ISO 27001 Information security with system
The world's leading standard for information security management systems. We build your ISMS to ISO/IEC 27001:2022 and guide you through to accredited certification – systematic, risk-based and audit-proof.
Controls (Annex A)
Theme categories
Normative clauses
Certification cycle
The fundamentals
What is ISO/IEC 27001?
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It defines requirements for establishing, operating and continually improving a system with which organisations manage their information security risks systematically. The current edition is 2022, supplemented by Amendment 1:2024 (climate-change reference).
-
Internationally recognised
-
The world's most widely used ISMS standard – independent of industry and size, recognised by clients, partners and in tenders.
-
Risk-based
-
Controls are selected by risk rather than across the board – documented in the risk treatment plan and the Statement of Applicability.
-
Certifiable
-
An accredited certificate (via DAkkS-accredited bodies) demonstrates lived information security to third parties.
-
NIS2 evidence
-
An ISO 27001 ISMS covers a substantial part of the risk-management obligations under § 30 BSIG and serves as evidence.
The controls
Annex A: 93 controls in 4 themes
The 2022 edition structures the security controls into four themes. Which controls apply is determined by the risk assessment – with detailed guidance in ISO/IEC 27002:2022.
Organisational
Policies, roles, suppliers, cloud, incident management and compliance
People
Awareness, responsibilities and secure behaviour of employees
Physical
Access, securing of areas, equipment and storage media
Technological
Access, cryptography, hardening, monitoring and secure development
Not all 93 controls have to be implemented – the selection is risk-based, and any non-applicability is justified in the Statement of Applicability (SoA).
Building the ISMS
Clauses 4 to 10
The normative requirements follow the PDCA cycle – from context analysis through to continual improvement.
The path to the certificate
Stage 1 audit
Document review: is the ISMS built to the standard and ready for audit?
Stage 2 audit
On-site effectiveness review: is the ISMS lived in practice?
Certificate
Issued by a DAkkS-accredited body – valid for three years
Surveillance audits
Annual audits in years 1 and 2 confirm continued conformity
Re-certification
Full audit after three years to renew the certificate
ISO 27001, IT-Grundschutz and NIS2
ISO 27001 can be linked to BSI IT-Grundschutz via the official BSI mapping table and serves as evidence for the risk-management obligations under NIS2 / BSIG 2025.
Our services
End-to-end support for ISO 27001
From gap analysis to the certificate – we guide you through the entire cycle.
Gap analysis
Target-vs-actual comparison against all requirements of ISO/IEC 27001:2022.
- Assessment of clauses 4–10
- Review of the Annex A controls
- Prioritised implementation plan
ISMS setup
Design and rollout of a complete ISMS.
- Policy, RTP & SoA
- Governance & roles
- Integration with ISO 9001 / 22301
Risk assessment
Methodical identification, analysis and treatment of risks.
- Define assessment criteria
- Risk identification
- Risk treatment plan
Annex A implementation
Selection and implementation of the relevant controls.
- Statement of Applicability
- Policy templates
- Cloud & threat-intel controls
Internal audits
Standard-compliant internal audits to prepare for certification.
- Audit plan & checklists
- Conducted to ISO 19011
- Audit report & actions
Certification support
Preparation for and support through the Stage 1 and Stage 2 audits.
- Document review
- Auditor liaison
- Tracking of non-conformities
Why DLAU for ISO 27001?
Certified ourselves
DLAU is certified to ISO 27001 and ISO 9001 – we know the audit from our own experience
Current edition
Consistently to ISO/IEC 27001:2022 including Amendment 1:2024
Bridge to IT-Grundschutz
ISO 27001 based on IT-Grundschutz from a single source as well
NIS2-ready
The ISMS as robust evidence towards the BSI
Ready for ISO 27001 certification?
We get you to ISO/IEC 27001:2022 systematically – from gap analysis and ISMS setup through to a passed certification audit.
Related: IT security standards · IT-Grundschutz · NIS2