What Is ISO 27001? Definition, Certification, and Differences
What is ISO 27001? ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It sets out requirements for organizations to plan, operate, monitor and improve information security. A certificate confirms an audited management system and process maturity. It is not proof that systems cannot be technically compromised. The current version is ISO/IEC 27001:2022.
Key Takeaways
- Scope: international standard for an Information Security Management System (ISMS), certifiable by accredited auditors.
- Core: the certificate confirms an audited management system and process maturity. It is not proof of technical invulnerability.
- Driver: key customers increasingly demand the certificate from suppliers and thus shape supply chains.
What ISO 27001 actually means
ISO/IEC 27001 is the international standard for an information security management system, short ISMS. It defines how an organization systematically plans, operates, monitors and improves information security. The standard follows the Plan-Do-Check-Act cycle and demands a risk-based approach. It is the most widely used standard worldwide for an ISMS and is established in many industries.
Annex A of the ISO/IEC 27001:2022 version
four topic areas instead of 14 chapters
The current version ISO/IEC 27001:2022 fundamentally revised Annex A. The control measures are now grouped into four topic areas: organizational, personnel, physical and technological Controls. Overall, Annex A comprises 93 Controls. The transition period for certificates under the predecessor version ISO/IEC 27001:2013 ended on 31 October 2025. Those who are already certified or seeking a new certificate are moving to the 2022 version.
What the Certificate Really Means
The ISO-27001 certificate is a management system certification. It attests that an organization has implemented an ISMS that meets the standard’s requirements and has been audited by an independent, accredited body. The process maturity is evaluated: Is there a risk analysis? Are the defined controls effective and is the system regularly monitored?
What the certificate does not attest to is technical invulnerability. A certified company can still fall victim to an attack. The standard requires systematic risk management, not a fixed set of specific technical measures. ISMS security and checklist security are different things: A completed audit is not equivalent to a penetration test.
In practice, this gap often leads to unmet expectations. A certified company can be hit by a zero‑day exploit or become a victim of a social‑engineering attack. Conversely, a perfectly configured firewall offers little protection if there is no documented risk analysis and clear responsibilities.
The Path to Certification
Certification proceeds in two stages. The Stage 1 audit examines the documentation: are all components of the ISMS fully described and matched against the standard’s requirements? The Stage 2 audit assesses on‑site implementation, using spot checks of processes and documentation.
Upon successful completion, the certification body issues the certificate. It is valid for three years. During this period, annual surveillance audits are conducted to ensure that the ISMS continues to meet the requirements. After three years, re‑certification takes place, re‑opening the cycle.
Differentiation from Related Terms
In the German-speaking region, ISO 27001 has two key reference points. The first is BSI IT Basic Protection. IT Basic Protection is the German approach to an ISMS and is published by the Federal Office for Information Security (BSI). It is compatible with ISO 27001 and in many points more detailed. A combined certificate is possible: an ISO 27001 certificate based on an IT Basic Protection analysis. Those who require very detailed specifications often find IT Basic Protection to be the more direct path.
The second reference point is NIS2. The directive requires affected companies to implement risk management and provide evidence of its effectiveness. ISO 27001 helps demonstrate a functioning risk management system. However, the standard does not replace statutory compliance. Entities covered by NIS2 must meet the specific requirements of the national implementation law. The certificate is just one component, not an automatic proof of compliance.
Why Companies Pursue the Certification
A strong driver in practice is supply chain requirements. Large customers increasingly demand the ISO/IEC 27001 (International Organization for Standardization – Information Security Management) certification from their suppliers, often as proof in tenders and supplier audits. Those who cannot provide the certification lose contracts or receive less attractive terms. This B2B effect resonates deeply throughout the value chain.
For IT managers and CISOs, the certification serves both as protection and a lever. It compels documented risk analysis, clear responsibilities, and a demonstrable improvement process. At the same time, it opens doors in tenders and new customer acquisition. When used as an operational control instrument, it provides a framework for demonstrable security.
Frequently Asked Questions
Every question is locked. A tap unlocks the answer.
What is ISO/IEC 27001:2022?
ISO/IEC 27001:2022 is the current version of the standard. It revises Annex A and organizes the control measures into four topic areas instead of the previous 14 chapters.
Does an ISO-27001 certification guarantee security?
No. The certificate attests to an audited management system and thus process maturity. It is not proof that systems cannot be technically compromised.
How does an ISO-27001 certification work?
The certification is carried out in two stages: Stage 1 reviews the documentation, Stage 2 verifies on-site implementation. The certificate is valid for three years, with annual surveillance audits and a recertification after three years.
Does NIS2 require ISO-27001 certification?
No. NIS2 mandates risk management but does not set a specific standard. ISO 27001 helps demonstrate such risk management, but does not replace statutory compliance under NIS2.
How does ISO 27001 differ from BSI IT baseline protection?
BSI IT-Grundschutz represents the German approach to an ISMS and, in many respects, offers greater detail. The two methodologies are compatible. An ISO‑27001 certification can be granted on the basis of an IT‑Grundschutz assessment.
Editor’s Picks
Editor’s PickWhat Is NIS2? Definition, Obligations, and LiabilityEditor’s PickWhat Is the CRA? Obligations for Digital ProductsEditor’s PickWhat Is DORA? Definition, Obligations and Deadlines
More from the MBF Media Network
MyBusinessFutureThe AI oversight in Germany now has an addressDigital ChiefsCyber Insurance 2026: Premiums Doubled, Coverage Halved – The Calculation No CFO Wants to See




