
ISO 27001 Certification

ISO 27001 (formally ISO/IEC 27001) is the international standard that specifies the requirements for an information security management system (ISMS), the framework through which an organisation protects the confidentiality, integrity and availability of its information. Certification against it is an independent assessment that the ISMS meets those requirements. TÜV NORD offers customised certification audits that give your customers and partners verifiable evidence of your information security and support the continuous improvement of your ISMS.


Certified ISMS protecting your business

An effective Information Security Management System (ISMS) helps your organization manage risks in IT and OT applications by ensuring the confidentiality, integrity, and availability (CIA) of your data and processes. The globally recognized ISO/IEC 27001 standard defines the criteria for establishing, implementing, operating, evaluating, and continuously improving a state-of-the-art ISMS. Additional guidance for developing and selecting specific technical security measures can be found in the ISO/IEC 27002 standard.

For companies in the automotive industry, TÜV NORD also offers TISAX audits, which are based on ISO 27001 but take into account specific industry requirements.

ISO 27001 certification provides objective, credible evidence that your ISMS is effective and thereby builds trust with customers and other stakeholders. Experienced auditors develop a customised audit programme and check the standard's requirements against how your organisation actually operates. You receive detailed feedback on the conformity, maturity and potential of your ISMS, together with a clear statement of any non-conformities, which gives you a concrete basis for continuous improvement.


Who is ISO 27001 certification intended for?

The certification is aimed at organizations and companies across all industries where IT security plays a role—from manufacturing and retail to service providers and utilities. ISO 27001 also provides an internationally compatible foundation for government agencies seeking to achieve IT-Grundschutz compliance.

In addition, TÜV NORD offers both internal and external IT service providers certification according to ISO 20000-1 for effective IT service management.

Advantages of ISO/IEC 27001 certification

  • Better risk management in application IT and OT – preventing security incidents, costs, and damage
  • Enhanced confidentiality, integrity, and availability (CIA) of data and processes
  • Doing the right thing – and doing it right: For greater effectiveness and efficiency in the work of your experts
  • Motivated experts and employees embody the ISMS and ensure continuous improvement and state-of-the-art processes
  • The expertise of experienced auditors ensures tailored, industry-specific feedback and real added value for your company – complemented by a recognized certificate from a globally renowned certification body.
  • Optimal compliance – enhanced stakeholder trust and reputation
  • Systematic implementation and monitoring of effective security measures

Certification Audit: The Process with TÜV NORD

01 Enquiry, bid preparation and clarification

02 Contracting, individual scheduling and audit planning

03 Audit: understanding the organisation and determining readiness for certification

04 Assessment of conformity and maturity, and identification of potential for improvement

05 Four-eyes certification check and decision

06 Issuance of certificate

07 Continuous improvement of the management system

Important information regarding the revision of ISO/IEC 27006-1:2024

In March 2024, ISO/IEC 27006 was revised and published as ISO/IEC 27006-1:2024. This standard defines the requirements that certification bodies must meet when auditing and certifying management systems against ISO 27001.

Once the transition period ends, every certification against ISO 27001 must be carried out exclusively under ISO/IEC 27006-1:2024. The validity and expiry dates of existing certificates are not affected by the revision. The International Accreditation Forum (IAF) has set a two-year transition period together with a number of transitional arrangements.

A separate document summarises everything you need to know about the ISO 27006 revision.


Climate change – additions to management system standards

In a joint communiqué in February 2024, the International Accreditation Forum (IAF) and the International Organisation for Standardisation (ISO) explained the amendments made to various management system standards. The statement emphasises that climate change must be taken into account in the respective management systems.

The amendments affect clauses 4.1 (understanding the organisation and its context) and 4.2 (understanding the needs and expectations of interested parties) of each standard. Their purpose is to ensure that organisations consider climate change issues alongside all the other factors that bear on the effectiveness of their management system.


FAQs About the ISO 27001 Audit

ISO 27001 is a globally recognised blueprint for information security in organisations. Rather than simply deploying individual security products, it introduces a management system (the ISMS) that governs the handling of sensitive information end to end: technology, organisational structures and the behaviour of staff.

The aim is to protect three core values:

  • Confidentiality: Only authorised persons may access data.
  • Integrity: Data must not be altered or manipulated without detection.
  • Availability: Important systems and information must be available when needed.

In short: the certificate is independent, documented evidence that a company knows its information security risks and manages them systematically, which materially reduces the likelihood and impact of data breaches and cyberattacks.


No, ISO 27001 is not generally a legal requirement in Germany. However, it may be indirectly necessary or advisable if:

  • customers, tenders or clients require ISO 27001 certification,
  • your company falls under NIS-2 / BSIG,
  • you operate in the KRITIS, energy, healthcare, finance or regulated IT services sectors, as proof of ISMS compliance is often mandatory in these areas.

The version currently applicable to organisations is ISO/IEC 27001:2022. It replaced the 2013 edition and contains a restructured and updated set of Annex A controls. DIN EN ISO/IEC 27006-1:2024, by contrast, is the German adoption published in August 2024 of the latest requirements for certification bodies; it does not change what your organisation must implement, but ensures a consistently high quality of audits.

Taking into account legal, regulatory and contractual requirements, ISO 27001 sets out the requirements for the design, implementation, operation, monitoring and documentation of your ISMS.

In doing so, the risks to your organisation are identified, analysed, evaluated and treated through appropriate measures. This covers not only cyberattacks but also other disruptions that cause unplanned interruptions to processes or bring business operations to a standstill.

The Plan-Do-Check-Act cycle that underlies the standard's structure ensures continuous improvement throughout this process.

Because ISO 27001 follows the Harmonized Structure (formerly the High-Level Structure) shared by the ISO management system standards, it can be fully integrated into an existing management system certified to ISO 9001 or ISO 14001.

To obtain ISO 27001 certification, you must have implemented information security risk management within your organisation, covering the identification, analysis, evaluation and treatment of risks, and you must document the resulting control selection in a Statement of Applicability (SoA) that records which Annex A controls you apply and the justification for including or excluding each one.

ISO 27001 is not limited to IT processes: it also covers organisational, personnel and physical aspects such as roles and responsibilities, staff awareness and the security of buildings and premises. Information security is, after all, an increasingly important competitive factor.

This applies in particular to operators of critical infrastructure (KRITIS), who are required by the BSI Act to ensure a minimum level of IT security.

A voluntary pre-audit (sometimes called a gap audit) can be used to check your readiness for certification. An auditor spot-checks your management system and reports on whether it is suitable for certification. No certificate is issued, and the pre-audit does not replace the internal audit that the standard requires.

ISO 27001 certification follows a two-stage procedure consisting of two audits:

  • Stage 1: reviews the management system documentation and confirms that the organisation is ready for certification.
  • Stage 2: evaluates the full implementation and effectiveness of the management system in the organisation.

The certificate is issued only once both stages have been successfully completed.

The cost of ISO 27001 certification depends largely on the size of your organisation and the complexity of your IT infrastructure. It is important to distinguish between the audit fees charged by the certification body and the overall costs of implementation (consultancy, staff, tools). We would be happy to provide you with a detailed quote tailored to your specific needs.

Do you have any questions? Our team, including Felix Rehbein and Toheeb Ajibola along with our auditors, is here to assist you.

ISMS Sales & Project Management