1. Define your IAM requirements
Before contacting a consultant, clarify internally: What do you want to achieve? The most common starting points are:
- Compliance pressure: NIS2, DORA, GDPR, and industry-specific requirements (BaFin, BAIT, KRITIS) mandate verifiable access controls and audit trails.
- Security incident: An attack or an internal audit has revealed vulnerabilities in access management.
- Digitalization: Cloud migration, M&A, or new business models require a scalable identity infrastructure.
- Technology migration: Replacing SAP IDM, legacy IAM, or consolidating multiple systems.
2. Understand the various IAM disciplines
Not every IAM consultant covers all areas. Make a distinction between:
- IAM (Identity & Access Management): Management of user identities and access rights throughout the entire lifecycle.
- IGA (Identity Governance & Administration): Compliance, role management, access certification, and audit trails.
- PAM (Privileged Access Management): Protection of administrative and privileged accounts — critical for NIS2 and KRITIS.
- CIAM (Customer IAM): Secure, scalable identity solutions for external users and customers.
A specialist consultant who covers all four areas is generally preferable to a generalist, especially in complex enterprise environments.
3. Assess platform expertise and vendor neutrality
Leading IAM platforms such as SailPoint, One Identity, Microsoft Entra ID, Ping Identity, and Saviynt differ significantly in terms of architecture, licensing models, and suitability for various industries. Ask yourself these questions:
- Is the consultant vendor-neutral, or do they favor certain products for commercial reasons?
- What certifications does the team hold on the relevant platforms?
- Can the consultant provide examples of projects completed on the desired platform?
4. Evaluate industry experience
IAM in the financial sector differs fundamentally from IAM in the healthcare sector. Regulatory requirements, system landscapes, and risk profiles are industry-specific. Check the following:
- Finance / Banking: Experience with BaFin requirements, BAIT, DORA, and integration into core banking systems.
- Healthcare: Knowledge of ePA, KHZG, data protection requirements, and clinical system landscapes (HIS, RIS, PACS).
- Critical Infrastructure (KRITIS): Experience with BSI requirements, NIS2, and OT/IT convergence.
5. Consider the entire lifecycle
Many consultants implement the solution—but who manages it afterward? A good IAM partner guides you through every stage:
- Strategy & Concept: current-state analysis, target architecture, roadmap.
- Implementation: Technical implementation, integration, testing.
- Operations: Ongoing support, updates, incident management.
- Training: Empowering your team to operate independently.
6. Regional Presence and Language Proficiency
For enterprise projects in Germany, Austria, and Switzerland (DACH) and the Benelux countries, a regional presence is crucial—not only for workshops and go-lives, but also for communicating with business units, works councils, and regulatory authorities. A consultant with offices in Germany and the Netherlands understands the local regulatory context.
7. Asking the Right Questions During the Initial Interview
Ask potential IAM consultants these questions:
- How many consultants are full-time employees—and how many are freelancers?
- Can you name three completed projects in my industry?
- What does your handover process look like after implementation?
- Which platform would you recommend for our needs—and why?
- How do you handle NIS2 compliance requirements?
Why Identity Team?
Identity-Team GmbH is a specialized IAM consulting firm with 25 certified consultants and offices in Straubenhardt (Germany) and Apeldoorn (Netherlands). Since 2019, we have been supporting enterprises in the DACH and Benelux regions with complex IAM, IGA, PAM, and CIAM projects—vendor-neutral, audit-ready, and NIS2-compliant.