Information security with a system

The topic of "Information Security" is becoming increasingly urgent for companies in the course of digital transformation. Without sufficient security precautions, there is a risk of data loss and data theft by hackers, of business interruptions due to attacks via the web, and of misuse of data. One option for a structured approach is an Information Security Management System (ISMS) according to ISO 27001.


Demonstrable data and information security

Information security as part of the corporate culture

Effective implementation of a risk management process

Continuous improvement of your security level


What is ISO 27001?

ISO/IEC 27001 is the leading international standard for implementing a holistic management system for information security. It focuses on the identification, assessment and management of risks to information handling processes. The security of confidential information is emphasized as a significant strategic element.

Information surrounds us everywhere and is part of every process. Sometimes it may be inconsequential, but all too often it is critical and confidential. In order to make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an Information Security Management System (ISMS) according to ISO/IEC 27001 are based on this classification.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. In this context, ISO 27001 certification sends a strong signal to the market: namely, independent external evaluation and confirmation of the effectiveness of your ISMS.

The second edition of ISO/IEC 27001 dates back to 2013. The internationally recognized standard for ISMS has now been updated and republished in its third edition as ISO/IEC 27001:2022 on October 25, 2022. The revision follows necessarily from the comprehensive revision of ISO/IEC 27002, the implementation guidance underlying Annex A of ISO 27001, which was published in February 2022.

The transition period for existing ISO 27001 certificates is three years from the last day of the publication month of the new ISO/IEC 27001:2022. This means that all certificates according to ISO/IEC 27001:2013 must have been converted to the 2022 version of ISO 27001 by October 31, 2025. You can read about the new features of the ISO 27001 update in our article "The new ISO/IEC 27001:2022 - key changes".


Who is a certification to ISO 27001 suitable for?

The ISMS standard ISO 27001 applies worldwide. It provides companies of all sizes and industries with a framework for planning, implementing, and monitoring their information security. The requirements apply to private and public companies as well as to non-profit organizations.

In Germany, for example, companies that belong to a Critical Infrastructure Sector (KRITIS) and exceed a threshold must provide evidence of how they ensure their information security. KRITIS sectors include energy, water, health, finance and insurance, food, transport and traffic, information technology and telecommunications. Corresponding proof of implementation can be provided by security audits, tests or certifications. For this purpose, either recognized standards such as ISO 27001 or, alternatively, industry-specific security standards recognized by the German Federal Office for Information Security (BSI) can be used as the basis for auditing.


What makes the ISO 27001 standard useful for my company?

The introduction of an ISMS according to ISO/IEC 27001 is a strategic decision for your company. The fulfillment of the standard's deliberately general requirements must reflect the specific situation of the company. Implementation in your company depends on the needs and goals, the security requirements and the organizational processes, as well as the size and structure of the company.

Annex A of ISO 27001, which is to be used in connection with section 6.1.3 on the basis of company-specific risk analyses, is particularly valuable in practice. The information security controls listed in Annex A are directly derived from and aligned with the measures listed in the current ISO 27002, Sections 5 to 8. 

Previously, Annex A of ISO/IEC 27001:2013 included a total of 114 controls to address information security risks, subdivided into 14 sections and 35 control objectives. In the new ISO/IEC 27001:2022-10, Annex A contains 93 controls on relevant security aspects, which are assigned to four topic areas.

The consistent alignment of company processes with ISO 27001 has been proven to lead to a number of benefits:

  • Continuous improvement of the security level
  • Reduction of existing risks
  • Adherence to compliance requirements
  • Greater awareness among employees
  • Increased customer satisfaction

Internal audits and management reviews with the participation of top management are the internal levers for achieving this.

Another positive aspect is that interested parties such as supervisory authorities, insurance companies, banks and partner companies build up a higher level of trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and subscribes to a continuous improvement process (CIP), making it more resistant to unwanted influences.

The international standard ISO/IEC 27001 can also be implemented, operated and certified independently of other management systems such as ISO 9001 (quality management) or ISO 14001 (environmental management).


Who is allowed to carry out certification according to ISO 27001?

In order to certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates topics related to conformity assessment, specifically requirements for inspection bodies that audit and certify management systems.

In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with in order to certify an ISMS according to ISO 27001.

These include:

  • Evidence of specified audit effort
  • Requirements for the qualification of auditors.

DQS is accredited by the German national accreditation body DAkkS (Deutsche Akkreditierungsstelle GmbH) and is therefore authorized to perform audits and certifications according to ISO 27001.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They have many years of experience in the assessment of information security management systems in various industries.


How does ISO 27001 certification work?

Once all requirements of ISO 27001 have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS. If a certified management system is already established in the company, the process can be shortened.

In the first step, you discuss your company and the goals of ISO 27001 certification with us. On this basis, you will receive a detailed offer tailored to the individual needs of your company.

A project planning meeting can be useful for larger projects, for example, in order to better coordinate schedules and the performance of audits with multiple locations or divisions. The pre-audit offers you an opportunity to identify the strengths and potential for improvement of your management system in advance. Both services are optional.

The certification audit starts with the system analysis and evaluation of your ISMS (audit stage 1). Here, your auditor determines whether your management system is sufficiently developed and ready for certification. In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes on site, applying the ISO 27001 standard. The audit result is presented at a final meeting. If necessary, action plans are agreed upon.

After the certification audit, the results are evaluated by the independent certification board of DQS. If all standard requirements are met, you will receive the ISO 27001 certificate.

After successful certification, key components of your ISMS are re-audited on site at least once a year to ensure continuous improvement.

The ISO 27001 certificate is valid for a maximum of three years. Recertification is performed in good time before expiry to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What does ISO 27001 certification cost?

The four assessment criteria

Even though the ISO 27001 audit is to be performed according to structured specifications, the cost depends on various factors, such as the complexity of your organization. Therefore, there can be no one-size-fits-all offer for any given company.

The costs for certification according to ISO 27001 are established according to the following four criteria, among others:

1. The complexity of your information security management system.

The critical assets (for example patents, personal data, facilities, processes) of your company are taken into account. The cost of certification is based primarily on the information security requirements and the extent to which the confidentiality, integrity and availability of information (the CIA triad) are affected.

2. The core business of your company within the scope of the ISMS

At this point, the risks associated with your business processes in particular play an important role in determining the necessary audit effort. Legal requirements are taken into account as well as complex, individual customer requirements.

3. The main technologies and components used in your ISMS

During the audit, the technology as well as the individual components of your ISMS are examined. These include IT platforms, servers, databases, applications and network segments. The basic rule here is: the higher the proportion of standard systems and the lower the complexity of your IT, the lower the audit effort. The costs of an ISO 27001 certification also depend on this.

4. The proportion of in-house developments in your ISMS

If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of self-developed software and if this software is used for central business areas, the effort for certification will be higher.

In order for us to be able to give you an overview of the costs for an ISMS certification, we need precise information about your business model and the area of application in advance. This way we can provide you with a tailor-made offer.


What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong technical knowledge
  • Value-adding insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms and no hidden costs


ISO 27001:2022 Training Materials

Download the training materials for free.


Request a quote

Your local contact

We would be happy to provide you with an individual quote for the ISO 27001 certification of your ISMS.

The new ISO/IEC 27001:2022 - key changes

In this DQS blog post you will find the most important information about the key changes and additions in the revised ISO 27001:2022 standard.
