
ISO 27001

ISO 27001 certification provides companies with objective proof that they operate an effective information security management system (ISMS) that protects their operational information, data and systems against hacker attacks and data loss in the best possible way.

Information security according to ISO/IEC 27001

It is based on the leading international standard ISO 27001, which is aimed at private and public companies as well as non-profit organisations and provides them with systematic guidelines for planning, implementing, monitoring and improving an ISMS. The standard not only relates to IT processes, but also takes into account aspects of infrastructure such as organisation, personnel and buildings.

ISO 27001 is structured according to the PDCA cycle (Plan-Do-Check-Act) and thus pursues a holistic, step-by-step and quality-orientated improvement of information security.

Independent proof

Successful ISO 27001 certification provides objective proof that you fulfil the requirements of the information security standard.

Optimised IT security

You identify and eliminate potential security risks and systematically and continuously optimise IT security within your company.

Increasing competitiveness

ISO 27001 certification demonstrates your commitment to information security and sets you apart from the competition.

Special features of ISO 27001

  • Internationally recognised standard with worldwide applicability
  • Defines basic, conceptual requirements, but does not contain any specific, technical security measures
  • Flexibility in the individual implementation & design of the ISMS
  • Generic design requires companies to take greater initiative

The benefits of ISO 27001 certification for you

  • Sustainable protection of sensitive data
    You effectively protect information, data and business processes against cyber attacks and data theft.
  • Continuous improvement
    You increase the availability of your IT systems & processes and establish monitoring & control mechanisms.
  • Identification of security gaps
    You minimise IT security risks by systematically uncovering potential vulnerabilities.
  • Successful cost reduction
    You reduce costs by optimising inefficient processes & avoiding security incidents.
  • Independent proof of trust & compliance
    With ISO 27001 certification, you strengthen the trust of your customers & business partners.
  • Sensitisation of employees
    Certification raises your employees' awareness of information security & data protection.
  • International recognition
    With ISO 27001 certification, you fulfil internationally recognised information security requirements.
  • Reduction in insurance premiums
    ISO 27001 certification can have a positive impact on the amount of your insurance premiums.

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication | Berlin

Goal achieved? We check that: TÜV Informationstechnik | Essen

Frequently Asked Questions (FAQ)

What you need to know about ISO 27001

The main normative part of ISO 27001 is decisive for certification and comprises the following chapters and requirements:

  • Context of the organisation: Determining the specific scope of the ISMS; conducting a requirements and environment analysis.
  • Leadership and commitment: Requirements for the responsibility of the organisation's management; roles, responsibilities and authorities in the organisation; company policy.
  • Planning: Measures for dealing with risks & opportunities; defining information security objectives and planning how these can be achieved.
  • Support: Requirements to ensure ISMS effectiveness (resources, competences, security awareness, communication, documented information).
  • Operation: Operational planning & control; regular risk assessment & treatment.
  • Evaluation of performance: Monitoring, measuring, analysing & evaluating measures and achievement of objectives; internal audits; management review.
  • Improvement: Non-compliance & corrective actions; continuous improvement of the ISMS.

In addition, the controls from the normative Annex A must be observed and implemented.

The duration of an ISO 27001 certification depends on various factors such as the size of your company (number of locations and employees), the complexity of the processes or the internal capacities. It is therefore not possible to give a generalised answer to this question. However, one thing is certain: the larger and more complex your company is, the longer it will take to achieve ISO 27001 certification.

Please contact us for a more detailed assessment.

As the basic prerequisite for ISO 27001 certification is the implementation of an ISMS, this is preceded by many preparatory activities on the customer side.

These include, among other things:

  • Determination of the specific area of application (scope)
  • Definition of an information security policy & information security objectives
  • Development of measures for dealing with risks & opportunities
  • Development of a risk assessment & risk treatment methodology
  • Elaboration of a declaration of applicability
  • Determination of roles, responsibilities & authorities in the organisation
  • Creation of a list of assets

The ISO 27001 certificate is valid for a maximum of 3 years.

A surveillance audit is carried out in the first and second year after successful ISO 27001 certification.

After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.

The central requirement of the standard and therefore the basic prerequisite for certification in accordance with ISO 27001 is the successful introduction of an ISMS. In addition, companies should have established an effective risk management system that deals with the assessment and treatment of existing and potential security risks (risk analysis strategy).

The cost of ISO 27001 certification varies depending on the size and situation of the company. The decisive factor here is the number of days required for the two certification audits. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.

We would be happy to provide you with a customised quote.

ISO 27001 and the GDPR overlap in many areas. For example, both address the goal of ensuring the confidentiality, availability and integrity of data or pursue a risk-based approach. However, the GDPR has a broader scope, meaning that companies can simplify compliance with the GDPR through ISO 27001 certification, but cannot cover it completely.

An ISO 27001 certification does not automatically cover the entire scope relevant for proof in accordance with §8a BSIG. An ISO 27001 certificate can therefore be used as part of that proof, but not as the proof itself. The prerequisite for this is that the scope of the certificate fully covers the critical infrastructure or the critical service.

In general, the following conditions must be met:

  • Scope of application: The scope of application must include the facilities operated in accordance with the BSI Critical Infrastructure Ordinance.
  • Extended scope: Extension of the scope to include outsourced areas & implementation of a comprehensive security assessment from a KRITIS perspective.
  • Consideration of KRITIS protection goals: Appropriate definition of KRITIS protection objectives to be included in the risk assessment and to be observed throughout all processes and implementation of measures.
  • KRITIS IT protection requirements: Assessment of the protection objectives of availability, confidentiality, integrity and authenticity in relation to the maintenance of the critical service (risk management).
  • Dealing with risks: In particular, the extent of a risk to the general public, i.e. the impact on the functionality of the critical infrastructure and the critical service, must be taken into account. Appropriateness must be taken into account when selecting measures.
  • Implementation of measures: In principle, all measures required to maintain the critical service must be implemented. All measures that are only being planned - for example in the continuous improvement process (CIP), in the implementation plan or in the risk treatment plan - must be included in the list of security deficiencies in accordance with § 8a (3) BSIG.