Skip to main content
International ISMS standard

ISO 27001 Information security with system

The world's leading standard for information security management systems. We build your ISMS to ISO/IEC 27001:2022 and guide you through to accredited certification – systematic, risk-based and audit-proof.

93

Controls (Annex A)

4

Theme categories

4–10

Normative clauses

3 years

Certification cycle

The fundamentals

What is ISO/IEC 27001?

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It defines requirements for establishing, operating and continually improving a system with which organisations manage their information security risks systematically. The current edition is 2022, supplemented by Amendment 1:2024 (climate-change reference).

Internationally recognised

The world's most widely used ISMS standard – independent of industry and size, recognised by clients, partners and in tenders.

Risk-based

Controls are selected by risk rather than across the board – documented in the risk treatment plan and the Statement of Applicability.

Certifiable

An accredited certificate (via DAkkS-accredited bodies) demonstrates lived information security to third parties.

NIS2 evidence

An ISO 27001 ISMS covers a substantial part of the risk-management obligations under § 30 BSIG and serves as evidence.

The controls

Annex A: 93 controls in 4 themes

The 2022 edition structures the security controls into four themes. Which controls apply is determined by the risk assessment – with detailed guidance in ISO/IEC 27002:2022.

37
A.5

Organisational

Policies, roles, suppliers, cloud, incident management and compliance

8
A.6

People

Awareness, responsibilities and secure behaviour of employees

14
A.7

Physical

Access, securing of areas, equipment and storage media

34
A.8

Technological

Access, cryptography, hardening, monitoring and secure development

Not all 93 controls have to be implemented – the selection is risk-based, and any non-applicability is justified in the Statement of Applicability (SoA).

Building the ISMS

Clauses 4 to 10

The normative requirements follow the PDCA cycle – from context analysis through to continual improvement.

4 Context of the organisation Plan
5 Leadership Plan
6 Planning (risk assessment) Plan
7 Support Plan
8 Operation Do
9 Performance evaluation Check
10 Improvement Act

The path to the certificate

1

Stage 1 audit

Document review: is the ISMS built to the standard and ready for audit?

2

Stage 2 audit

On-site effectiveness review: is the ISMS lived in practice?

3

Certificate

Issued by a DAkkS-accredited body – valid for three years

4

Surveillance audits

Annual audits in years 1 and 2 confirm continued conformity

5

Re-certification

Full audit after three years to renew the certificate

ISO 27001, IT-Grundschutz and NIS2

ISO 27001 can be linked to BSI IT-Grundschutz via the official BSI mapping table and serves as evidence for the risk-management obligations under NIS2 / BSIG 2025.

Our services

End-to-end support for ISO 27001

From gap analysis to the certificate – we guide you through the entire cycle.

Gap analysis

Target-vs-actual comparison against all requirements of ISO/IEC 27001:2022.

  • Assessment of clauses 4–10
  • Review of the Annex A controls
  • Prioritised implementation plan

ISMS setup

Design and rollout of a complete ISMS.

  • Policy, RTP & SoA
  • Governance & roles
  • Integration with ISO 9001 / 22301

Risk assessment

Methodical identification, analysis and treatment of risks.

  • Define assessment criteria
  • Risk identification
  • Risk treatment plan

Annex A implementation

Selection and implementation of the relevant controls.

  • Statement of Applicability
  • Policy templates
  • Cloud & threat-intel controls

Internal audits

Standard-compliant internal audits to prepare for certification.

  • Audit plan & checklists
  • Conducted to ISO 19011
  • Audit report & actions

Certification support

Preparation for and support through the Stage 1 and Stage 2 audits.

  • Document review
  • Auditor liaison
  • Tracking of non-conformities

Why DLAU for ISO 27001?

Certified ourselves

DLAU is certified to ISO 27001 and ISO 9001 – we know the audit from our own experience

Current edition

Consistently to ISO/IEC 27001:2022 including Amendment 1:2024

Bridge to IT-Grundschutz

ISO 27001 based on IT-Grundschutz from a single source as well

NIS2-ready

The ISMS as robust evidence towards the BSI

Ready for ISO 27001 certification?

We get you to ISO/IEC 27001:2022 systematically – from gap analysis and ISMS setup through to a passed certification audit.

Related: IT security standards · IT-Grundschutz · NIS2