ISO 27001
International Standard for Information Security Management Systems (ISMS). ISO 27001 defines the requirements for establishing, operating, and continually improving an ISMS. Certification against it provides independent evidence of an organization's information security, which is a prerequisite for many business relationships and for NIS2 compliance.
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 is the world’s best-known standard for systematic IT security management.
What ISO 27001 Is—and What It Isn’t
ISO 27001 is often misunderstood. It is a management standard that defines processes and organizational requirements—not a purely technical specification. ISO 27001 is also a certification standard that can be audited by accredited bodies, as well as a framework that takes a risk-based approach: not every measure is mandatory; rather, the context of the organization determines which controls are relevant. The standard is suitable for organizations of all sizes—from 5 to 500,000 employees.
ISO 27001, however, is not a checklist to be mechanically worked through, not a free security guarantee, and—except in certain industries—not a legal requirement.
The ISO 27001:2022 Structure
The current version (2022) follows the High Level Structure (HLS) and is divided into the following chapters:
Chapters 1–3: Scope, normative references, terms
Chapter 4 – Context of the Organization:
- Internal and external issues
- Interested parties and their requirements
- Scope of the ISMS
Chapter 5 – Leadership:
- Management commitment (top management bears responsibility)
- Information security policy
- Roles and responsibilities
Chapter 6 – Planning:
- Risk assessment and risk treatment
- Statement of Applicability
- Information security objectives
Chapter 7 – Support:
- Resources, competence, awareness
- Communication and documented information
Chapter 8 – Operation:
- Operational planning and control
- Periodic information security risk assessment
- Risk treatment planning
Chapter 9 – Performance Evaluation:
- Monitoring, measurement, analysis
- Internal audit (at least annually)
- Management review (top management reviews the ISMS)
Chapter 10 – Improvement:
- Nonconformities and corrective actions
- Continuous improvement
Appendix A: 93 Controls in 4 Subject Areas
Appendix A lists the possible security measures (controls) in four categories:
A.5 – Organizational Controls (37 controls):
- Information security policy
- Security roles
- Vendor relationships
- Security incident reporting
A.6 – People Controls (8 controls):
- Pre-employment screening
- Security awareness
- Termination of employment
A.7 – Physical Controls (14 controls):
- Physical security areas
- Protection against physical threats
- Clear Desk / Clear Screen
A.8 – Technological Controls (34 controls):
- Endpoint security
- Cryptography
- Network management
- Vulnerability management
- Secure development
- Logging
- Capacity management
Important: Not all controls need to be implemented. The Statement of Applicability (SoA) documents which controls are applicable and records the justification for every control that is excluded.
Risk-Based Approach
ISO 27001 is risk-based—not “checkbox” compliance. The process follows a structured procedure:
Risk Assessment:
- Identify and classify information assets
- Identify threats and vulnerabilities
- Assess probability and impact
- Determine risk level (e.g., 5x5 matrix)
Risk Treatment – four possible options:
- Avoid risk (discontinue activity)
- Reduce risk (implement controls)
- Transfer risk (insurance, outsourcing)
- Accept risk (informed decision)
Statement of Applicability (SoA): For each of the 93 controls, the SoA records whether it is applicable, whether it has already been implemented, and, if it is not applicable, why it was excluded.
Certification Process
Phase 1 – Preparation (3–18 months):
- Gap analysis: current state vs. target state
- Develop an action plan
- Establish the ISMS: Policies, processes, controls
- Conduct a risk assessment
- Internal audit and management review
Phase 2 – Stage 1 Audit (2–3 days): Document review by an accredited certifier (TÜV, DQS, BSI, etc.). Verification that the ISMS documentation is complete and identification of gaps (major/minor non-conformities).
Phase 3 – Stage 2 Audit (2–5 days): Main audit with verification of actual implementation, interviews with employees, and review of evidence (logs, reports, records). Upon successful completion, the certificate is issued for three years.
Phase 4 – Surveillance Audits (annual): Each year an audit verifies that the ISMS is still operated in conformity with the standard. A full recertification audit follows after three years.
ISO 27001 vs. BSI IT-Grundschutz
| Criterion | ISO 27001 | BSI IT-Grundschutz |
|---|---|---|
| Origin | International | German |
| Approach | Risk-based, flexible | Predefined measures |
| Level of detail | Framework | Very detailed |
| Recognition | Global | DACH, public sector |
| Combination | ISO 27001 + BSI possible | BSI certificate includes ISO 27001 |
In Practice: Many German companies combine both—ISO 27001 for international certification, BSI IT-Grundschutz as a library of measures.
Who Needs ISO 27001?
De facto mandatory for:
- IT service providers for government agencies and large enterprises
- Healthcare sector (gematik, health insurance companies)
- Financial service providers (many BaFin requirements)
- Cloud providers serving businesses (SOC 2 or ISO 27001)
Significant competitive advantage:
- B2B sales: “ISO 27001 certified” opens doors
- Tenders: often a minimum requirement
- Major clients: Supplier qualification frequently requires ISO 27001
NIS2 context: NIS2 requires an ISMS—ISO 27001 meets this requirement. The standard is accepted as “state of the art” for NIS2.