THREAT BRIEFING · 15.07.2026 DEENFRES

Strategy & Governance

Why an ISO Certificate Alone Is Not Enough for the BSI

By Benedikt Langer · June 19, 2026 · 10 min read

Since December 6, 2025, the amended BSIG has applied. According to the BSI, the number of supervised entities is growing from around 4,500 to approximately 29,500. Many of them have an ISO 27001 certificate on file and consider themselves secure. The BSI states clearly in its information package on the standard: ISO certification is neither NIS2 compliance nor admissible evidence in supervisory proceedings.

Key Takeaways

  • No Substitute: The BSI explicitly does not recognize an ISO 27001 certification as proof of compliance under the BSIG. The supervisory authority reviews Sections 30, 32, and 38 directly.
  • Significant Overlap: The BSI mapping table assigns all ten measure areas from Section 30 to specific ISO controls. A clean ISMS noticeably reduces implementation effort.
  • Three Gaps: Scope, risk acceptance, and the mandatory official notification requirement are not addressed by the standard in this form. This is precisely where the reflex to simply present the certificate fails.
  • Executive Responsibility: Section 38 obliges executive management personally to implement, monitor, and provide regular training. This duty cannot be delegated to a certificate.

Related:NIS2 After the Deadline: BSI Supervision Begins Now  /  Adaptive MFA in the NIS2 Audit

Three BSIG Obligations Your ISO Audit Knows Nothing About

What Is NIS2? NIS2 is the EU directive on network and information security, transposed into German law through the amended BSIG. It requires affected entities to manage risks, report significant incidents, and register with the BSI, with personal responsibility resting with executive management.

The certificate remains a strong foundation in this context. According to the BSI mapping, a living ISMS covers a large portion of the legal measures. Just not all of them. Knowing the gaps saves costly duplication and rework during the first audit.

Whether an entity falls under the law depends on its sector and size. Its own security level plays no role in determining applicability. Section 28 BSIG distinguishes between particularly important and important entities; KRITIS operators are automatically classified as particularly important. Those affected carry three central obligations that an ISO auditor does not examine as part of certification.

The first is registration under Section 33. The second is the reporting of significant incidents under Section 32. The third is risk management including documentation under Section 30. ISO 27001 is a voluntary standard; the BSIG is enforceable law backed by a supervisory authority. This is the core of the misunderstanding: an auditor certifies a management system; an authority demands compliance with specific statutory obligations.

The BSI articulates this distinction unambiguously in its information package for the standard. Certification is good evidence of maturity level, but it does not count as proof of compliance in supervisory proceedings.

Where ISO 27001 Already Holds Up According to the BSI Mapping

The good news is in the BSI’s official mapping table. Section 30(2) lists ten mandatory measure areas, from risk analysis through incident response and business continuity to supply chain, cryptography, and multi-factor authentication. For each of these areas, the BSI names the corresponding clauses and controls from ISO 27001 (2022 version).

In concrete terms: Anyone operating a living ISMS already has most of the building blocks in place. Risk registers, incident response playbooks, supplier assessments, a cryptography policy, and an MFA roadmap directly contribute to the statutory areas. The BSI notes that certification can reduce implementation effort. The authority deliberately does not name a fixed percentage. Anyone who invents one is selling false precision.

One caveat remains. The mapping is informational in nature and has no legal binding force. An implemented ISO control fulfills the statutory obligation only if scope and depth of implementation are correct. And it is precisely at these two points that the gaps open up.

Three Gaps That a Certificate Does Not Close

The first gap concerns scope. Under ISO 27001, the organization defines its scope itself, often limited to a department, a location, or a single process. The BSIG does not grant this freedom. The measures apply to the regulated services and the IT systems that deliver them. A certificate that covers only the IT department usually does not satisfy the statutory requirement.

The second gap lies in risk treatment. ISO allows risks to be consciously accepted or transferred via insurance. Section 30, by contrast, requires the actual implementation of appropriate measures in line with the state of the art. Blanket acceptance of relevant risks does not hold up before the supervisory authority. Anyone maintaining an honest risk register should review every entry marked as accepted against the statutory implementation obligation.

The third gap is the notification obligation. An incident response process under ISO governs internal escalation. However, it does not include a reporting channel to the authority. Section 32 requires a three-stage notification to the joint reporting office of the BSI and BBK: an early warning within 24 hours, a follow-up report within 72 hours, and a final report within one month after the follow-up report. The BSI’s guideline is speed before completeness. An internal notification to one’s own security team does not replace this obligation.

The following overview summarizes where the certificate holds up and where the law goes further.

Topic ISO 27001 Typically Covers BSIG Additionally Requires
Scope Scope freely selectable, often a single unit Measures for all systems of the regulated services
Risk Treatment Acceptance and transfer of risks permitted Mandatory implementation under Section 30; no blanket transfer
Incident Response Internal escalation and IR processes Authority notification under Section 32: 24h, 72h, one month
Executive Management Management review, approval of the policy Personal obligation under Section 38: implementation, monitoring, training
Registration Not part of the standard Registration under Section 33; supervision without certificate as proof

Section 38: Why Executive Management Remains Personally Responsible

Perhaps the most important difference is set out in Section 38. Executive management must implement the risk management measures under Section 30 and monitor their implementation. This duty is personal and cannot be delegated to the CISO or to a certificate. In the event of culpable breach, liability for damages applies according to corporate law standards.

In addition, there is a training obligation. Executive management must undergo regular training to be able to identify and assess risks. The ISO management review under Clause 9.3 covers organizational steering. It does not replace the statutory personal responsibility of management.

A clarification is important here because it is often quoted incorrectly. The EU Directive refers in Article 20 to approval of the measures by the management bodies. The German BSIG is more narrowly worded and requires implementation and monitoring. Anyone internally speaking of “approval” should be aware of the EU reference and not act as if the word appears in the German law. In practice, the obligation means: documented approvals, a fixed reporting cadence, and verifiable training for management.

What Must Be Completed Before the First Incident

In addition to the ongoing obligations, there is registration. Under Section 33, an affected entity must register no later than three months after first becoming subject to the law, via the company account and the BSI portal, which has been available since January 6, 2026. KRITIS operators proceed via the KRITIS Framework Act. The supervisory authority can order audits under Sections 61 and 62. Even there, the ISO certificate does not count as recognized proof of compliance.

It therefore makes sense to maintain a separate evidence file that is kept independently of the ISO audit cycle. It bundles the documentation under Section 30, the notification processes under Section 32, the management training records under Section 38, and the registration under Section 33. Anyone who cleanly separates these four building blocks can quickly provide what would otherwise be scattered across an ISO folder structure in the event of supervision.

The pragmatic path for already certified companies leads to the goal in five steps. Check applicability under Section 28. Compare the ISO scope against the legally required operations. Conduct a structured gap analysis against the ten areas from Section 30, using the BSI mapping table as a checklist. Set up the notification process with clear deadlines and portal access. And actively involve executive management, with training and documented monitoring. The certificate provides a real head start. It does not relieve anyone of the statutory obligations.

Frequently Asked Questions

Each question is locked. Tap to unlock the answer.

Does Our ISO 27001 Certification Suffice to Be NIS2 Compliant?

No. The BSI explicitly states in its information package for the standard that certification does not mean NIS2 compliance. The certificate is a good foundation but does not replace the gap analysis against Section 30 and the additional obligations under Sections 32, 33, and 38.

Do We Have to Report Incidents If We Already Have ISO Incident Management?

Yes, separately under Section 32. An incident response process under ISO governs internal escalation, but it does not include a reporting channel to the authority. What is required is a process bridge that classifies a significant incident and triggers the deadlines of 24 hours, 72 hours, and one month.

Can We Submit the ISO Certificate to the BSI as Proof?

Not as proof of compliance. The supervisory authority examines Sections 30, 32, and 38 directly. The certificate can supplementarily document that a management system exists, but it does not replace statutory record-keeping.

What Must Executive Management Do Personally?

Section 38 requires implementation and monitoring of the measures as well as regular training; in addition, management is liable for culpable breach of duty. Signing the security policy alone is not enough. Training records and a documented monitoring process must be maintained separately.

Does ISO 27001 Cover the NIS2 Notification Obligation?

No. The BSI explicitly names the notification obligation under Section 32 as a point that the standard does not cover. An internal IR process and a statutory notification to the joint reporting office are two different things.

Editor’s Recommended Reading

Editor’s Picks

Editor’s PickNIS2 after the deadline: Now the BSI supervision beginsEditor’s PickNIS2 and Coordinated Disclosure: Out of the Grey AreaEditor’s PickThe emergency plan that nobody practiced.

More from the MBF Media Network

Digital ChiefsGeopolitics Meets the Data Center Roadmap: What CIOs Must Secure NowMyBusinessFutureEU AI Act from August 2026: What labelling obligations really affect SMEscloudmagazinXFS4IoT Meets the Cloud: The ATM Becomes a Platform

Further reading

News · July 2, 2026

When Attackers Are Faster Than the Patch

Between disclosure and exploitation of a vulnerability, only days often pass today. The State of Vulnerabilities Report 2026 reveals what matters now.

A magazine by Evernine Media GmbH