
ISO 27001 - Information Security Management System

ISO 27001 is the international standard for information security management systems (ISMS). It defines requirements for the establishment, operation, and continuous improvement of information security.


ISO/IEC 27001 is the world’s leading standard for information security management systems (ISMS). It defines how organizations should systematically identify, assess, and address information security risks—regardless of industry or company size. ISO 27001 certification is internationally recognized proof of a mature security organization.

History and Development

ISO 27001 traces its origins to the British standard BS 7799, which was published in 1995. After several revisions, it was internationalized in 2005 as ISO/IEC 27001:2005. The current version, ISO/IEC 27001:2022, was published in October 2022 and introduced significant changes in Annex A—particularly through the introduction of new controls in the areas of threat intelligence, cloud security, and ICT readiness for business continuity.

Existing certificates had to be migrated to the 2022 version by October 2025.

Structure of the Standard

ISO 27001 follows the so-called High Level Structure (HLS), which also forms the basis for other management system standards (ISO 9001, ISO 14001). This enables easy integration with other management systems.

Normative Requirements (Clauses 4–10)

Clause 4 - Context of the Organization

The organization must determine internal and external factors that influence its ability to operate the ISMS. This includes stakeholder analysis and defining the scope of the ISMS.

Clause 5 - Leadership

Top management must take responsibility, establish an information security policy, and assign roles and responsibilities. Without genuine management commitment, any ISMS will fail.

Clause 6 - Planning

Risk assessment and risk treatment are at the heart of the standard. The organization must define a reproducible process to identify, analyze, and evaluate risks and, based on this, prepare a Statement of Applicability (SoA).

Clause 7 - Support

Resources, competence, awareness, communication, and documented information.

Clause 8 - Operation

Implementation of risk treatment plans and control of operational processes.

Clause 9 - Performance Evaluation

Internal audits, management review, and monitoring measures.

Clause 10 - Improvement

Nonconformities, corrective actions, and continuous improvement (PDCA cycle).

Annex A - Controls

Annex A contains 93 controls in four categories (ISO 27001:2022):

| Category | Number of Controls | Examples |
| --- | --- | --- |
| Organizational | 37 | Information security policy, asset management, supplier security |
| Personnel | 8 | Screening, confidentiality agreements, security training |
| Physical | 14 | Secure areas, physical access control, clean desk policy |
| Technological | 34 | Access control, cryptography, vulnerability management, SIEM |

New additions to ISO 27001:2022 include:

  • 5.7 Threat Intelligence
  • 5.23 Information Security in the Use of Cloud Services
  • 5.30 ICT Readiness for Business Continuity
  • 8.9 Configuration Management
  • 8.16 Monitoring Activities

Certification Process

Phase 1: Establishment of the ISMS (6–18 months)

  1. Gap Analysis: Assessment of existing security measures, comparison with ISO 27001 requirements
  2. Scope Definition: Which assets, processes, and locations will be certified?
  3. Risk Analysis: Identification of all information assets, threats, and vulnerabilities
  4. Risk Treatment: Selection of appropriate controls from Annex A, creation of the SoA
  5. Implementation: Introduction of technical and organizational measures
  6. Internal Audits: Preparation for external audit

Phase 2: Certification Audit (by an accredited body)

Stage 1 Audit (Document Review)

The auditor verifies whether the ISMS documentation is complete and compliant with the standard. Typical review points: risk assessment, SoA, internal audit results, management review minutes.

Stage 2 Audit (On-site Audit)

Verification of actual implementation within the organization: employee interviews, system demonstrations, and spot checks. If nonconformities (minor/major) are identified, the organization must demonstrate corrective actions.

Annual surveillance audits and recertification

The certificate is valid for three years. Shorter surveillance audits take place in years 1 and 2; after three years, a full recertification is required.

ISO 27001 and BSI IT-Grundschutz

In Germany, the BSI offers ISO 27001-accredited certification based on IT-Grundschutz. The IT-Grundschutz catalogs contain significantly more detailed implementation guidelines (building blocks) than the generic controls in ISO Annex A—ideal for German government agencies and companies that require very specific instructions for action.

Why ISO 27001?

Market Position: In many industries (finance, healthcare, critical infrastructure), ISO 27001 is a minimum requirement for suppliers and partners.

NIS2 Compliance: The EU NIS2 Directive requires affected companies to have a functioning risk management system. ISO 27001 certification is considered strong evidence of compliance, even though it does not fully cover all NIS2 obligations.

Insurance: Cyber insurers reward ISO 27001 certifications with lower premiums.

Customer expectations: Enterprise customers, particularly those in the public sector and the defense industry, require ISO 27001 as a prerequisite for signing contracts.

Costs of ISO 27001 Certification

| Item | Small Business | Medium-Sized Business |
| --- | --- | --- |
| Consulting/Implementation | €20,000–€40,000 | €60,000–€120,000 |
| Certification audit | €5,000–€10,000 | €10,000–€20,000 |
| Annual surveillance audit | €3,000–€6,000 | €6,000–€12,000 |
| Tools (ISMS software, SIEM) | €5,000–€20,000/year | €20,000–€60,000/year |

Further information: AWARE7 ISO 27001 Consulting



About the Author

Oskar Braun

Head of Information Security Consulting

Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security, and nudging in IT security. Responsible for establishing and maintaining ISMS, leads internal audits according to ISO/IEC 27001:2022, and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer in Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.

ISO 27001 Lead Auditor (IRCA), ISB (TÜV)
This article was last edited on 03.03.2026. Responsible: Oskar Braun, Head of Information Security Consulting at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
