Certification according to ISO 27001

In the course of digital transformation, the security of information is becoming an increasingly urgent topic for companies. Without adequate security precautions, data loss and data theft by hackers, business downtime due to internet attacks or data misuse are a constant threat. One option for a structured approach is an information security management system (ISMS) according to ISO 27001, which creates a framework for protecting operational data and its confidentiality. At the same time, the international standard ensures the availability of the IT systems involved in the company processes. An ISO 27001 certification is an objective external evaluation of the implementation and effectiveness of the ISMS.

  • Demonstrable IT security
  • Continuous information and data security
  • Implementation of external requirements
  • IT security as part of the corporate culture

Coordinated by the European Committee for Standardization (CEN), DIN EN ISO/IEC 27001:2017-06 combines the two corrections (Corrigenda) Cor 1:2014 and Cor 2:2015. The changes associated with the correction only contain an improved description of the associated requirements, but no new, additional requirements. Certificates based on the 2013 version therefore remain valid. 

The internationally valid ISO 27001 standard for information security management systems applies worldwide. It provides organizations of all sizes and sectors with a framework for planning, implementing and monitoring information security. The requirements are applicable generally and suitable for private and public companies as well as non-profit institutions. We would be happy to help you if you want to have the information security of your company or organization certified.

According to the German Federal Office for Information Security (BSI), companies that belong to a Critical Infrastructure Sector (KRITIS) and exceed a certain threshold value must provide proof of precautions taken to ensure information security. Critical infrastructure sectors include energy, water, health, finance and insurance, food, transport and traffic, information technology and telecommunications. Corresponding proof of implementation may be provided through security audits, tests or certification. For this purpose, either recognized standards such as ISO 27001 or, alternatively, BSI-recognized industry-specific security standards (B3S) may be used as a basis for auditing.

  • (1) Getting to know each other and defining goals
    The first step is to discuss your organization and the goals of an ISO 27001 certification with our auditors. Based on these discussions, you will receive an individual offer tailored to the needs of your organization. 
  • (2) Pre-audit and project planning meeting 
    These steps prepare the actual audit. A meeting for project planning may be useful, for example, for larger projects in order to better coordinate schedules and the conduct of the audit in multiple locations or regions. The pre-audit offers the opportunity to identify strengths and potential for improvement of the system in advance.
  • (3) Audit - Stage 1 and 2
    The certification audit starts with an analysis and evaluation of your system and determines whether your management system is ready for certification. In the next step, your auditor evaluates the effectiveness of the management processes on site by comparison to the requested standard(s). The results are presented at a final meeting and, if necessary, action plans are agreed upon.
  • (4) System evaluation
    After the audit the results are evaluated by DQS's independent certification committee. If all requirements are met, you will receive the ISO 27001 certificate.
  • (5) Surveillance audits and recertification
    Every six months or annually, major components of the system are re-audited on site to achieve further improvements. The certificate expires after three years at the latest, but recertification is carried out before this period expires to ensure continuous compliance with the requirements.


Even though the ISO 27001 audit must be carried out according to structured criteria, the costs depend on various factors, including the complexity of your company. For this reason, no package offer can be made that suits every company. Among other things, the following four criteria are the basis for determining the costs of certifying your ISMS according to ISO 27001. Depending on the assessment of each criterion, the calculation is based on a reduced, normal or increased time and effort.

1. How complex is your information security management system?

Here we take into account the critical assets of your company (e.g. patents, personal data, facilities, processes). The time and effort needed for the audit is primarily based on the information security requirements and to what extent confidentiality, integrity and availability are affected: 

  • Extent of sensitive or confidential information processed in the IT network
  • Number of interfaces and business processes
  • Number of business units affected

2. What is the core business of your company within the scope of the ISMS?

At this point, the risks associated with your business processes play an important role in determining the necessary audit effort. Legal requirements are taken into account as well as complex, individual customer requirements.

3. Which are the main technologies and components used in your ISMS?

During the audit, the technology and the individual components of your ISMS will be examined. This includes IT platforms, servers, databases, applications and network segments. As a rule: the higher the proportion of standardized systems and the lower the complexity of your IT, the lower the effort and the lower the costs for an ISO 27001 certification may be.

4. What is the percentage of in-house developments in your ISMS?

If there is no internal development and you mainly use standardized software platforms, the effort of an assessment is lower. If your ISMS is characterized by intensive use of proprietary software that is used for central business areas, the effort for certification will be higher.

In order for us to be able to give you an overview of the costs for an ISO 27001 certification, we need precise information about your business model and the scope of your ISMS in advance. This will enable us to provide you with a customized offer. Please contact us directly; your personal contact person will advise you.


In order to certify an information security management system, the respective certification body itself must be accredited according to ISO/IEC 17021 and ISO/IEC 27006. ISO/IEC 17021 regulates conformity assessment topics, especially requirements for institutions that audit and certify management systems. ISO/IEC 27006 defines strict requirements which certification bodies must comply with for the assessment and certification of an ISMS according to ISO 27001.

These include:

  • Proof of predefined time and effort for audits
  • Requirements for the qualification of auditors

No matter which industry your company is active in, you can rely on the extensive expertise of DQS auditors. They have many years of experience in the evaluation of information security and other management systems for different industries.

DQS GmbH is accredited by the German Accreditation Body DAkkS and thus authorized to conduct audits and certifications according to ISO 27001.

Each certification is planned individually, tailored to the circumstances and goals of your company. In our audits you will receive valuable impulses with which you may further develop your system and increase the performance of your organization. We take a close look at the processes and your management system.

This is what our customers say:

"With every audit and every potential for improvement we receive new insights and benefit from the many years of experience of our DQS auditors."

Tobias Hauk, Head of Integrated Management Systems at Rudolph Logistics

We would be happy to send you an overview of the costs for an ISO 27001 certification. Request the offer now and your personal contact will get in touch with you and advise you.

What are the advantages of an ISO 27001 certification?

You create a continuously high level of information security

With an ISMS according to ISO 27001, you create reliable processes and responsibilities and thus protect confidential company data from misuse, loss and unauthorised disclosure.

You make IT security part of your corporate culture

ISO 27001 takes a holistic view of your company and includes all business areas and departments.

You strengthen the trust in your company

For stakeholders, business partners, customers or investors, the ISO 27001 certificate is important proof that you are conscientious in your handling of information and data security.

You strengthen your competitiveness

Certification sets you apart from the competition that has not yet received the certificate.
