Audit, Certification & Compliance

Preparing audits, achieving certifications and understanding EU regulations

5 articles on this topic

From ISMS to successful certification and beyond

You have built your ISMS, created policies, analyzed risks and implemented measures. Now the question arises: how do you prove all of this? And how do you deal with the growing number of regulations that demand compliance evidence? Whether ISO 27001, TISAX, BSI IT-Grundschutz, SOC 2 or the newer EU regulations such as DORA, CRA and AI Act — audits and certifications are the moment of truth where it becomes clear whether your ISMS exists only on paper or is actually lived in practice. This topic page guides you through the entire audit and certification process and helps you navigate the regulatory landscape.

Internal audits: your early warning system

Before an external auditor arrives, you should take a close look yourself. Internal audits are not only a mandatory requirement of ISO 27001 but also your most important tool for identifying and addressing weaknesses early. A good internal audit systematically examines whether your documented processes are being followed in practice, whether implemented measures are effective, and whether there are gaps between the target state of your ISMS and the actual current state.

The biggest challenge with internal audits is objectivity. It is hard to critically evaluate your own work. That is why you should ensure that auditors do not audit their own areas. In smaller organizations, this might mean the IT manager audits data protection and the data protection officer audits IT. Alternatively, you can engage external auditors for internal audits, which can be particularly useful before an initial certification.

Management review: engaging executive management

The management review is the formal meeting in which executive management evaluates the performance of the ISMS. It is not a formality but a strategic management instrument. This is where internal audit results are discussed, metrics are analyzed, resource decisions are made and the strategic direction of the ISMS is reviewed. ISO 27001 defines specific inputs and outputs for the management review, and auditors carefully check whether these requirements are met.

Our article on the management review shows you how to prepare and conduct the meeting so that it meets the requirements of the standard while also delivering genuine value to executive management, because a management review perceived as a tedious obligation misses its purpose.

ISO 27001 certification: the process

Certification to ISO 27001 is a multi-stage process. In the Stage 1 audit, the certification auditor reviews your ISMS documentation for completeness and conformity. In the Stage 2 audit, which typically takes place a few weeks later, an on-site assessment verifies whether the ISMS is actually implemented and lived. The auditor conducts interviews with employees, reviews evidence and observes processes. If no major nonconformities are found, you receive the certificate, which is valid for three years and maintained through annual surveillance audits.

The most common stumbling blocks in certification are incomplete documentation, missing evidence for the effectiveness of measures, and insufficient employee awareness. Our article on the certification process specifically prepares you for these typical weaknesses.

Industry-specific standards and regulations

Beyond ISO 27001, there is a growing number of industry-specific standards and regulations. TISAX is the automotive industry standard and is often mandatory for suppliers. BSI IT-Grundschutz offers a detailed catalog of measures that is particularly widespread in the public sector and among critical infrastructure operators. SOC 2 is primarily relevant for technology companies and cloud service providers that need to demonstrate compliance to international clients.

At the EU level, new regulations are emerging: DORA regulates digital operational resilience in the financial sector, the Cyber Resilience Act imposes cybersecurity requirements on connected products, and the AI Act creates a legal framework for the use of artificial intelligence. All of these regulations have touchpoints with your ISMS, and a well-established information security management system is the best foundation for efficiently meeting the various requirements.

Understanding Annex A of ISO 27001

Annex A of ISO 27001:2022 contains 93 controls across four thematic areas: Organizational, People, Physical and Technological. For each of these controls, you must document in your Statement of Applicability whether it is relevant and how you implement it. Our article series on the individual Annex A areas explains each control group in detail and provides practical implementation guidance for mid-market companies. From information security policies through cloud services and business continuity to cryptography and secure development — each article bridges the gap between the abstract standard and concrete implementation in your organization.