSUVATION, it governs the modules deployed within your organisation.
Basis for All Modules
CONSUVATION GmbH is an official DEKRA consulting partner for CADIS and guides suppliers to the defence and armaments industry through every phase of assessment preparation – from gap analysis to a successfully passed DEKRA audit. We bring over 25 years of consulting experience and 100% senior consultants, across the DACH region and internationally.
At a Glance
CADIS (Cybersecurity Assessment for Defence Industry Suppliers) is the first European assessment procedure for cyber and information security developed specifically for suppliers to the defence and armaments industry. It was developed by DEKRA and is also audited by DEKRA – CADIS is a registered trademark of DEKRA.
The procedure comprises 14 modules, selected on a risk basis via the contracting party's Supplier Criticality Evaluation (SCE). The depth of examination follows the Level of Examination (LoE 1–3) – from a plausibility check to a full on-site audit.
With growing requirements from NIS2, the German IT Security Act (BSIG) and EU procurement practice, a structured demonstration of cyber resilience along the supply chain is increasingly becoming a market access prerequisite.
As a certification body, DEKRA itself may not offer consulting services. CONSUVATION closes this gap: with deep knowledge of the CADIS procedure, a direct line to the assessment body, and over 25 years of experience in information security, OT security, BCM, risk management and compliance.
CADIS – Structure of the Assessment Procedure
CADIS is not a certification procedure in the classic ISO sense, but a modular assessment procedure by DEKRA: management system, risk-based module selection and a documented process model come together.
Building Block 1
Structural and process organisation as the foundation for all CADIS modules – developed by CONSUVATION, it governs the modules deployed within your organisation.
Basis for All Modules
Building Block 2
CADIS covers 14 topic areas from IT to OT security. The contracting party determines the relevant modules on a risk basis via the Supplier Criticality Evaluation (SCE).
14 Modules, Risk-Based
Building Block 3
The depth of examination per module ranges from a plausibility check (LoE 1) to a full on-site audit (LoE 3) – matched to the criticality and risk profile of the supplier.
Tiered Examination Depth
Building Block 4
CADIS assesses both classic IT with a focus on data management and operational technology (OT) – production facilities, machinery and building technology (IACS per IEC 62443).
IT + OT Covered
Building Block 5
Documented end-to-end processes for identification, preparation, implementation and evidencing of CADIS requirements – visualised as a flowchart and directly applicable to daily operations.
Documented & Visualised
Our Tool
Rather than a plain collection of policies, we provide a documented and visualised process model that translates the requirements of the CADIS modules into a repeatable, auditable workflow – from gap analysis to assessment-ready evidence for DEKRA.
Our Approach
Structured, predictable and without surprises – our proven approach follows the 8-stage CADIS assessment process and leads to documentation that genuinely holds up to DEKRA.
01
Free initial consultation, clarify the likely assessment scope and Level of Examination (LoE), create a project plan.
02
Assess existing information security (ISMS, OT), compare it against the relevant CADIS modules, identify gaps and action areas.
03
Build a new CADIS management system or extend an existing ISMS (e.g. per ISO 27001/TISAX) to cover the CADIS requirements.
04
Apply the CADIS process model and policy templates, conduct risk assessments, implement technical and organisational measures (TOM) for IT and OT.
05
Train employees via the e-learning portal, jointly define and compile the evidence required for the DEKRA assessment.
06
Support the DEKRA kick-off and main assessment, manage non-conformities, prepare the surveillance audit in year two.
CADIS & Other Standards
CADIS takes into account all relevant norms and standards in the field of cybersecurity and can be integrated into existing management systems. CONSUVATION connects CADIS with your established standards.
If you already have an ISMS per ISO 27001, the CADIS requirements can be pragmatically integrated into it rather than building a parallel system. ISO 27001 provides the ISMS foundation for several CADIS modules.
Companies with a TISAX assessment already have robust evidence regarding information security and, in part, OT availability. This evidence can be directly reused for several CADIS modules.
NIS2 affects the defence and armaments industry – in principle, all companies in the sector are considered critical under NIS2, regardless of revenue or employee thresholds. CADIS provides the structured evidence that practically covers NIS2 requirements.
CADIS addresses OT risk in manufacturing through a dedicated module. IEC 62443 provides the technical reference standard for industrial automation and control systems (IACS) – CONSUVATION brings both perspectives together.
Several CADIS modules require evidence of contingency and continuity capability for defence suppliers. An established BCMS per ISO 22301 provides the structured foundation and directly usable evidence for this.
Germany's IT Security Act (BSIG) forms a further regulatory framework for cybersecurity. CADIS modules pick up its requirements and translate them into an industry-specific assessment format for the defence supply chain.
Core Elements
CADIS requires more than a self-declaration – it is about lived processes, robust technical measures, and documentation that holds up to DEKRA.
Clarify your role in the supply chain and the relevant CADIS modules, interpret the contracting party's Supplier Criticality Evaluation (SCE) result, anticipate the Level of Examination.
Senior management takes responsibility for cyber resilience in the supply chain, provides resources, and designates a responsible function or external officer.
Systematically identify, analyse and prioritise risks for IT and OT – including supply chain and third-party risks.
Review existing TOM, develop and implement a target model, adapt security incident and reporting processes to CADIS requirements.
Train employees via e-learning on the relevant CADIS modules, demonstrate effectiveness through testing, document attendance certificates.
Systematically compile the evidence required for the DEKRA assessment, track module status via dashboards, prepare the surveillance audit in year two.
Services
From gap analysis to a successfully passed DEKRA audit – all from a single source, with senior consultants and an official DEKRA consulting partnership.
01
Systematic as-is/to-be comparison against the relevant CADIS modules: what exists, what is missing, what must be prioritised – clearly documented with an action plan.
02
Full setup of a CADIS management system or pragmatic extension of your existing ISMS (e.g. ISO 27001, TISAX) to cover the CADIS requirements.
03
Deployment of our CADIS process model with ready-made policy templates and organisational tools for all 14 modules – individually tailored to your company.
04
Review of existing TOM for IT and OT, development of a target model, and support in selecting suitable technical security solutions.
05
E-learning platform with suitable training content for the CADIS modules in German and English, effectiveness verification via test and automatic attendance certificate.
06
Dashboards individually tailored to your system environment for managing CADIS operations: module status, action tracking and management reporting.
07
A fixed point of contact acting as project coordinator, documentation owner and interface to DEKRA – available remotely, with optional on-site visits.
08
Support for kick-off, main assessment and interviews with DEKRA, non-conformity management through to sign-off, preparation of the surveillance audit in year two.
Our CADIS Solutions
Project plan, process models, training portal, dashboard and external CADIS officer – all from a single source. Scalable for small, mid-sized and large companies.
The 5 Building Blocks of Our Complete CADIS Solution
CADIS Management System: Foundation & Governance
Process Models & Policies: Up to All 14 Modules
Training Portal: DE & EN, AI & OT Modules
CADIS Dashboard: Module Status & Tracking
External CADIS Officer: Remote + Optional On-Site
Entry-level solution for small suppliers. Includes all essential building blocks for up to the first 6 CADIS modules – pragmatic, fast and cost-efficient.
Complete CADIS solution for mid-sized suppliers – including up to 10 modules, a gap analysis workshop and an external CADIS officer with optional on-site visits.
Maximum solution for complex organisations – with multi-site planning, all 14 modules, a dedicated CADIS officer and individually drafted policies.
The Building Block in Detail
Cybersecurity in the defence environment is a cross-functional role – it touches IT, OT, HR, procurement and corporate leadership at the same time. Many companies have neither the internal capacity nor the specific CADIS expertise for this role. Our external officer takes on this function as a fixed point of contact, coordinator and accountable owner – available remotely, with optional on-site visits from the Professional package onward.
Steering the preparation process, coordinating with departments, tracking progress.
Keeping all evidence, policies and processes complete and up to date.
Continuous review of implementation status, prioritising open actions.
Point of contact during the assessment, coordinating kick-off, interviews and the audit.
Creating an action plan and supporting implementation through to sign-off.
Preparing and supporting the surveillance audit in the second year.
All packages include an individual project plan and are tailored to your company. Remote support included – on-site visits available on request.
Our Expertise
CONSUVATION deploys exclusively senior consultants. With over 25 years of consulting experience in information security, IT security, OT, compliance, data protection and risk management, we are among the most experienced CADIS consulting firms in the DACH region.
Our consultants bring experience from numerous ISO 27001, TISAX and OT security projects. We combine this practice-proven knowledge with the specific requirements of the 14 CADIS modules to develop an assessment preparation that genuinely holds up to DEKRA.
As active members of ISO working groups (including ISO 27001), we bring insider knowledge that flows directly into your CADIS implementation.
Our Module Expertise: All 14 CADIS Areas
CONSUVATION offers solution models for all 14 CADIS assessment areas, which we individually adapt to your company. Our modules are aligned with the relevant standards (ISO 27001, IEC 62443, NIS2) and ensure an audit-compliant implementation – without duplicate work, with maximum standards coverage.
Experienced consultants for CADIS – from gap analysis to a successfully passed DEKRA audit
The most renowned ISACA certifications – from IT audit to IT governance to risk management
An integrated security framework for IT and OT – in a single project, without duplicate work
Experience from information security, OT security, data protection, BCM and risk management projects
Get Started Now
Let's work out together where your company stands today – and what it needs to meet the CADIS requirements in a structured, pragmatic way. In a free, no-obligation 30-minute initial call, we'll clarify the assessment scope, the likely LoE, and the right package for you.