
ISO 27001 Consulting

ISMS Consulting &
ISO 27001 Certification -
from hackers who know
what really matters

We guide you through building your ISMS - from gap analysis to successful ISO 27001 certification. Practical, fixed-price and with the unique perspective of an offensive security firm.

  • ISO 27001 certified ourselves
  • BSI CyberRiskCheck authorised
  • Fixed-price commitment
  • Co-author: BSI Handbook Cyber Risk Management

[Chart: ISMS maturity by domain (Governance, Risk, Access, Operations, Incident, BCM, Compliance, Awareness), current state vs. after consulting. Example values; your analysis is individual.]


ISMS projects completed: 20+
Certification success rate: 100%
Months avg. to certificate: 6-9
Controls per ISO 27001:2022: 93

What is an ISMS under ISO 27001?

An Information Security Management System (ISMS) is a systematic framework of policies, processes and technical controls to protect your organisation's information. The international standard ISO/IEC 27001:2022 defines the requirements for such a system and enables independent certification by accredited certification bodies.

The current ISO 27001:2022 version lists 93 controls in Annex A, grouped into four themes: organisational, people, physical and technological controls. Unlike the German BSI IT-Grundschutz with its ~800 requirements, ISO 27001 offers more flexibility in selecting measures - ideal for internationally operating companies and the mid-market.

ISMS certification to ISO 27001 is increasingly business-critical: it covers most of the NIS-2 risk-management measures, is demanded by large clients in tenders and can improve cyber insurance terms. For automotive suppliers subject to TISAX, an ISMS forms the foundation of information security.

Why act now

Why organisations need an ISMS under ISO 27001

Regulatory and economic requirements for information security are rising rapidly. Those who do not act now risk more than just fines.

NIS-2 compliance obligation

The NIS-2 Directive obliges thousands of organisations to implement systematic risk management. Management bears personal liability. An ISO 27001 ISMS fulfils most requirements.

Supply chain requirements

Major clients and public sector buyers require ISO 27001 in tenders. Without the certificate you lose contracts to competitors who can provide the evidence.

Cyber insurance & liability

Insurers are scrutinising security measures ever more closely. A certified ISMS can lower premiums and improve terms - and protects management from personal liability.

Our difference

ISO 27001 consultants
who actually hack

Most ISMS consultants only know attacks from textbooks. Our ISO 27001 consultants conduct penetration tests and red team assessments themselves. This makes a decisive difference:

  • Risk assessment from an attacker's perspective

    We know which vulnerabilities attackers exploit first - and prioritise your ISMS accordingly.

  • Controls that work - not just exist on paper

    No paper exercise: every measure is defined so that it will withstand a real attack.

  • Pentest integration from day one

    We can validate the effectiveness of your ISMS directly with penetration tests - everything from one source.

  • Certified ourselves - we live what we advise

    AWARE7 is itself certified to ISO 27001 and ISO 9001. We know the challenges from first-hand experience.

AWARE7 Credentials

Offensive Security + ISMS

ISO 27001:2022 certified

AWARE7 itself - not just our clients

ISO 9001:2015 certified

Quality management - standardised processes

BSI CyberRiskCheck

Authorised assessment provider per DIN SPEC 27076

OSCP, OSWA, OSWP

Offensive security certifications of our consultants

T.I.S.P. Certificate

Personal certification for ISMS teams - recognised in 32 countries

Where does your organisation stand today?

In a free 30-minute initial consultation we assess your current state, define the scope and give you a realistic estimate of effort and timeline.

Free · 30 minutes · No obligation

Engagement models

ISO 27001 certification costs: Transparent and plannable

No open consultant days, no hidden costs. You know from the outset what ISO 27001 certification costs.

One-time

ISO 27001 Certification Project

From gap analysis through ISMS implementation to the certificate - everything included.

from EUR 20,000

Fixed price, depending on scope & maturity

  • Gap analysis & maturity report
  • Risk management & SoA
  • Policies & documentation
  • Internal audit & certification support
  • Dedicated point of contact
Request quote
Monthly (Recommended)

ISMS Retainer

Certification + ongoing support - your ISMS in the best hands.

from EUR 2,500/mo

12-month minimum term

  • Everything from the certification project
  • Surveillance audit preparation
  • Quarterly management reviews
  • Ongoing risk updates
  • Re-certification support
  • Annual penetration test included
Request retainer

Monthly

External CISO

Your information security officer - without a full-time position.

from EUR 1,500/mo

Flexible cancellation, scalable

  • Operational ISMS management
  • Audit coordination
  • Training & awareness
  • Management reporting
  • Incident response coordination
View details

Individual pricing for your organisation

Scope, company size and existing maturity level determine the price. We provide a binding fixed-price quote within 48 hours.

Request quote

ISO 27001 vs. BSI IT-Grundschutz: Which standard fits?

| Criterion | ISO 27001 | BSI IT-Grundschutz |
|---|---|---|
| Scope | Internationally recognised | Primarily DACH region & public sector |
| Requirements | 93 controls (flexibly selectable) | ~800 requirements (catalogue-based) |
| Effort (SME) | 6-12 months | 12-24 months |
| Cost | from EUR 20,000 | from EUR 40,000 |
| Ideal for | Internationally operating companies, mid-market | Public administration, critical infrastructure operators |
| NIS-2 conformity | Yes, accepted as evidence | Yes, accepted as evidence |

Our recommendation: For most organisations, ISO 27001 is the more efficient path. ISO 27001 certification based on IT-Grundschutz is also possible - we advise vendor-neutrally.

NIS-2 Compliance

ISO 27001 fulfils most NIS-2 requirements

The NIS-2 Directive requires a cybersecurity risk management system with concrete measures: incident handling, business continuity, supply chain security, encryption. An ISO 27001-compliant ISMS covers these requirements and is accepted as evidence.

Important: Management bears personal liability for NIS-2 violations. A certified ISMS is the best protection - for your organisation and for you personally.

NIS-2 requirements in detail

Your ISMS grows with you

Not a one-time project - security that improves itself

ISO 27001 is based on the proven PDCA principle: you plan measures, implement them, check their effectiveness - and improve continuously. The result: an ISMS that does not become obsolete, but grows with your organisation. We guide you through all four phases.

Phase 1 - Plan: analysis and planning
  • Initial consultation and needs analysis
  • Inventory of your IT landscape
  • Risk assessment and prioritisation
  • Tailored project plan

Building an ISMS: The path to ISO 27001 certification in 5 phases

How the ISMS implementation works - five clearly defined phases from initial assessment to certificate.

01

Gap Analysis & Scope Definition

Where does your organisation stand today? We capture the current state, review against all 93 controls, define the ISMS scope and identify the biggest gaps.

Duration: 1-2 weeks

02

Risk Assessment & Treatment

Systematic identification and assessment of your information security risks per ISO 27005. Risk treatment plan with economically sensible measures.

Duration: 2-4 weeks

03

Documentation & Policies

Creation of all required documents: information security policy, guidelines, procedures, Statement of Applicability (SoA). Practical, not bureaucratic.

Duration: 4-8 weeks

04

Implementation & Training

Deployment of technical and organisational measures. Training for staff and management. Integration into existing business processes.

Duration: 4-12 weeks

05

Internal Audit & Certification Support

Conducting the internal audit as a dress rehearsal. Supporting the external certification audit - we are by your side until the certificate is on the wall.

Duration: 2-4 weeks

Why AWARE7 for your ISMS

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your staff - suited to the mid-market, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyse millions of websites and tens of thousands of phishing emails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - with no US cloud providers. No freelancers, no subcontractors in the value chain. All employees are regular salaried staff (subject to German social insurance) and bound by the same legal obligations. VS-NfD-compliant on request.

Fixed price in 24h - plannable project timelines

Within 24 hours you receive a binding fixed-price quote - no hourly-rate risk, no additional charges, no surprises. Thanks to a well-rehearsed team and standardised processes you receive a clear schedule with a defined start and end date.

Your dedicated contact - reachable at any time

A personal project manager accompanies you from the initial consultation through to the re-test. You book appointments directly with your contact - no ticket systems, no call centre, no switching between changing consultants. Continuity builds trust.

Who are we the right partner for?

Mid-market companies with 50-2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one point of contact.

IT managers & CISOs

Who need to make a convincing case internally - and need a report written in board language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognised OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for executive management (German version).

Security is also social responsibility

AWARE7 is committed beyond day-to-day business: as the founder of a scholarship at Ruhr University Bochum we support the next generation of IT security professionals. We are a member of the Alliance for Cyber Security of the BSI and train our own specialists. Our R&D certificate confirms our innovative strength in cybersecurity research.

More about AWARE7

Frequently asked questions about ISMS consulting & ISO 27001 certification

What is an ISMS?

An Information Security Management System (ISMS) is a systematic approach to protecting your organisation's information. It encompasses policies, processes and technical controls to ensure confidentiality, integrity and availability. ISO 27001 defines the international standard for this - with 93 concrete controls in the current 2022 version.

How long does ISO 27001 certification take?

Typically 6-12 months, depending on company size and existing maturity level. For SMEs with 50-200 employees and existing IT foundations, we plan for 6-9 months. Companies with already structured IT security can be certification-ready in 4-6 months. We plan the timeline together, realistically.

What does ISO 27001 certification cost?

Costs depend on scope and maturity level. For an SME with 50-200 employees, expect consulting costs of EUR 20,000-50,000 for the entire certification process. In addition, there are the certification body's audit fees (approx. EUR 5,000-15,000). We provide a transparent fixed-price offer - no open consultant days.

Can ISO 27001 be combined with ISO 9001?

Yes, and this is particularly efficient. Both standards follow the same High Level Structure (Harmonized Structure, formerly Annex SL) and share many requirements: management commitment, risk management, documentation, internal audits, continual improvement. We build integrated management systems that fulfil both standards with approximately 20-30% additional effort instead of double the work.

Is ISO 27001 certification mandatory?

Certification is increasingly becoming a business prerequisite: companies subject to NIS-2 must demonstrate a risk management system for cybersecurity, many clients require ISO 27001 in tenders, cyber insurers offer better terms, and automotive suppliers subject to TISAX need a comparable system. Even without a mandate, an ISMS is the most structured method to embed IT security sustainably within an organisation.

How long is the certificate valid, and what happens afterwards?

The ISO 27001 certificate is valid for 3 years, with annual surveillance audits and re-certification in the third year. We can support you beyond that: preparing for surveillance audits, continual improvement, management reviews, risk updates. Your ISMS must be lived - not just documented.

ISO 27001 or BSI IT-Grundschutz?

ISO 27001 is the international standard and offers more flexibility in selecting measures. BSI IT-Grundschutz is the German approach with an extensive requirements catalogue (approx. 800 requirements). For internationally operating companies we recommend ISO 27001; for companies with strong ties to German public administration we recommend IT-Grundschutz. ISO 27001 certification based on IT-Grundschutz is also possible.

Is there a link between ISO 27001 and NIS-2?

Yes, a direct one. The NIS-2 Directive requires affected organisations to implement a cybersecurity risk management system with concrete measures (incident handling, BCM, supply chain security). An ISO 27001-compliant ISMS meets most NIS-2 requirements and is accepted as evidence. Management bears personal liability for non-compliance - an ISMS protects you too.

What does the gap analysis include?

In the gap analysis we review your existing measures against all 93 controls of ISO 27001:2022. The result is a detailed maturity report with a heatmap across all domains, concrete recommendations, prioritisation by risk and effort, and a realistic project plan. The gap analysis typically takes 3-5 days, on-site and remote.

Are you vendor-neutral?

Yes, completely. We do not recommend specific software products and have no partnerships with tool vendors. Our focus is on processes, organisational structures and your existing IT landscape. If tools are useful, we evaluate them together and recommend objectively. You avoid lock-in effects and unnecessary licence costs.

What sets AWARE7 apart as an ISMS consultancy?

We are ISO 27001 certified ourselves - we live what we advise. Unique is our combination of offensive security (penetration testing, red teaming) and ISMS consulting: our consultants know first-hand which risks are genuinely relevant and how attackers think. The ISMS we build is therefore practical and resilient - not just a paper exercise.

Do you offer an external CISO?

Yes. We provide qualified information security officers (CISO) as an external service. This is particularly attractive for SMEs that do not need a full-time position for the role. Our external CISO handles all operational ISMS tasks: risk management, audit coordination, training, management reporting. Details at /en/services/security-consulting/external-ciso/.

How is ISO 27001:2022 structured?

ISO 27001:2022 defines requirements in two areas: Clauses 4-10 describe the management system requirements (context, leadership, planning, support, operation, performance evaluation, improvement). Annex A contains 93 controls in four themes: 37 organisational, 8 people, 14 physical and 34 technological controls. New in the 2022 version are 11 controls, including threat intelligence, cloud security and data masking. The Statement of Applicability (SoA) documents which controls are relevant to your scope and justifies any exclusions.

What changed between ISO 27001:2013 and ISO 27001:2022?

The most important change: the controls in Annex A were restructured from 114 (in 14 categories) to 93 controls (in 4 themes). 11 new controls were introduced: threat intelligence (A.5.7), information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23) and secure coding (A.8.28). Existing certificates under ISO 27001:2013 had to be transitioned to the new version by 31 October 2025.

How does the certification audit work?

The certification audit takes place in two stages. In Stage 1 (document review), the auditor reviews your ISMS documentation, the Statement of Applicability and the risk treatment plan. In Stage 2 (implementation review), it is verified on-site whether the documented processes are actually lived - through interviews, samples and walkthroughs. After a successful review you receive the certificate, valid for 3 years. Surveillance audits follow in each of the next two years, and re-certification takes place before the certificate expires in the third year.

Three steps to ISMS certification

No project marathon. Starting your ISO 27001 consulting with AWARE7 is this simple.

1

Initial consultation

30 minutes, free of charge. We assess your current state and define the scope.

2

Fixed-price quote in 48h

Binding, transparent, no hidden costs. Including a realistic timeline.

3

ISMS build begins

Your dedicated contact starts with the gap analysis. Regular status updates guaranteed.

  • ISO 27001:2022
  • ISO 9001:2015
  • BSI CyberRiskCheck
  • Lead Auditor ISO 27001
  • Vendor-neutral
  • 100% Germany

Ready for the next step?

NIS-2 requires a cybersecurity risk management system. Management bears personal liability. An ISO 27001 ISMS protects your organisation - and you.

Free · 30 minutes · No obligation