Hardly any tender in the B2B world still gets by without the question: are you ISO 27001 certified? The standard has established itself as the common denominator by which companies measure the security maturity of their partners.
What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management systems, or ISMS for short. It does not describe individual products or technologies, but a management system: documented processes with which an organization identifies, assesses, and treats its information risks and continuously reviews the effectiveness of its controls.
The current version dates from 2022. Its Annex A contains 93 reference controls in four topic areas: organizational, people, physical, and technological controls. Which of these a company implements is defined on a risk basis in the Statement of Applicability. It is precisely this risk orientation that makes the standard applicable to small and large organizations alike.
How does certification work?
- Build the ISMS: Define the scope, analyze risks, select and document controls, define responsibilities and metrics.
- Operate and improve: The ISMS lives on the cycle of plan, do, check, and act, including internal audits and management reviews.
- Certification audit: An accredited certification body reviews documentation and lived practice in two stages and issues the certificate on success.
- Maintain: The certificate is valid for three years, with annual surveillance audits and subsequent recertification.
Why it matters
- The certificate is the internationally recognized proof of systematic information security, often a prerequisite in tenders and supplier assessments.
- The risk orientation directs budgets to where they reduce the greatest risk, instead of into isolated measures without context.
- A lived ISMS structurally covers many requirements of other frameworks, from NIS-2 to DORA, and thus reduces duplicated effort.
- The annual audits enforce currency: processes and controls do not become outdated unnoticed.
Typical scenarios
- A software vendor needs the certificate because a corporate customer makes it a condition of the framework agreement.
- A mid-sized company uses the ISMS build-out to bring order to risks, processes, and evidence ahead of NIS-2 registration.
- An IT service provider uses the certificate to demonstrate to financial customers the foundation on which DORA-specific requirements build.
- After a security incident, a company anchors the lessons learned permanently in an ISMS instead of in a one-time cleanup.
The path to the certificate in practice
The most common stumbling blocks are predictable. The scope is cut too large: anyone who wants to certify the entire organization on the first attempt will spend months reviewing and documenting; a wisely chosen scope around the critical processes delivers a solid certificate faster. The documentation is created for the audit rather than for everyday work: auditors reliably spot a paper ISMS, at the latest in the interview with the business units. And the effectiveness of controls remains unproven: a control without a metric, report, or sample is worth little in the audit.
It therefore helps to let evidence arise where work is happening anyway: operational reports from the managed service provider, policy states from the segmentation platform, access reviews from the identity system. This keeps the ISMS lean, and the annual surveillance audits become routine rather than a special exercise.
ISO 27001 and BSI IT-Grundschutz: the difference
Both lead to a certifiable ISMS. ISO 27001 is internationally recognized and open on a risk basis: the organization derives its controls itself from the risk analysis. The German BSI IT-Grundschutz, by contrast, works with detailed modules and specific requirement catalogs; an ISO 27001 certificate based on IT-Grundschutz combines both worlds, but is considerably more extensive to implement. For internationally active companies, native ISO certification is the common route. How the frameworks sort out overall is shown in the entry Cybersecurity Compliance .
KAEMI as your partner
KAEMI operates its own ISMS in accordance with ISO 27001; the current state of our security controls and evidence is documented in our Trust Center . We therefore know the requirements from our own implementation, from the audit to day-to-day operations. Many Annex A controls in the network and access topic areas can be implemented as a managed service and cleanly evidenced: Zero Trust Microsegmentation delivers documented, auditable network policies together with visibility into the real data flows, and a SASE/SSE architecture implements access control and secure connectivity. The reports and policy states from operations serve directly as audit evidence. KAEMI supports your ISMS officer in this; certification itself remains the responsibility of your organization and the certification body.