ISO/IEC 27001 Certification
What is ISO/IEC 27001?
The international standard ISO/IEC 27001 specifies the requirements necessary to establish, implement, maintain and continuously improve an information security management system (ISMS) in an organization. Security risks must be identified, assessed and, depending on the organization's circumstances, dealt with using appropriate security mechanisms to protect all the assets of the organization itself and within the value chain.
For whom is ISO/IEC 27001 relevant?
ISO/IEC 27001 can be applied regardless of industry and company size. Organizations in the information technology sector in particular know how important a functioning ISMS is, which is why most certified organizations to date have come from this sector. However, this should not obscure the fact that all IT-based companies, in any industry, face similar security risks, and they must address these to retain the trust of their customers and secure their existence.
Is an ISO/IEC 27001 ISMS a business standard?
ISO/IEC 27001 certification has been available worldwide since 2005. According to the ISO report, there were 36,362 valid certificates in 2019, including 1,175 in Germany alone.
What are the advantages of a certified ISMS according to ISO/IEC 27001?
Introducing an information security management system in your company shows your business partners and customers that you have well thought-out process management that involves your employees and protects the company's most important asset: its information.
Applied over the long term, a certified ISMS leads to efficiency gains and cost reductions through regular improvements. And, of course, the protection it provides against the potential costs of data theft, information leaks, or IT system infection and blockage, which can determine the organization's "to be or not to be", is especially important.
With a well thought-out management system you minimize your own risk, and it is not unusual for the ISO/IEC 27001 certificate to decide who wins the bid.
If you want to be among the best in your industry, certification is by all means worthwhile.
By obtaining it, you clearly demonstrate to all market players that you are doing everything in your power to prevent damage to yourself and to your business partners and customers.
After all, the undeniable advantages of advancing digitization not only increase your own efficiency and the fun of online shopping: they also create a playground for criminals who use cyberattacks to try to steal your hard-earned money, disclose your customers' data, or discredit you.
Therefore, seek advice in advance, if necessary, to correctly address all factors for implementing an ISMS and to initiate a successful certification.
What are the requirements for ISO/IEC 27001 certification?
A prerequisite for certification is, of course, a functioning ISMS that is structured according to the requirements of ISO/IEC 27001 (part of the ISO 27000 family).
ISO/IEC 27001 combines technical and management aspects with a focus on risk analysis and treatment. The technical aspects are found in Annex A of the standard, known as the "114 Controls", and include the specifications for securing a system. These cover, for example, the classic password procedure, encryption procedures, supplier relationships and compliance requirements.
An integral part of ISO/IEC 27001 certification is the preparation of a Statement of Applicability (SoA).
Creating the SoA is not just a formality. It is closely linked to the risk management in your company, and the applicable version appears with its date of issue on the ISO/IEC 27001 certificate.
The SoA acts as a bridge between risk assessment, risk treatment and the measures (controls) listed in the ISO/IEC 27001 standard, but not only that: in addition to assessing all necessary controls, legal and industry-specific risks should also be assessed here and summarized in the SoA together with the applicable measures.
In this way, your Statement of Applicability reflects the current status, which is confirmed in the certificate.
How you implement an ISMS depends entirely on your company: its resources, competencies, processes, structure and technology. What is suitable for one organization does not necessarily produce the same success in another. You have several options here, which you can combine to best suit your capabilities:
- You hire a consultant who has the appropriate qualifications and experience in information security management systems.
- You have capable employees within your own ranks whom you can train to become experts. For example, our academy offers courses to become an information security officer (also online). The training is demanding, but a worthwhile investment in the long term, because it is not just about implementing the system and complying with the law, but about continuously improving your ISMS.
- There are also many tools and programs on the market that include templates, for example, to help you document your ISMS and guide you through the implementation process.
Unlike other management systems, the purpose of the ISMS is not to achieve specific results (e.g., product quality in quality management), but rather to prevent potentially harmful events. The goal of an ISMS is to minimize or even eliminate the risk for certain situations. An ISMS is, so to speak, applied risk management.
The basic process in a nutshell:
- Identify all assets (related to information).
- Identify and assess the risks associated with the assets.
- Plan and implement measures to reduce unacceptable risks.
- Evaluate the effectiveness of the implemented measures and update the risk assessment.
After all processes and risk-reduction measures have been introduced and implemented, a comprehensive internal audit is performed to determine whether the ISMS meets all external and internal requirements.
For their internal audit, GUTcert customers benefit from a detailed checklist that they receive from us after placing the order. By checking your information security management system against this checklist, you can assess whether the measures and solutions of your ISMS meet the audit requirements. If you want to be on the safe side, you have the option of using the expertise of an external auditor; in this case, you commission a pre-audit (gap analysis).
Every organization is unique and in a different phase of development. That's why we are happy to create an individual offer, specifically adapted to your needs.
We analyze the following factors, among others, when preparing your offer:
- the desired scope of the certification
- the size of the company, number of locations, number of employees
- IT-specific solutions, encryption, etc.
- other existing management system certifications, if applicable
5 steps to your ISO/IEC 27001 certificate
Once your ISMS has been successfully established, you can have it externally certified. The certification process at GUTcert comprises five steps:
- Offer and order
  - You contact us via our website, by phone or e-mail.
  - After the initial contact, we send you our questionnaire, in which we record all data relevant to the offer.
  - On the basis of your completed questionnaire, we clarify any open questions in direct contact.
  - We calculate the necessary effort for the entire validity period of the certification (3 years) and send you our offer.
  - Upon request, we hold a preliminary meeting with you, answer your questions about the procedure and discuss the next steps for your certification.
  - You send us your order; we then request a formal confirmation of the certification contract from you.
- Preparation for the audit - as-is analysis
  - The certification body determines the audit team according to your requirements and informs you about it.
  - Review of the documentation of your ISMS.
  - If required, a pre-audit (gap analysis).
  - Preparation of the audit program by the certification body (procedure, dates, necessary documents).
- Stage 1 - assessment of certification readiness
  - Review of the structure and scope of the management system.
  - Review of the documentation (Statement of Applicability, SoA).
  - Inspection of the management center.
  - Stage 1 report.
  - Planning of the stage 2 audit.
- Stage 2 - comprehensive audit of the ISMS
  - Site audit, including introductory meeting, interviews, site tour, observation of activities, document review and final meeting.
  - Stage 2 report with a recommendation for certification.
- Certification decision
  - Review of the audit documentation by the certification body.
  - Decision on certification by independent auditors.
  - Issuance of the ISO/IEC 27001 certificate (valid for 3 years).
GUTcert is accredited for information security auditing according to ISO/IEC 27001 by the German Accreditation Body (DAkkS).
The certification cycle is three years from initial certification:
- Year 1 - first surveillance audit
- Year 2 - second surveillance audit
- Year 3 - recertification audit
ISO/IEC 27001 certification with GUTcert
We attach importance to audits that bring real added value to our customers: Our auditors are subject matter experts and provide valuable advice on how to optimize your processes and measures. In this way, we guide you through the maze of legal regulations into the "safety zone". In association with our parent company AFNOR Group, we operate worldwide.
You receive from us:
- A customized, individual offer based on the qualitative and quantitative analysis of your data
- Support in a preliminary video call / interview
- If required, a pre-audit (gap analysis)
- Professional support from an individual account manager focusing on your specific concerns throughout the certification process
- A certificate that counts for something in the national and international marketplace
- Expert knowledge in the training courses of our GUTcert Academy - in person, online or as an eLearning format.
Have you already established other management systems? If so, we can provide everything you need from a single source in an integrated management system. Combined certification with ISO 9001, ISO 50001 or ISO 14001, for example, saves you work and resources, and therefore money.
Contact us today by e-mail or telephone - we will be happy to answer your questions.
Change of certifier
Should you wish to terminate the cooperation with your current certification body, we will be happy to take over your ongoing certification process. Find out more about our changeover service.
The energy industry, as part of the critical infrastructures, is considered separately by the legislator: For companies whose activities include grid operation, energy generation and storage, proof of an information security management system in accordance with ISO/IEC 27001 is not sufficient. The special requirements for this area have been summarized in industry-specific IT security catalogs (ITSK).
IT security catalog in accordance with Section 11 (1a) of the Energy Industry Act (EnWG)
The requirements of the IT security catalog pursuant to Section 11 (1a) of the Energy Industry Act were the first to be made mandatory, for the network operator sector (electricity and/or gas). The IT security catalog explicitly requires proof of certification in accordance with ISO/IEC 27001 and implementation of the requirements listed in the security catalog.
IT security catalog pursuant to Section 11 (1b) of the Energy Industry Act (EnWG)
For the energy generation and storage sector (electricity and/or gas), the requirements of the IT security catalog pursuant to Section 11 (1b) of the Energy Industry Act became mandatory. Affected are electricity generation or electricity storage facilities with more than 104 MW of electrical connected load and gas storage facilities with more than 5,190 GWh/year of withdrawn energy. These threshold values are derived from the CRITIS Ordinance.