Certified information security in accordance with ISO/IEC 27001
Information technology systems have become an integral part of everyday business life. At the same time, the threat of cyber attacks and data theft is constantly increasing.
With an ISO 27001-certified Information Security Management System (ISMS), you can guarantee the availability, confidentiality and integrity of operational information, data and processes.
The internationally recognized ISO 27001 standard, which defines the requirements for the introduction, implementation, operation and improvement of an ISMS, serves as a guideline.
Independent proof of information security
A successful ISO 27001 certification provides objective proof that you meet the requirements of the standard for information security.
Systematic approach to improve IT security
You identify and eliminate potential security risks and systematically and continuously optimize IT security within your company.
Increased competitiveness
ISO 27001 certification demonstrates your commitment to information security and sets you apart from the competition.
What is ISO 27001?
ISO 27001 certification provides companies and organizations with objective evidence that they have an effective Information Security Management System (ISMS) in place to protect their business information, data and systems against hacker attacks and data loss in the best possible way.
It is based on the leading international standard ISO 27001, which is aimed at private and public companies as well as non-profit organizations and provides systematic guidance for planning, implementing, monitoring and improving an ISMS. The standard covers not only IT processes, but also takes into account aspects of infrastructure such as organization, personnel and buildings.
ISO 27001 is structured according to the PDCA (Plan-Do-Check-Act) cycle and thus pursues a holistic, step-by-step and quality-oriented improvement of information security.
Benefits of ISO 27001 certification
Sustainable protection for sensitive data
You effectively protect information, data & business processes against cyber attacks & data theft.
Independent proof of trust and compliance
With ISO 27001 certification, you can increase the confidence of your customers and business partners.
Continuous improvement
You increase the availability of your IT systems & processes and establish monitoring & control mechanisms.
Employee awareness
Through certification, you raise awareness of information security and data protection among your employees.
Identify security vulnerabilities
Minimize IT security risks by systematically identifying potential vulnerabilities.
International recognition
With ISO 27001 certification, you meet internationally recognized requirements for information security.
Successful cost reduction
Reduce costs by optimizing inefficient processes & preventing security incidents.
Reduction of insurance premiums
ISO 27001 certification can have a positive impact on your insurance premiums.
The new ISO 27001:2022
The international standard ISO 27001 was revised in October 2022. The new ISO/IEC 27001:2022 replaces the previous version ISO/IEC 27001:2013.
The main changes at a glance:
■ Adaptation to the Harmonized Structure (HS; formerly High Level Structure)
■ Greater emphasis on process orientation:
– Identification of required processes & their interactions
– Definition of process criteria
– Consideration of impacts & interactions when making changes to the ISMS
■ Updating & restructuring of Annex A: reduction from 114 to 93 measures (“controls”), now grouped into 4 sections instead of the previous 14
■ Greater emphasis on cyber security & data protection in the context of information security
■ Further clarifications & specifications
Transition to the new ISO 27001:2022 must take place by 31.10.2025.
Gap analyses & internal audits can already be carried out with our support. Do not hesitate to contact us.
ISO 27001 certification process
A step-by-step guide to ISO 27001 certification: we guide you through the entire certification process.
1. Pre-audit (optional)
Determination of readiness for certification: compliance with the requirements of the standard, identification of non-conformities and ambiguities
2. Certification audit (stage 1)
Document review, site assessment and determination of readiness for the subsequent stage 2 audit
3. Certification audit (stage 2)
Audit of effectiveness, compliance and conformity with the standard; more in-depth examination of documents and use of further audit methods
4. Successful certification
Issue of the ISO 27001 certificate once all requirements of the standard have been met
5. Surveillance audit
Conducted in the first and second year after successful certification
6. Recertification
Conducted 3 years after certification, extending the validity of the certificate
ISO 27001 audits
Independent of our certification services, we also offer gap analyses and internal audits in accordance with ISO 27001, which you can use to identify potential weaknesses in your ISMS. To ensure a smooth transition to ISO 27001:2022, these can also be conducted against the new version of the standard.
Frequently asked questions (FAQ):
The main normative part of ISO 27001 is relevant to certification and includes the following chapters and requirements:
- Context of the organization: Defining the specific scope of the ISMS; conducting a requirements and environment analysis.
- Leadership and commitment: Requirements for the responsibility of the organization's management; roles, responsibilities & authorities in the organization; information security policy.
- Planning: Measures for dealing with risks & opportunities; defining information security objectives and planning how these are to be achieved.
- Support: Requirements to ensure ISMS effectiveness (resources, competencies, security awareness, communication, documented information).
- Operation: Operational planning & control; regular risk assessment & risk treatment.
- Performance evaluation: Monitoring, measurement, analysis & evaluation of measures and of the achievement of objectives; internal audits; management review.
- Improvement: Non-conformities & corrective actions; continual improvement of the ISMS.
In addition, the controls in normative Annex A must be observed and implemented.
As the basic prerequisite for ISO 27001 certification is the implementation of an ISMS, certification is preceded by many preparatory activities on the customer side.
These include, among other things:
- Determining the specific area of application (scope)
- Defining an information security policy & information security objectives
- Developing measures to address risks & opportunities
- Developing a risk assessment & risk management methodology
- Developing a Statement of Applicability
- Defining roles, responsibilities & authorities within the organization
- Creating a list of assets
The central requirement of the standard and therefore the basic prerequisite for certification in accordance with ISO 27001 is the successful implementation of an ISMS. In addition, organizations should have an effective risk management system in place that addresses the assessment and management of existing and potential security risks (risk analysis strategy).
ISO 27001 and the GDPR overlap in many areas. For example, both address the goal of ensuring the confidentiality, availability and integrity of data, and both pursue a risk-based approach. However, the GDPR has a broader scope, which means that while an ISO 27001 certification can simplify GDPR compliance, it cannot cover it completely.
The time it takes to achieve ISO 27001 certification depends on a number of factors, such as the size of your organization (number of sites and employees), the complexity of your processes and your internal capabilities. It is therefore not possible to give a general answer to this question. However, one thing is certain: the larger and more complex your organization, the longer it will take to achieve ISO 27001 certification.
Please contact us for a more detailed assessment.
The ISO 27001 certificate is valid for a maximum of 3 years.
A surveillance audit is carried out in the first and second year after successful ISO 27001 certification.
After 3 years, a recertification audit is carried out to check that the requirements for renewal are still met.
The costs for ISO 27001 certification vary depending on the size and situation of the company. The decisive factor here is the number of days required for the two certification audits. While smaller and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.
We would be happy to provide you with an individual offer.
An ISO 27001 certification does not automatically cover the entire scope relevant to the evidence required under §8a BSIG. An ISO 27001 certificate can therefore be used as part of that evidence, but not as the evidence in itself. The prerequisite for this is that the scope of the certificate fully covers the critical infrastructure or critical service.
In general, the following conditions must be met:
- Scope: The scope must include the facilities operated in accordance with the BSI Critical Infrastructure Ordinance.
- Extended scope: Extension of the scope to include outsourced areas & implementation of a comprehensive security assessment from a KRITIS perspective.
- Consideration of KRITIS protection goals: Appropriate definition of KRITIS protection objectives to be included in the risk assessment and to be considered consistently in all processes and implementation of measures.
- KRITIS IT protection requirements: Assessment of the protection objectives of availability, confidentiality, integrity and authenticity in relation to the maintenance of the critical service (risk management).
- Risk management: In particular, the level of a risk to the general public, i.e. the impact on the functionality of the critical infrastructure and the critical service, must be taken into account. Appropriateness must be considered in the selection of measures.
- Implementation of measures: In principle, all measures required to maintain the critical service must be implemented. All measures that are only being planned – for example in the continuous improvement process, in the implementation plan or in the risk treatment plan – must be included in the list of security deficiencies according to § 8a (3) BSIG.
Do you have questions? We are happy to help!