Information security with a system

The topic of "information security" is becoming increasingly urgent for companies in the course of digital transformation. Without sufficient security precautions, there is a risk of data loss and data theft by hackers, business standstill due to attacks via the web or data misuse. One measure for a structured approach is an information security management system (ISMS) according to ISO 27001.

Demonstrable data and information security

Security as part of the corporate culture

Effective implementation of a risk management process

Continuous improvement of your security level

Beschreibung Standard/Regelwerk

What is ISO 27001?

ISO/IEC 27001 is the leading international standard for implementing a holistic management system for information security. It focuses on the identification, assessment and management of risks to information handling processes. The security of confidential information is emphasized as a significant strategic element.

Information surrounds us everywhere and is part of every process. Often it is inconsequential, but often it is critical and confidential. In order to make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an information security management system (ISMS) according to DIN EN ISO/IEC 27001 are based on this classification.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. In this context, ISO 27001 certification sends a strong signal to the market: namely, independent external evaluation and confirmation of the effectiveness of your ISMS.

With DIN EN ISO/IEC 27001:2017-06, a version coordinated by the European Committee for Standardization (CEN) has been published. It combines the two corrections (corrigenda) Cor 1:2014 and Cor 2:2015. The changes associated with the correction only include an improved description of the associated requirements, but no new, additional requirements. Certificates according to the ISO/IEC 27001:2013 version thus retain their validity.

Show more
Show less

For whom is ISO 27001 certification suitable?

The ISMS standard ISO 27001 applies worldwide. It provides companies of all sizes and industries with a framework for planning, implementing and monitoring their information security. The requirements are generally applicable and apply to private and public companies as well as non-profit organizations.

According to the German Federal Office for Information Security (BSI), companies that belong to a Critical Infrastructure Sector (KRITIS) and exceed a threshold must provide evidence of how they ensure their information security. KRITIS sectors include energy, water, health, finance and insurance, food, transport and traffic, information technology and telecommunications. Corresponding proof of implementation can be provided by security audits, tests or certifications. For this purpose, either recognized standards such as DIN ISO 27001 or, alternatively, industry-specific security standards (B3S) recognized by the BSI can be used as the basis for auditing.

Show more
Show less

Why is the ISO 27001 standard useful for my company?

The introduction of an ISMS according to ISO/IEC 27001 is a strategic decision for a company. The fulfillment of the deliberately general requirements of the standard must reflect the specific situation of the company. The implementation in the company depends on the needs and objectives, the security requirements, the organizational processes as well as the size and structure of the company.

Particularly valuable for practice is the implementation of the measures in Annex A of the standard. In addition to the management system-oriented requirements section (chapters 4 to 10), the ISO standard contains an extensive list of 35 measure targets (controls) with 114 concrete measures for a wide variety of safety aspects across 14 chapters in Annex A. The measures must be implemented within the framework of the management system. These measures must be implemented as part of the management system, insofar as they are relevant to your company.

The consistent alignment of company processes with DIN EN ISO 27001 has been proven to lead to a number of benefits:

  • Continuous improvement of the security level
  • Reduction of existing risks
  • Adherence to compliance requirements
  • Greater awareness among employees
  • Higher customer satisfaction

Internal audits and management reviews with the participation of top management are internal levers for achieving these successes.

Other positive aspects are that interested parties such as supervisory authorities, insurance companies, banks, partner companies build up greater trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and follows continuous improvement (CIP), making it more resistant to unwanted influences.

The international standard ISO/IEC 27001 can also be implemented, operated and certified independently of other management systems such as ISO 9001 (quality management) or ISO 14001 (environmental management).

Show more
Show less

Who is allowed to carry out certification according to ISO 27001?

In order to certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates topics related to conformity assessment, specifically requirements for inspection bodies that audit and certify management systems.

In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with in order to certify an ISMS according to ISO 27001.

These include:

  • The proof of specified efforts during audits.
  • The requirements for the qualification of auditors.

DQS is accredited by the Deutsche Akkreditierungsstelle GmbH (DAkkS) and therefore authorized to perform audits and certifications according to DIN ISO 27001.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They bring many years of experience in the assessment of information security management systems for different industries.

Show more
Show less

How does ISO 27001 certification work?

Once all requirements of DIN EN ISO 27001 have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS. If a certified management system is already established in the company, the process can be shortened.

In the first step, you discuss your company and the goals of ISO 27001 certification with us. On this basis, you will receive a detailed offer tailored to the individual needs of your company.

A project planning meeting can be useful for larger projects, for example, in order to better coordinate schedules and the performance of audits with locations or company divisions. The pre-audit offers you the opportunity to identify the strengths and potential for improvement of your management system in advance. Both services are optional.

The certification audit starts with the system analysis and evaluation of your ISMS (audit stage 1). Here, your auditor determines whether your management system is sufficiently developed and ready for certification. In the next step (system audit stage 2), your auditor assesses the effectiveness of all management processes on site, applying the ISO 27001 standard. The audit result is presented at a final meeting. If necessary, action plans are agreed upon.

After the certification audit, the results are evaluated by the independent certification body of DQS. If all standard requirements are met, you will receive the ISO 27001 certificate.

After successful certification, key components of your ISMS are re-audited on-site at least once a year to ensure continuous improvement.

The ISO 27001 certificate is valid for a maximum of three years. Recertification is performed in good time before expiry to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What does ISO 27001 certification cost?

The 4 assessment criteria

Even though the ISO 27001 audit is to be performed according to structured specifications, the cost depends on various factors, such as the complexity of your organization. Therefore, there is no blanket offer for every company.

The costs for certification according to DIN ISO 27001 are measured according to the following four criteria, among others:

1. the complexity of your information security management system.

The critical values (e.g. patents, personal data, facilities, processes) of your company are taken into account. The cost of certification is based primarily on the information security requirements and the extent to which confidentiality, integrity and availability (VIV) of information are affected.

2. the core business of your company within the scope of the ISMS

At this point, the risks associated with your business processes in particular play an important role in determining the necessary audit effort. Legal requirements are taken into account as well as complex, individual customer requirements.

3. the main technologies and components used in your ISMS

During the audit, the technology as well as the individual components of your ISMS are examined. These include IT platforms, servers, databases, applications as well as network segments. The general rule here is: The higher the proportion of standard systems and the lower the complexity of your IT, the lower the effort. The costs of ISO 27001 certification also depend on this. 4.

4 The proportion of in-house developments in your ISMS

If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of self-developed software and if this software is used for central business areas, the effort for certification will be higher.

In order for us to be able to give you an overview of the costs for an ISMS certification, we need precise information about your business model and the area of application in advance. This way we can provide you with a tailor-made offer.

Show more
Show less

What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong domain knowledge
  • Value-added insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms and no hidden costs

Request for quotation

Itsaree Sopasilapa Tel. 062 629 7117

"We would be happy to provide you with a customized offer for the ISO 27001 certification of your ISMS."