ISO 27001 certification provides companies with objective proof that they operate an effective information security management system (ISMS) that protects their operational information, data and systems against hacker attacks and data loss in the best possible way.
It is based on the leading international standard ISO 27001, which is aimed at private and public companies as well as non-profit organisations and provides them with systematic guidelines for planning, implementing, monitoring and improving an ISMS. The standard not only relates to IT processes, but also takes into account aspects of infrastructure such as organisation, personnel and buildings.
ISO 27001 is structured according to the PDCA cycle (Plan-Do-Check-Act) and thus pursues a holistic, step-by-step and quality-orientated improvement of information security.
The main normative part of ISO 27001 is decisive for certification and comprises the following chapters and requirements:
In addition, the controls from the normative Annex 1 must be observed and implemented.
The duration of an ISO 27001 certification depends on various factors such as the size of your company (number of locations and employees), the complexity of the processes or the internal capacities. It is therefore not possible to give a generalised answer to this question. However, one thing is certain: the larger and more complex your company is, the longer it will take to achieve ISO 27001 certification.
Please contact us for a more detailed assessment.
As the basic prerequisite for ISO 27001 certification is the implementation of an ISMS, this is preceded by many preparatory activities on the customer side.
These include, among other things:
The ISO 27001 certificate is valid for a maximum of 3 years.
A surveillance audit is carried out in the first and second year after successful ISO 27001 certification.
After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.
The central requirement of the standard and therefore the basic prerequisite for certification in accordance with ISO 27001 is the successful introduction of an ISMS. In addition, companies should have established an effective risk management system that deals with the assessment and treatment of existing and potential security risks (risk analysis strategy).
The cost of ISO 27001 certification varies depending on the size and situation of the company. The decisive factor here is the number of days required for the two certification audits. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.
We would be happy to provide you with a customised quote.
ISO 27001 and the GDPR overlap in many areas. For example, both address the goal of ensuring the confidentiality, availability and integrity of data, and both pursue a risk-based approach. However, the GDPR has a broader scope, meaning that companies can simplify compliance with the GDPR through ISO 27001 certification, but cannot cover it completely.
An ISO 27001 certification does not automatically cover the entire scope relevant for proof in accordance with §8a BSIG. An ISO 27001 certificate can therefore be used as part of that proof, but not as the proof in itself. The prerequisite for this is that the scope of the certificate fully covers the critical infrastructure or the critical service.
In general, the following conditions must be met: