ISO 27001 Certification

For companies, ISO 27001 certification is influenced by the complexity of the business model and the expected risk profile. Typically, an organization’s IT infrastructure will reflect its business model and corporate philosophy. The more complex the constellation of software, hardware and business processes, the more complex an ISO 27001 audit will be.

How does a company obtain ISO certification?

In order to receive ISO certification as a company, you must submit standard-compliant documentation about the management system used in your company to the certification body. You can submit your own documentation for each standard or cover several ISO standards with an integrated management system (e.g. Integrated Management System ISO 27001 + EU GDPR). We will discuss the advantages and disadvantages of an integrated management system in our separate article.

How is the ISO 27001 stage 1 certification audit carried out?

In stage 1, the auditors check whether your ISMS is ready for certification. Location-specific framework conditions are also compared with the expected documentation, and the necessary information on the scope is determined.

The following will be examined in audit stage 1:


  • Are the submitted documents complete and in conformity with the ISO 27001 standard?
  • Is the implementation of the management system actually present in the company?
  • Can the level of implementation of the management system be determined?
  • Are relevant documents missing from the ISMS presented?

Based on the findings from audit stage 1, the auditors can create an audit plan. This requires appropriate knowledge of the organization and the management system.

How is the ISO 27001 stage 2 certification audit carried out?

The purpose of audit stage 2 is to examine the effectiveness of the management system introduced. Auditors take targeted samples along the process chains. The random samples help to clarify whether the requirements of the standard are being met. Audit planning provides the roadmap for the lead auditor and his co-auditors. The auditors also check organization-specific documents for compliance with general and industry-specific principles (laws, industry-specific and required standards, etc.).

As part of the final audit meeting, the auditors explain any deficiencies or deviations that may have been identified in the audited company. They show how these items affect the audit result. In the event of non-conformities, the company’s top management undertakes to initiate the necessary corrective actions. Root cause analysis can help to better understand what needs to be done. If necessary, the audit team later checks whether the measure taken achieved the expected correction.

Who needs ISO 27001 certification?

Both B2B and B2C companies need one or more certifications according to certain ISO standards. Where there are high risks for employees or customers, companies are often forced to acquire at least an ISO 9001 certificate. However, there is no legal obligation that forces companies to carry out ISO certification. Insurers, banks and major customers in particular indirectly force companies to introduce a certified management system.

The following risks force companies to introduce a certified management system:

  • Occupational safety risks (e.g. risk of accidents at workbenches)
  • Product safety hazards (e.g. danger to children due to defective toys)
  • Cyber risks (e.g. data breaches, theft of customer lists, industrial espionage)
  • Environmental risks (e.g. transport accidents, toxic discharges, seeping machine oil)

What ISO certifications are there?

The following ISO standards can be the most important for many companies:

  • ISO 9001: Quality management
  • ISO 14001: Environmental management
  • ISO 27001: Information security
  • ISO 30001: Risk management
  • ISO 45001: Occupational health and safety management
  • ISO 50001: Energy management

It is important to note that not every certification body is accredited for a specific standard or the latest version of the standard. Certification against an outdated version of the standard would result in high costs due to an early transition audit. Especially in the UK, not all certification organizations are yet accredited to the new ISO 27001:2022 standard. They are therefore allowed to carry out audits to a limited extent, but are not allowed to issue a certificate according to the 2022 standard.

ISO 27001 rule sets can be designed to be complex or lean

What advantages do ISO certifications offer?

The organizational processes are not left to chance, but are specifically documented and improved. This reduces operating costs, claims, insurance costs and risks. Value added, returns, margins, sales figures and company valuations increase.

The main external impact of an ISO certificate is the quality signal to the market in which suppliers and customers can be found. The company stands out from the rest of its competitors. Customers see certified companies as established and professional companies. This creates an appreciation in the buyers’ minds: the supplier appears reliable, sustainable, high-quality and efficient enough to guarantee long-term cooperation.