Information security with a system

The topic of "Information Security" is becoming increasingly urgent for companies in the course of digital transformation. Without sufficient security precautions, there is a risk of data loss and data theft by hackers, of business breakdowns due to attacks via the web or misuse of data. One option for a structured approach is an Information Security Management System (ISMS) according to ISO 27001.

What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.

How does ISO 27001 work?

Most organizations have some information security controls in place. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.

Security controls in operation typically address only certain aspects of information technology (IT) or data security, leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.

Moreover, business continuity management and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

  • systematically evaluate the organization’s information security risks, taking into account the threats, vulnerabilities, and impacts;
  • establish and implement a comprehensive suite of information security controls and risk treatment (such as risk avoidance, reduction, or transfer) to address those risks that are deemed unacceptable; and
  • adopt a management process to ensure that the information security controls and residual risks meet the organization’s information security needs on a continuous basis.


Demonstrable data and information security

Information security as part of the corporate culture

Effective implementation of a risk management process

Continuous improvement of your security level


What is ISO 27001?

ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

With EN ISO/IEC 27001:2017-06, a version coordinated by the European Committee for Standardization (CEN) has been published. It combines the two corrections (corrigenda) Cor 1:2014 and Cor 2:2015. The changes associated with the corrections only include an improved description of the associated requirements, but no new, additional requirements. Certificates according to the ISO/IEC 27001:2013 version thus retain their validity. The standard is currently under revision; the revised version is expected at the end of 2022.

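ISO/IEC 27001 is the leading international standard for implementing a holistic management system for information security. It focuses on identifying, assessing and managing the risks to information processing. The security of confidential information is emphasized as an important strategic element.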


Who is a certification to ISO 27001 suitable for?

The ISMS standard ISO 27001 applies worldwide. It provides companies of all sizes and industries with a framework for planning, implementing, and monitoring their information security. The requirements set out in ISO/IEC 27001:2013 or ISO/IEC 27001:2022 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Some may think that ISO 27001 applies to the IT sector only, but this is a misunderstanding. No doubt, a company in the IT sector may be vulnerable to data leakage at scale. Therefore, quite a few companies with intensive IT operations have been pioneers in pursuing ISO 27001 certification.

As time goes by, more and more companies in other industries realize that information security is no less important to them, so they are also pursuing Information Security Management System (ISMS) certification against ISO 27001.

Information surrounds us everywhere and is part of every process. Sometimes it may be inconsequential, but all too often it is critical and confidential. In order to make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an Information Security Management System (ISMS) according to ISO/IEC 27001 are based on this classification.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. In this context, ISO 27001 certification sends a strong signal to the market: namely, independent external evaluation and confirmation of the effectiveness of your ISMS.

The second edition of ISO/IEC 27001 dates back to 2013. Now, the internationally recognized standard for ISMS has been updated and republished in its third edition as ISO/IEC 27001:2022 on October 25, 2022. The revision is an inevitable consequence after ISO/IEC 27002, as the implementing guidance governing Annex A of ISO 27001, was comprehensively revised and published in February 2022. 

The transition period for existing ISO 27001 certificates is three years from the last day of the publication month of the new ISO/IEC 27001:2022, which means that all certificates according to ISO/IEC 27001:2013 must have been converted to the 2022 version of ISO 27001 by October 31, 2025. You can read about the new features of the ISO 27001 update in our article "The new ISO/IEC 27001:2022 - key changes".

How to use ISO 27001?

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

Certification to ISO 27001 ISMS

Certification to ISO/IEC 27001 is adopted by more and more organizations in order to benefit from the best practice it contains and to reassure customers and clients that its recommendations have been followed.

The official title of the ISO 27001 standard is “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001 has ten clauses and an annex, including:

  1. Scope of the standard
  2. How the document is referenced
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system’s performance
  10. Corrective action
  • Annex A: List of controls and their objectives


What makes the ISO 27001 standard useful for my company?

The introduction of an ISMS according to ISO/IEC 27001 is a strategic decision for your company. The fulfillment of the standard's deliberately general requirements must reflect the specific situation of the company. Implementation in your company depends on the needs and goals, the security requirements and the organizational processes, as well as the size and structure of the company.

Annex A of ISO 27001, which is to be used in connection with section 6.1.3 on the basis of company-specific risk analyses, is particularly valuable in practice. The information security controls listed in Annex A are directly derived from and aligned with the measures listed in the current ISO 27002, Sections 5 to 8. 

Previously, Annex A of ISO/IEC 27001:2013 included a total of 114 controls to address information security risks, subdivided into 14 sections and 35 control objectives. In the new ISO/IEC 27001:2022-10, Annex A now contains 93 controls on relevant security aspects, which are assigned to 4 topic areas.

The consistent alignment of company processes with ISO 27001 has been proven to lead to a number of benefits:

  • Continuous improvement of the security level
  • Reduction of existing risks
  • Adherence to compliance requirements
  • Greater awareness among employees
  • Increased customer satisfaction

Internal audits and management reviews with the participation of top management are the internal levers for achieving this.

Another positive aspect is that interested parties such as supervisory authorities, insurance companies, banks and partner companies build up a higher level of trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and subscribes to continuous improvement (CIP), making it more resistant to unwanted influences.

The international standard ISO/IEC 27001 can also be implemented, operated and certified either integrated with or independently of other management systems such as ISO 9001 (quality management).

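Implementing the measures in Annex A of the standard is particularly valuable in practice. In addition to the management-system-oriented requirements (Chapters 4 to 10), the ISO standard contains an exhaustive list of 35 control objectives with 114 specific measures, covering various security aspects in the 14 sections of Annex A. These measures must be implemented as part of the management system insofar as they are relevant to your company.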


Who is allowed to carry out certification according to ISO 27001?

In order to certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates topics related to conformity assessment, specifically requirements for inspection bodies that audit and certify management systems.

In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with in order to certify an ISMS according to ISO 27001.

These include:

  • Evidence of specified audit effort
  • Requirements for the qualification of auditors.

DQS is accredited by the national accreditation bodies ANAB and DAkkS and therefore authorized to perform audits and certifications according to ISO 27001.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They have many years of experience in the assessment of information security management systems in various industries.

Relation with ISO 27701:2019 for Privacy Information Management

ISO 27701:2019 is an extension to ISO 27001 and ISO 27002 for privacy information management.

If personal data management is important to your business, you may consider pursuing ISO 27701 PIMS certification together with ISO 27001 ISMS certification, to address the significant risks and challenges arising from the large number of privacy-related regulations, such as the GDPR of the EU, CPRA of the USA, PDPO of HK, and PIPL of Mainland China.


ISO 27001 vs ISO 27002

  • ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of an organization.
  • ISO 27002 is an international standard used as a reference for selecting and implementing information security controls listed in Annex A of ISO 27001. It is used as a reference and guidance on the best practices of information security management helping organizations in implementing the requirements and controls of ISO 27001.
  • An organization can get a certification against ISO 27001, but not against ISO 27002.

ISO 27002 was updated on Feb 15, 2022. The number of information security controls decreased from 114 to 93, and the controls are now covered in 4 sections instead of the 14 sections of the former version.

  • Organizational controls (clause 5)
  • People controls (clause 6)
  • Physical controls (clause 7)
  • Technological controls (clause 8)

Merged Controls

No controls in the previous version were excluded in ISO 27002:2022, but some of them were merged.
For example:

  • Controls 5.1.1 Policies for information security and 5.1.2 Review of the policies for information security
    were merged into 5.1 Policies for information security.
  • Controls 11.1.2 Physical entry controls and 11.1.6 Delivery and loading areas
    were merged into 7.2 Physical entry.

New controls 

The ISO 27002:2022 introduced 11 new controls:

  • 5.7 Threat intelligence
  • 5.23 Information security for use of cloud services
  • 5.30 ICT readiness for business continuity
  • 7.4 Physical security monitoring
  • 8.9 Configuration management
  • 8.10 Information deletion
  • 8.11 Data masking
  • 8.12 Data leakage prevention
  • 8.16 Monitoring activities
  • 8.23 Web filtering
  • 8.28 Secure coding

Two annexes were introduced in ISO 27002:2022:

  • Annex A – Using attributes
  • Annex B – Correspondence with ISO/IEC 27002:2013

Impact to ISO 27001 from ISO 27002:2022

An amendment to ISO 27001:2013 has been in progress. ISO 27001:2022 is expected to be published in 2022.

  • The changes to ISO 27002:2022 will be reflected in Annex A of ISO 27001.
  • The main part of ISO 27001 (i.e. Clauses 4 to 10) will remain unchanged.
  • The number of controls decreases from 114 to 93.
  • Controls are categorized into 4 sections instead of the previous 14.
  • There are 11 new controls; none of the controls was deleted, and some controls were merged.


Relations Between GDPR and ISO 27001 ISMS


  • Confidentiality, integrity and availability of data.
  • Risk assessments.
  • Breach notification.
  • Access control.
  • Data identification.


  • GDPR applies only to personal data, while ISO 27001 has a broader scope on the information.
  • GDPR covers the right to be forgotten, data portability and the right to be informed about your personal data, which are not mandatory requirements in ISO 27001.


A management system based on ISO 27001 can support the achievement of compliance with GDPR.

Possible Solutions by the Organizations

  • Arrange management and front-line employees to attend GDPR related training courses.
  • Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
  • Implement controls on outsourced processes.
  • Implement regular internal and external audits on operations.
  • Improve the ISMS based on risk levels.

Introduction to GDPR

The General Data Protection Regulation (GDPR), the EU’s new regulation for data protection, will become effective from 25 May 2018. The GDPR applies to the handling of personal identification information of EU citizens. It applies not only to organizations in the EU, but also to organizations outside the EU that process and keep the above-mentioned personal data.

Local organizations shall conduct a full and serious review of their practices in handling personal data in their business operations. Significant changes may be necessary to operations related to personal data, including collection, storage, identification, analysis, usage and transfer.

Depending on the impact and its due diligence, an organization that violates GDPR may be subject to a fine of up to the higher of EUR 20,000,000 and 4% of its annual global revenue.

Key Terms in GDPR:

  • Personal data: “Any information that relates to an identified or identifiable living individual.”
  • Data controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
  • Data processor: “An entity which processes personal data on behalf of the controller.”

Key Requirements of GDPR

As compared to Directive 95/46/EC, the requirements are enhanced. The key points include, but are not limited to:

  • Territorial scope: Not limited to organizations within EU.
  • Purpose limitation: Collected for specified, explicit and legitimate purpose.
  • Data minimization: Adequate, relevant and limited to what is necessary in relation to the purpose.
  • Accuracy: Accurate and, where necessary, kept up to date.
  • Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and confidentiality: Processed in a manner that ensures security.
  • Conditions for consent: Organizations must request permission using easy-to-understand terms. Assuming consent or requiring users to opt out is not allowed.
  • Right to access: Increased transparency by requiring controllers to provide data subjects with confirmation of data processing.
  • Right to be forgotten: Data subjects can request controllers to erase their personal data and stop distributing the data.
  • Automated processing: Data subjects have the right not to be subject to a decision based solely on automated processing.
  • Data portability: Data subjects have the right to receive their data upon request and to transfer that data to another controller.
  • Data protection officers: Some organizations, such as those with a primary purpose of processing personal data or sensitive information, shall appoint Data Protection Officer(s), who may be an employee or a third party.
  • Data breach notification: Within 72 hours after a data breach, the controller shall notify supervisory authorities and data subjects affected, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Data processors shall also inform the controllers of a known data breach.
  • Parental consent: Processing the personal data of children under the age of 16 for online services requires parental consent. Member states can designate a lower required age (down to 13) for consent.
  • Special categories of data: Some types of data have more stringent requirements for consent, such as the data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
  • Third countries: Specific rules for transferring data to third countries or international organizations.
  • Due diligence: Establish technical and organizational measures to demonstrate compliance to GDPR.
  • Subcontractor control: Data controllers shall ensure that data processors have the ability to fulfil the requirements of GDPR.
  • Certification: Voluntary data protection certification to show compliance to this regulation.

How does ISO 27001 certification work?

Once all requirements of ISO 27001 have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS. If a certified management system is already established in the company, the process can be shortened.

In the first step, you discuss your company and the goals of ISO 27001 certification with us. On this basis, you will receive a detailed offer tailored to the individual needs of your company.

A project planning meeting can be useful for larger projects, for example, in order to better coordinate schedules and the performance of audits with multiple locations or divisions. The pre-audit offers you an opportunity to identify the strengths and potential for improvement of your management system in advance. Both services are optional.

The certification audit starts with the system analysis and evaluation of your ISMS (audit stage 1). Here, your auditor determines whether your management system is sufficiently developed and ready for certification. In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes on site, applying the ISO 27001 standard. The audit result is presented at a final meeting. If necessary, action plans are agreed upon.

After the certification audit, the results are evaluated by the independent certification board of DQS. If all standard requirements are met, you will receive the ISO 27001 certificate.

After successful certification, key components of your ISMS are re-audited on site at least once a year to ensure continuous improvement.

The ISO 27001 certificate is valid for a maximum of three years. Recertification is performed in good time before expiry to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What does ISO 27001 certification cost?

The four assessment criteria

Even though the ISO 27001 audit is to be performed according to structured specifications, the cost depends on various factors, such as the complexity of your organization. Therefore, there can be no one-size-fits-all offer for any given company.

The costs for certification according to ISO 27001 are established according to the following four criteria, among others:

1. The complexity of your information security management system.

The critical values (for example patents, personal data, facilities, processes) of your company are taken into account. The cost of certification is based primarily on the information security requirements and the extent to which the confidentiality, integrity and availability (CIA) of information are affected.

2. The core business of your company within the scope of the ISMS

At this point, the risks associated with your business processes in particular play an important role in determining the necessary audit effort. Legal requirements are taken into account as well as complex, individual customer requirements.

3. The main technologies and components used in your ISMS

During the audit, the technology as well as the individual components of your ISMS are examined. These include IT platforms, servers, databases, applications as well as network segments. The basic rule here is: The higher the proportion of standard systems and the lower the complexity of your IT, the lower the effort. The costs of an ISO 27001 certification also depend on this.

4. The proportion of in-house developments in your ISMS

If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of self-developed software and if this software is used for central business areas, the effort for certification will be higher.

In order for us to be able to give you an overview of the costs for an ISMS certification, we need precise information about your business model and the area of application in advance. This way we can provide you with a tailor-made offer.


What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong technical knowledge
  • Value-adding insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms and no hidden costs

Request a quote

Your local contact

We would be happy to provide you with an individual quote for the ISO 27001 certification of your ISMS.

Training Courses

Internal Auditor Courses, Lead Auditor Courses, Standard Understanding Courses, GDPR related Courses, etc.
