What are the ISO27001 (ISMS) requirements — A fact sheet

Reza Rezvani
3 min read · Jan 27, 2023

ISO 27001 is an international standard that outlines the requirements for an information security management system (ISMS). It specifies a systematic approach to managing sensitive company information so that it remains secure. The standard includes requirements for risk assessment, security controls, incident management, and continual improvement.

The main requirements of ISO 27001 include:

  1. Risk assessment: Identify and evaluate the risks to the organization’s information assets, and implement controls to mitigate or accept those risks.
  2. Security controls: Implement appropriate security controls to protect the organization’s information assets. These can include technical and organizational measures such as access controls, encryption, and incident management procedures.
  3. Incident management: Establish procedures for identifying, reporting, and responding to security incidents.
  4. Continual improvement: Continually monitor and review the organization’s ISMS and make improvements as necessary.
  5. Documentation: Create and maintain documentation of the organization’s ISMS and the controls it has implemented.
  6. Compliance: Comply with relevant legal, regulatory, and contractual requirements.
  7. Communication: Communicate the ISMS policy, objectives and procedures to relevant parties.
  8. Training: Ensure that all employees are aware of their responsibilities in relation to the ISMS and are adequately trained to carry out those responsibilities.
  9. Monitoring and review: Establish and maintain an internal audit program to ensure that the ISMS is operating effectively and identify areas for improvement.
  10. Management review: Review the ISMS, its effectiveness, and any necessary improvements on a regular basis with top management.

By following the requirements of ISO 27001, organizations can ensure that they have a systematic and comprehensive approach to managing the security of their sensitive information. This can help them protect against threats, minimize the impact of security incidents, and comply with relevant laws and regulations.

In Germany, certification for ISO 27001 can be obtained through a number of accredited certification bodies. These bodies are independent organizations that have been accredited by a national accreditation body to assess and certify organizations for compliance with ISO 27001.

The process for obtaining certification typically includes the following steps:

  1. Initial assessment: The organization undergoes an initial assessment by the certification body to determine whether it is ready for certification. This assessment includes a review of the organization’s information security management system (ISMS) and its compliance with the requirements of ISO 27001.
  2. Certification audit: If the initial assessment is successful, the organization undergoes a certification audit. This is a comprehensive examination of the organization’s ISMS, including a review of its policies, procedures, and controls. The audit team will also observe the implementation of the ISMS and interview employees to ensure that the ISMS is being effectively implemented.
  3. Evaluation of results: After the certification audit, the certification body evaluates the results and makes a decision on whether to grant certification. If the organization is found to be compliant, it will be issued with a certificate of compliance.
  4. Surveillance audit: After the certification has been issued, the organization will be subject to periodic surveillance audits to ensure that it continues to comply with the requirements of ISO 27001. These audits are usually conducted annually, but the frequency may be higher depending on the certification body’s requirements.
  5. Recertification: Certification is valid for a certain period of time, usually three years. Organizations must pass a recertification audit to maintain their certification status.

It’s important to note that the specific requirements and procedures for obtaining ISO 27001 certification in Germany may vary depending on the certification body chosen. It’s always recommended to check with the specific certification body and ask for the requirements, process, and fees before starting the certification process.

I hope that with this post I can help you in your project.

Cheers

Reza Rezvani — Jan. 2023, Berlin

Written by Reza Rezvani

As CTO of a Berlin AI MedTech startup, I tackle daily challenges in healthcare tech. With 2 decades in tech, I drive innovations in human motion analysis.
