ISO/IEC 27001 – Certify your Information Security Management System (ISMS)
On this page
What is ISO/IEC 27001?
ISO/IEC 27001 has established itself internationally as the central standard for information security. For this reason, the standard is also used, among other things, in meeting the requirements of the EU NIS-2 Directive (the EU Directive on network and information security) or in audits providing evidence for critical infrastructures (KRITIS).
An ISMS to be certified goes beyond purely technical IT security and takes a holistic view of protecting your key information and assets within the scope you have defined.
With ISO/IEC 27001 certification, you can demonstrate the status and quality of your established ISMS through us as an independent and accredited conformity assessment body – for example externally to customers, suppliers or authorities, but also internally to your employees and shareholders.
Our accreditation by the German Accreditation Body (DAkkS) guarantees that we have implemented high internal quality standards (including to DIN EN ISO/IEC 17021), which are regularly reviewed for effectiveness by DAkkS. Furthermore, accreditation ensures the national and international recognition of your certificate.
Benefits of ISO/IEC 27001 certification
Process of a certification procedure
The general certification cycle is designed for three years due to the validity of the certificates and consists of the following phases:
- Initial certification / recertification
- Only for initial certification: Stage 1 audit (document review / adequacy review of the ISMS)
- Stage 2 audit / recertification (effectiveness review of the ISMS)
- First surveillance audit (no later than 12 months after the certificate is issued)
- Second surveillance audit (approx. 24 months after the certificate is issued)
In the fourth year, the certification cycle starts again with the so-called recertification audit.
An initial certification is divided into a Stage 1 and a Stage 2. The aim of Stage 1 is essentially to determine certification readiness. This is a pure adequacy review of the management system. The result of a Stage 1 audit is a statement as to whether the ISMS is appropriately structured and whether the existing documents and records are sufficient to proceed to a Stage 2. When determining the interval between Stage 1 and Stage 2, your needs are taken into account in order to find solutions to the identified weaknesses. The interval may not exceed six months. The aim of the Stage 2 audit is to assess the implementation, including the effectiveness, of the management system. With regard to ongoing compliance with the standard, the certified organisation is subject to surveillance by RSM Certification GmbH. These surveillance audits take place at least once a year following successful certification. The recertification audit marks the end of the three-year certification cycle and the start of the new cycle; it should take place and be completed before the certificate expires. The aim is to confirm the continued conformity and effectiveness of the management system as a whole, as well as its ongoing relevance and applicability to the scope of certification.
Your path to ISO/IEC 27001 certification
Submit an enquiry and optionally arrange an introductory meeting via video call at short notice
Quotation
Complete our basic data as a basis for an initial understanding of your organisation and for preparing the quotation
Place the order with RSM Certification GmbH and jointly coordinate the next steps (including scheduling)
Only for an initial certification: to gain a better understanding of your organisation and your ISMS, we usually carry this out in a joint remote session. Aim: to determine certification readiness
Conducting the Stage 2 audit / recertification audit, the effectiveness review of your ISMS
Technical review of the auditor(s)' documentation and the certification decision by RSM Certification GmbH
Issuing the certificate
Handover of the audit report, the certificate and the certification seal
Reviewing the continuous development of the ISMS as part of the surveillance audits
Certification by RSM Certification GmbH
Would you like us to certify you? Feel free to get in touch with us without obligation.
Get in touch without obligation
FAQ
No blanket answer is possible here, as this depends on a wide variety of factors, such as the number of employees within the scope, the number of sites and disaster recovery sites, the complexity of the processes and the management system, the extent of information system development (within the ISMS), or the type(s) of business conducted within the scope. A wide range of requirements – for example from ISO/IEC 27006 or the IAF MD documents 1, 2 or 5 – mean that the effort can vary considerably. To be able to estimate the costs, we have designed specific basic-data enquiries that allow us to estimate this effort as accurately as possible. We are fundamentally transparent about our effort calculation and also explain, among other things in joint discussions, how the effort is made up in each case.
A distinction between a Stage 1 and a Stage 2 audit formally exists only in an initial certification. The reason is that a Stage 1 audit is intended solely to assess certification readiness – i.e. the question: in terms of documentation, are you ready to plan and carry out the certification audit (Stage 2)? A large part of the total effort of an audit therefore lies in the Stage 2 audit. Purely in terms of requirements, a distinction is made between an audit part and a documentation part, whereby the audit part must comprise at least 70% (e.g. for ISO/IEC 27001 audits) or at least 80% (for ISO 9001 audits). Of this time, roughly 15–20% is again attributable to a Stage 1 audit.
For sensible and reliable planning on all sides, we would like a lead time of approximately 4–6 months. However, the postponement of audits can repeatedly open up shorter-term opportunities to carry out an audit after all. So please get in touch with us directly to discuss your requirements personally.
Your QMS and ISMS can be audited and certified in combination with a wide range of standards. On the one hand, ISO/IEC 27001 has the extensions within the ISO/IEC 27000 family itself, such as ISO/IEC 27005, ISO/IEC 27017, ISO/IEC 27018 or ISO/IEC 27019, with which it can be audited in combination. On the other hand, ISO/IEC 27001 and ISO 9001 can be audited together, but can also be extended with further standards from the same family, for example: energy management systems (ISO 50001); environmental management systems (ISO 14001).
One option is to make use of what ISO/IEC 27001 requires. According to ISO/IEC 27001 clause 6.1.3, a Statement of Applicability (SoA) must be prepared, containing: the necessary controls; reasons for their inclusion; whether the necessary controls are implemented or not; reasons for the exclusion of controls. This could be extended with an assessment of the degree of implementation of the requirements. There are various ways to measure this, e.g. a percentage assessment. In addition, you could extend the SoA to include the requirements from clauses 4–10 of ISO/IEC 27001. You would then have a complete mapping of all requirements and could at the same time assess the implementation status there, thus also using the SoA as a management tool.
The first key difference lies in responsibility. The body in charge of the procedure for ISO 27001 based on IT-Grundschutz is the German Federal Office for Information Security (BSI). For ISO/IEC 27001:2022 audits by accredited conformity assessment bodies, DAkkS is the central accreditation body in Germany. Another key difference is the audit basis. Where this is ISO/IEC 27001:2022 in an ISO 27001 audit, for ISO 27001 based on IT-Grundschutz it is the IT-Grundschutz Compendium. IT-Grundschutz also goes deeper in terms of the requirements in information technology. In addition, in its respective modules, the BSI defines specific and more comprehensive requirements for your ISMS compared with ISO/IEC 27001. There are also various differences in the formal requirements. The BSI has its own prerequisites that must be met for audit team leaders. Audit team leaders certified by the BSI who carry out ISO 27001 audits based on IT-Grundschutz are listed on the BSI website. Auditors permitted to carry out ISO/IEC 27001 audits through RSM Certification GmbH are not automatically permitted to carry out IT-Grundschutz audits, and vice versa. The ISO 27001 audit based on IT-Grundschutz must also be officially applied for at the BSI, including a declaration of independence from the auditor(s). The applying organisation then receives an ID, which must be used in future communication with the BSI. For certification to ISO/IEC 27001:2022, no application to DAkkS is required; commissioning the certification body is sufficient to begin the certification process. The two procedures therefore differ fundamentally.