Information security with a system

The topic of "Information Security" is becoming increasingly urgent for companies in the age of digital transformation. Organizations without the necessary security precautions risk data loss and data theft by hackers, business disruption due to attacks via the web, or misuse of data. A structured Information Security Management System (ISMS) according to ISO 27001, implemented with DQS Inc., is one way to mitigate these risks.

  • Demonstrable data and information security
  • Information security as part of the corporate culture
  • Effective implementation of a risk management process
  • Continuous improvement of your security level


What is ISO 27001?

ISO/IEC 27001 is the leading international standard for implementing a holistic management system for information security. It focuses on the identification, assessment, and management of risks to information handling processes. The security of confidential information is emphasized as a significant strategic element.

Information is an inescapable part of everyday life and business. Sometimes it may be inconsequential, but all too often it is critical and confidential. To make this important distinction for your organization, it is necessary to classify information. This is because the protective measures of an Information Security Management System (ISMS) according to ISO/IEC 27001 are based on this classification.

An ISMS creates the framework for protecting operational data and its confidentiality. At the same time, the globally recognized standard ensures the availability of the IT systems involved in corporate processes. Earning your ISO 27001 certification demonstrates to the U.S. market that you have an effective ISMS.

The second edition of ISO/IEC 27001 was released in 2013. The most recent ISMS edition was published in October of 2022. This new edition became necessary because ISO/IEC 27002, the implementing guidance governing Annex A of ISO 27001, was comprehensively revised and published in February 2022.
The transition period for existing ISO 27001 certificates is three years from the last day of the publication month of the new ISO/IEC 27001:2022. This means that all certificates according to ISO/IEC 27001:2013 must be converted to the 2022 version of ISO 27001 by October 31, 2025. You can read about the new features of the ISO 27001 update in our article "The new ISO/IEC 27001:2022 - key changes".


Is the ISO 27001 certification suitable for my company?

The ISMS standard ISO 27001 applies in the U.S. and Canada as well as internationally. It provides companies of all sizes and industries with a framework for planning, implementing, and monitoring their information security. The requirements are applicable to private, public, and non-profit organizations.


How is the ISO 27001 standard beneficial for my company?

The introduction of an ISMS according to ISO/IEC 27001 is a strategic decision for your company. The fulfillment of the standard's deliberately basic requirements must reflect the specific situation of the company. Implementation in your company depends on the needs and goals, the security requirements, the organizational processes, and the size and structure of the company.

Annex A of ISO 27001, which is to be used in connection with section 6.1.3 based on company-specific risk analyses, is particularly valuable in practice. The information security controls listed in Annex A are drawn from and aligned with the measures listed in the current ISO 27002, Sections 5 to 8.

Previously, Annex A of ISO/IEC 27001:2013 included a total of 114 controls to address information security risks, split into 14 sections and 35 control objectives. In the new ISO/IEC 27001:2022-10, Annex A now contains 93 controls on relevant security aspects, which are assigned to 4 topic areas.

The consistent alignment of company processes with ISO 27001 has been proven to lead to several benefits:

  • Continuous improvement of the security level
  • Reduction of existing risks
  • Adherence to compliance requirements
  • Greater awareness among employees
  • Increased customer satisfaction

Internal audits and management reviews with the participation of top management are the internal levers for achieving this.

Another benefit is that interested parties such as supervisory authorities, insurance companies, banks, or partner companies build up a higher level of trust in your company. This is because a certified management system signals that your organization deals with risks in a structured manner and subscribes to continuous improvement (CIP), making it more resistant to unwanted influences.

The international standard ISO/IEC 27001 can also be implemented, operated and certified independently of other management systems such as ISO 9001 (quality management) or ISO 14001 (environmental management).



Who is authorized to administer an ISO 27001 certification in the U.S.?

In order to certify an information security management system in North America, the certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates conformity assessment, specifically the requirements for bodies that audit and certify management systems.

In addition, ISO/IEC 27006 defines strict requirements that certification bodies must comply with to certify an ISMS according to ISO 27001.

These include:

  • Evidence of specified audit effort
  • Requirements for the qualification of auditors

DQS is accredited by ANAB and therefore authorized to perform audits and certifications according to ISO 27001 in North America and internationally.

Regardless of the industry in which your company operates, you can rely on the distinctive expertise of DQS auditors. They have many years of experience in the assessment of information security management systems in various industries.


How does my company get ISO 27001 certified?

Once all requirements of ISO 27001 have been implemented, you will go through a multi-stage certification process with DQS Inc. to receive your certificate. If a certified management system is already established in the company, the process can be shortened with a transfer audit.

In the first step, we will discuss your company and the goals of ISO 27001 certification together. Following this conversation, you will receive a detailed quote customized to the individual needs of your company.

A project planning meeting can be useful for larger projects in order to better coordinate schedules and the performance of audits with multiple locations or divisions. The optional gap assessment offers you an opportunity to identify the strengths and potential for improvement of your management system in advance. 

The certification audit starts with a stage 1 audit, which is the system analysis and evaluation of your ISMS. Your auditor will evaluate whether your management system is sufficiently developed and ready for certification. In the stage 2 system audit, your auditor assesses the effectiveness of all management processes on site according to the ISO 27001 standard. The audit result is presented at a final meeting and, if necessary, action plans are agreed upon.

After the certification audit, the results are evaluated by the independent certification board of DQS. If all standard requirements are met, you will receive the ISO 27001 certificate.

Once you have been successfully certified, you will be re-audited at least once a year to ensure you are maintaining your ISMS and working towards continuous improvement.

The ISO 27001 certificate is valid for a maximum of three years. DQS Inc. will start the recertification process before expiration to ensure ongoing compliance with the applicable standard requirements. Upon compliance, a new certificate is issued.


What will an ISO 27001 certification cost for my organization?

There is not a one-size-fits-all price that we can give your company. The cost of getting an ISO 27001 certification depends on a variety of factors such as the size and complexity of your organization. We strive to meet the specific needs of your company and are happy to provide a personalized quote for your business.

The costs for certification according to ISO 27001 are established according to the following four criteria, among others:

1. The complexity of your information security management system.

Critical assets such as patents, personal data, facilities, and processes associated with your company will be considered. The cost of certification is based primarily on the information security requirements and the extent to which the confidentiality, integrity, and availability (CIA) of information are affected.

2. The core business of your company within the scope of the ISMS

At this point, the risks associated with your business processes in particular play an important role in determining the necessary audit effort. Legal requirements are considered as well as complex, individual customer requirements.

3. The main technologies and components used in your ISMS

During the audit, the technology and the individual components of your ISMS are examined. These include IT platforms, servers, databases, and applications as well as network segments. The basic rule here is: the higher the proportion of standard systems and the lower the complexity of your IT, the lower the effort. The cost of an ISO 27001 certification also depends on this.

4. The proportion of in-house developments in your ISMS

If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of self-developed software and if this software is used for central business areas, the effort for certification will be higher.

For us to be able to give you an overview of the costs for an ISMS certification, we need precise information about your business model and the area of application in advance. This way we can provide you with a tailor-made quote.


Why choose DQS?

  • Over 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong technical knowledge
  • Value-adding insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, seamless support from our specialists located in the United States with international support as well
  • Customized offers with flexible contract terms and no hidden costs
  • ANAB accredited


Your local contact

"We would be happy to provide you with a customized quote for the ISO 27001 certification of your ISMS."

Updates in the New Edition

To learn more about the updates in the new editions of ISO 27001:2022 and ISO 27002:2022, take a look at our webinar slides. To go with them, we also provide a matrix-of-controls document for reference.
