
Expert knowledge

ISO 27001: The Gold Standard for Information Security

ISO/IEC 27001 is the most widely recognised international standard for Information Security Management Systems (ISMS). This page explains the structure, requirements, and path to certification - practical and without buzzwords.

Last updated: March 2026
Reviewed by certified experts

Current revision: 2022
Controls in Annex A: 93
Certification cycle: 3 years
Certificates worldwide: 70,000+

Fundamentals

What is ISO 27001?

ISO/IEC 27001 is an international standard published jointly by the ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission). It specifies requirements for an Information Security Management System (ISMS) - the systematic framework through which organizations identify, assess, and manage information security risks.

Unlike prescriptive technical security standards, ISO 27001 is risk-based and technology-neutral: the standard does not dictate which security software to use, but rather how risks must be assessed and treated. This makes it applicable to organizations of any size and industry.

The current version ISO/IEC 27001:2022 (published October 2022) superseded the 2013 version. It has been updated to reflect the changed threat landscape: cloud security, threat intelligence, and secure development practices are now explicitly included in the controls.

Why certify to ISO 27001?

  • Demonstrate security posture to customers, partners, and regulators
  • Prerequisite for many public sector and government contracts
  • Legal compliance support for GDPR and NIS2 requirements
  • Structured foundation for risk management
  • Reduction of cyber insurance premiums
  • Competitive advantage in tenders and customer conversations

ISO 27001 and NIS2

The NIS2 Directive implicitly references ISO 27001-equivalent measures. Organizations with ISO 27001 certification can demonstrate compliance with many NIS2 requirements - a significant compliance advantage. An integrated approach addressing both frameworks simultaneously is the most efficient path.

Personal certification for ISMS practitioners

Alongside organizational ISO 27001 certification, information security managers and CISOs should consider a recognized personal qualification such as the ISO 27001 Lead Implementer or Lead Auditor certificates - demonstrating individual competence to clients and regulators.

Structure

Structure of ISO 27001:2022

The standard comprises the normative main body (Clauses 4-10) and the informative Annex A with 93 controls.

Clause 4 - Context of the organization: Determining internal and external issues, interested parties, and the ISMS scope.

Clause 5 - Leadership: Management commitment, information security policy, roles and responsibilities.

Clause 6 - Planning: Risk assessment and treatment, Statement of Applicability (SoA), information security objectives.

Clause 7 - Support: Resources, competence, awareness, communication, and documented information.

Clause 8 - Operation: Operational implementation of planned measures, including the risk treatment plan.

Clause 9 - Performance evaluation: Internal audit, management review, monitoring and measuring ISMS effectiveness.

Clause 10 - Improvement: Addressing nonconformities and corrective actions, continual improvement.

Annex A - 93 controls: 4 categories: Organizational (37), People (8), Physical (14), Technological (34). Includes 11 new controls compared to 2013.

New in 2022 - 11 new controls: Including Threat Intelligence, ICT Readiness, Web Filtering, Data Masking, Secure Coding, and DLP.

In 5 steps

The path to certification

From initial assessment to certificate handover - a structured process with clear milestones.

01 Gap analysis: Systematic assessment of the current security level against ISO 27001:2022 requirements. Output: a prioritized action plan with effort estimates.

02 Build the ISMS: Define the ISMS scope, create the information security policy, conduct the risk assessment (Clause 6.1), and produce the Statement of Applicability (SoA) per ISO 27001:2022.

03 Implementation: Introduce the selected controls from Annex A, document processes and responsibilities, train employees, and integrate the ISMS into existing workflows.

04 Internal audit: Independent review of the ISMS implementation by certified lead auditors. Identification of remaining gaps and remediation actions before the certification audit.

05 Certification audit: Two-stage audit by an accredited certification body (Stage 1: document review, Stage 2: on-site audit). On success: issue of the ISO 27001 certificate.

Planning

Costs and timelines

Realistic estimates for different organization sizes. Figures are based on experience from more than 50 ISO 27001 certification projects.

Small organization (up to 50 employees) - most common scenario

Project duration: 3-6 months
Total budget: EUR 25,000-45,000
Certification body fee: EUR 6,000-10,000
  • Manageable scope
  • Typically 1-2 dedicated ISMS owners
  • Consulting effort: 30-50 days
  • Annual surveillance audit: EUR 3,000-5,000

Mid-sized organization (50-500 employees)

Project duration: 6-12 months
Total budget: EUR 60,000-150,000
Certification body fee: EUR 10,000-20,000
  • More complex IT landscape
  • Multiple locations possible
  • Consulting effort: 60-120 days
  • Annual surveillance audit: EUR 5,000-10,000

Large organization (500+ employees)

Project duration: 12-24 months
Total budget: EUR 200,000+
Certification body fee: EUR 20,000+
  • Group-wide or divisional certification
  • Multiple countries / locations
  • Dedicated ISMS team required
  • Multi-stage audit planning

All figures are indicative benchmarks based on project experience. Individual quotes depend on scope, current security maturity, and industry.
Source: AWARE7 project data 2021-2025, ISO Survey 2023 (ISO Central Secretariat).

Comparison

ISO 27001 vs. Other Frameworks

ISO 27001 and the frameworks it is compared with here (SOC 2, NIST CSF) share the same goal - systematic management of information security risks - but differ significantly in approach and target audience.

Criterion: ISO 27001:2022 | SOC 2 / NIST CSF
Publisher: ISO / IEC (international) | AICPA / NIST (US-centric)
Approach: Risk-based, principle-oriented | Control-based / framework-oriented
Level of detail: High at process level, flexible on technology | Variable; NIST CSF very flexible
Target audience: International, all sectors and sizes | Primarily US market and technology companies
Certification: Yes, by accredited bodies worldwide | SOC 2: attestation; NIST CSF: self-assessment
International recognition: Very high (recognized globally) | High in US and tech sector; limited elsewhere
Combination possible: Yes - ISO 27001 provides the ISMS backbone | Yes - can map to ISO 27001 controls
Effort: Moderate initial effort | Variable; SOC 2 audits recur annually

Recommendation: For internationally operating organizations, ISO 27001 is generally the preferred choice - internationally recognized, flexible, and certifiable. Organizations primarily serving the US market may need SOC 2 attestation in addition. In both cases AWARE7 can guide you through the process.

Our services

How AWARE7 supports ISO 27001 certification

AWARE7 accompanies organizations through the complete ISO 27001 process - from the initial gap analysis to certificate handover and beyond. Our ISO 27001 Lead Auditors and Lead Implementers have successfully completed more than 50 certification projects.

We do not offer off-the-shelf solutions: every project starts with an honest assessment, producing a realistic roadmap - including a fixed-price quote within 24 hours.

ISO 27001 consulting services

Gap analysis & readiness assessment

Systematic evaluation of current security level against ISO 27001:2022 requirements with a prioritized action plan.

ISMS build-out and documentation

Creation of all required policies, processes, and documents - structured, comprehensible, and audit-ready.

Risk assessment and Statement of Applicability

Full risk assessment per ISO 27005 and creation of the SoA as the centrepiece of the ISMS.

Internal audit and pre-audit

Independent review by our certified Lead Auditors - a dress rehearsal for the certification audit.

External Information Security Manager

Ongoing ISM on demand - for organizations that do not wish to build a dedicated ISMS team.

"A well-implemented ISMS based on ISO 27001 is not just a certificate on the wall - it is the foundation on which every subsequent security measure is built. Organizations that understand this are structurally superior to their competition."

Oskar Braun

ISO 27001 Lead Auditor (IRCA certified) · AWARE7 GmbH

Frequently asked questions

FAQ: ISO 27001 Certification

What is ISO 27001?

ISO/IEC 27001 is the internationally recognized standard for Information Security Management Systems (ISMS). The standard defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. It is the only globally accreditable standard in this space and therefore the key instrument for demonstrating security posture to customers, partners, and regulators.

What changed in the 2022 revision?

The 2022 revision brought a significantly modernized structure: Annex A was reduced from 114 to 93 controls, while 11 new controls were added - including Threat Intelligence, ICT Readiness for Business Continuity, Web Filtering, and Data Masking. The new categorization organizes controls into four thematic groups (Organizational, People, Physical, Technological) instead of the former 14 domains. Existing certificates issued under the 2013 version had to be migrated by October 2025.

Is ISO 27001 certification mandatory?

A legal obligation exists for certain categories: critical infrastructure operators, specific financial and healthcare sector providers, and increasingly for government suppliers. Beyond legal requirements, many large enterprises and international clients require ISO 27001 certification from their suppliers as a procurement condition. For mid-sized organizations, certification is a strong competitive differentiator when bidding for contracts.

How long does certification take?

Duration depends heavily on organization size, existing security maturity, and available resources. Small organizations (up to 50 employees) can typically build an ISMS within 3-6 months. Mid-sized organizations (50-500 employees) typically need 6-12 months. Large enterprises should plan 12-24 months. AWARE7 accelerates this process through structured gap analyses, proven documentation templates, and experienced lead auditors.

What does certification cost?

Total costs comprise internal effort, consulting fees, and certification body fees. For a 50-person SME with external consulting, a realistic total budget is EUR 25,000-60,000. Of this, approximately EUR 8,000-15,000 covers the certification body, with the remainder for consulting and internal resources. Annual surveillance audits cost EUR 3,000-8,000; the three-year recertification audit is comparable to the initial audit.

Does ISO 27001 cover NIS2?

An ISO 27001 certification covers many NIS2 requirements structurally - particularly risk analysis, security policies, measure management, and internal audits (Annex A controls). However, it is not a complete NIS2 proof: NIS2-specific elements include incident reporting obligations, personal management liability, supply chain duties, and sector-specific requirements. Organizations with ISO 27001 certification start significantly better positioned and have a substantial compliance head start for NIS2.

How long is the certificate valid?

The ISO 27001 certificate is valid for three years. During this period at least two surveillance audits by the certification body are required, typically annual. After three years, a full recertification audit is required. Additionally, the organization must conduct at least one internal audit per year and an annual management review.

How does AWARE7 support the process?

AWARE7 accompanies you throughout the entire process: from the initial gap analysis through risk assessment and creation of the Statement of Applicability to preparation for the certification audit. Our Lead Auditors (ISO 27001 LA, ISO 27001 LI) have successfully guided more than 50 certification projects. We also offer the role of external Information Security Manager (ISM) to provide ongoing ISMS stewardship.

Start your ISO 27001 gap analysis

In a free initial consultation we assess your current position and create a realistic certification roadmap - including a fixed-price quote.

Free · 30 minutes · No obligation