Security concept, audit & implementation



With the ISO/IEC 27001 certification, you demonstrate the proper design of an information security management system (ISMS) in your company. The advantages of such certification are numerous. The original text of the standard is rather unwieldy. We provide you with expert and professional advice on the requirements and are happy to support you with the implementation.

Areas of application for ISO 27001

What information do you want to protect in your company, organization or institution? That is the key question.

The ISO 27001 specifications do not specify any fixed areas of application for information security per se. Instead, the standard requires you to define (at least) one area of application yourself.

You therefore decide for yourself in which areas of your company you want to implement the ISO standard and determine the relevant topics. These may primarily be external factors such as security updates for your software, innovations in data protection, cyber attacks or new security technologies. However, internal topics are just as possible, e.g. securing data and information in the home office, a secure in-house WLAN or the security of production facilities.

ISO 27001 can be used company-wide or limited to specific processes, departments or teams. The requirements of the standard demand that you take into account the interests of all groups involved and coordinate the management of information security accordingly.

To determine the scope of ISO 27001 in your company, you need to analyze which specific threats exist, which areas in your organization are affected and which requirements need to be taken into account in order to protect them.

Important: ISO 27001 requires the creation of a document in which you define the scope of application.

This is how you describe the ISO 27001 scope:

  • Context of the organization (internal and external topics)

  • Requirements/interested parties

  • Interfaces with the outside world

  • Dependencies between ISMS and the outside world

  • Location description

Organizational units (organizational charts)

Defining the scope for ISO 27001 may seem quite complex at first, but it is very helpful for understanding the necessary security requirements and focusing on the really key issues. ISO 27001 supports you not only in protecting your sensitive data, but also in recognizing it.

Benefits of ISO 27001 Certification for Your Business

What is the value of a complex, automated network monitoring system if the door to your data center is not locked? The preparatory work for certification already provides you with important insights into central procedures and processes.

As ISO 27001 also prescribes internal controls and regular audits, a positive error culture is implemented: security deficiencies are rectified immediately and constant optimization ensures a high level of data security in your company. This flows into your customer relationships as direct added value – as a marketing asset and unique selling point, but also as a basis for trusting cooperation with business partners.

Your internal organization is also strengthened by the enforced definition of roles and responsibilities; this is especially true for companies that have grown considerably.Last but not least, consistent enforcement of data security in the company also ensures a long-term reduction in costs – on the one hand through fixed processes that can be used as an efficient guide for recurring procedures, and on the other hand through the avoidance of security-related incidents. Whether it’s a failed telephone system or a warning for non-compliance with data protection guidelines, such unplanned costs can be considerable.

Benefits of ISO 27001:

  • Continuous information security
  • Compliance (proof of legal requirements)
  • Safety as a corporate culture
  • Marketing strategy
  • Cost reduction
  • Risk minimization
  • Reduction of liability
  • Worldwide recognition

Typical handover objects in IT emergency management are essentially the required documents from BSI Standard 100-4, the guideline for emergency management (if applicable as a guideline in the ISMS):

  • the emergency preparedness concept
  • the Business Impact Analysis (BIA)
  • the risk analysis
  • the emergency manual

In addition, an exercise manual, an exercise plan, exercise concepts and protocols as well as a training and sensitization concept for your company are created. Reports, logs and other recording aids also serve as supporting documents or bases for decisions.

The emergency plans provided also give you specific instructions for action with the aim of minimizing possible downtimes of your IT systems and IT applications so that regular operations can be resumed promptly in the event of a malfunction.

A strong partner – always at your side

Your Professional ISO 27001 Standard Consulting from CYBER CURRICULUM®

Certification to the ISO 27001 standard is not only relevant to your company’s security, but also brings many other advantages in a highly competitive market. The requirements of the standard are extensive and not very user-friendly. In addition, their implementation requires a high level of willingness on the part of both management and employees to change familiar processes, procedures and responsibilities. We offer you our professional support so that you do not fail to meet these requirements and hurdles.

The implementation of ISO 27001 can only succeed if it follows a stringent concept. This requires sufficient resources. Allow several months for preparation and implementation. Initially, it may be easier to implement the requirements of ISO 27001 in a single area.

The first step in implementing an ISMS is to define its scope. It is just as important for management to define an information security policy.

Risk assessment and risk treatment are the most complex steps in ISO 27001 implementation. In the risk assessment report, you document all measures that you have carried out during the risk assessment and treatment. Unacceptable risks must be controlled and reduced as far as possible. You need a permit for any residual risks.

In the Statement of Applicability, you list all the controls that you will use to back up your data. ISO 27001 provides a total of 114 possible controls. Even if you do not need all of them, you must explain which mechanisms you want to use and why, and which you do not want to use. The associated objectives must also be documented in each case.

The risk treatment plan is used to implement the defined controls. This implementation plan defines who is to carry out which control when and with which budget, to whom it is to be reported, etc. The more precise you are here, the easier it will be to measure the effectiveness of the controls later on.

Based on this documented information, four mandatory data security procedures are now implemented in your company: Document management must define how documents are distributed, utilized, filed, stored, etc. within the company. A procedure for internal audits regulates responsibilities and accountabilities, reports and their storage. A management review process must be defined to ensure that the management level regularly reviews the ISMS. Finally, you need to define how your company will deal with any errors and corrective measures found in the course of all these checks.

Both BSI and ISO 27001 are standards for the security of data and information. Every company has a duty to ensure the security of its data and the data of its customers.

BSI IT baseline protection goes a step further than the requirements of ISO 27001. This provides you with a compendium of requirements, implementation measures and risks, enabling you to implement data protection in even greater detail and intensity. However, the BSI basic protection is only recognized as a security standard within Germany. For this reason and due to its high level of detail, it is primarily implemented by authorities and institutions that handle extremely sensitive data. However, companies from the security sector and critical sectors are also increasingly using BSI basic protection on the basis of ISO 27001.

As soon as your company becomes internationally active, serving customers or website visitors from abroad, the internationally recognized ISO 27001 is an indispensable “state of the art” licensing.

It is also possible to combine both standards: Implement ISO 27001 company-wide and apply BSI basic protection in individual, highly sensitive areas. Although the introduction of an ISMS is the basic prerequisite for certification for both standards, different reference documents must be created for each. So you have to decide at the beginning of the process which direction you want to take.

Your benefits

Design, implementation and expansion in accordance with ISO 27001

At CYBER CURRICULUM®, highly qualified security experts with the relevant certifications work for you.

Individualized templates for your company

We create an IT security concept tailored to your situation, optimized according to cost/benefit effects.

Supporting the conception and planning of measures

We guide you step by step through the ISO 27001 certification process and provide targeted support where it is necessary and desired.

Support and
accompanying audits

Our experienced experts will be happy to assist you with data security audits to ensure efficient and successful certification in accordance with national and international standards.

Training & education for your employees

We guide you step by step through the ISO 27001 certification process and provide targeted support where it is necessary and desired.

Implementation of documentation

Stringent documentation of all measures is required to ensure that the ISMS can be monitored, and we work with you to develop the basis for this.

Have we caught your Attention?

Are you ready to secure your organization?

At CYBER CURRICULUM®, we guide you step by step through the design and implementation of ISO 27001, train your team, and lead you successfully to certification. Arrange a consultation with our experienced IT security experts now.