ISO 27001 certification, simplified
Build and maintain your Information Security Management System with AI. Matproof automates risk assessments, control mapping, and evidence collection for ISO 27001:2022.
Key Features
Risk Assessment & Treatment
Automated risk identification, assessment, and treatment plans aligned to ISO 27001 Annex A controls.
Statement of Applicability
Auto-generate your SoA with justifications for each Annex A control. Keep it updated as your environment changes.
Control Implementation
Map your existing security controls to ISO 27001:2022 requirements. Identify gaps and track remediation.
Internal Audit Support
Streamline internal audits with pre-built checklists, evidence trails, and non-conformity tracking.
Continuous ISMS Monitoring
Keep your ISMS running with continuous control monitoring, management review dashboards, and improvement tracking.
Document Management
Version-controlled policies, procedures, and records. Full audit trail for every document change.
What is ISO 27001?
ISO/IEC 27001 is the world's most widely recognized international standard for information security management. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the standard specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The current version, ISO/IEC 27001:2022, replaced the previous 2013 edition with updated controls reflecting the modern threat landscape.
At its core, ISO 27001 follows a risk-based approach to information security. Rather than prescribing a fixed set of technical measures, it requires organizations to systematically assess their information security risks and select appropriate controls to mitigate them. This makes the standard applicable to organizations of any size, in any industry, and at any level of digital maturity. From a 10-person startup to a multinational bank, the framework scales to fit the organization's context.
The standard is structured in two main parts. Clauses 4-10 define the management system requirements: the organizational processes for governing information security, including leadership commitment, the risk assessment methodology, internal audits, and continual improvement. Annex A provides a reference list of 93 information security controls organized across four themes: Organizational, People, Physical, and Technological. Organizations determine the controls necessary to treat their assessed risks, compare that selection against Annex A to check that no necessary control has been overlooked, and record the result, with a justification for every included and excluded control, in a Statement of Applicability (SoA).
ISO 27001 certification is granted by accredited certification bodies (such as TÜV, BSI Group, or Bureau Veritas) following a successful two-stage audit. A certificate is valid for three years, with annual surveillance audits in between to verify that the ISMS is still operating as intended. The standard is recognized globally and is often a prerequisite for doing business with enterprises, government entities, and regulated industries, particularly in the European financial services sector, where supervisors reference it as a recognized framework when assessing ICT risk management under DORA, BAIT, and similar requirements. Certification alone does not discharge those regulatory obligations, which contain requirements the standard does not cover.
Who Needs ISO 27001 Certification?
ISO 27001 is relevant to any organization that handles sensitive information and wants to demonstrate a systematic approach to protecting it. While certification is voluntary, it has become a de facto requirement in many industries and business relationships. The following organizations typically pursue ISO 27001 certification:
Primary Sectors
- Financial services (banks, insurers, asset managers)
- Technology and SaaS companies
- Healthcare and life sciences
- Government and public sector contractors
- Professional services and consulting firms
- Telecommunications and energy
Business Drivers
- Customer and partner contractual requirements
- Regulatory compliance (DORA, NIS2, BAIT)
- Competitive differentiation in tenders and RFPs
- Cyber insurance requirements
- Board and investor expectations
- Supply chain security requirements
In Germany and the broader EU, ISO 27001 certification carries particular weight. Financial regulators like BaFin reference ISO 27001 as a recognized framework in their supervisory guidelines (BAIT, VAIT). Under DORA and NIS2, having an ISO 27001-certified ISMS provides a strong foundation for meeting these regulatory requirements, though additional measures are needed to fully comply. For ICT service providers serving financial institutions, ISO 27001 certification is often a non-negotiable prerequisite.
ISO 27001:2022 Key Requirements
1. Context of the Organization (Clause 4)
Organizations must understand their internal and external context, identify interested parties and their requirements, and determine the scope of the ISMS. This includes defining the boundaries and applicability of the management system, considering outsourced processes, interfaces with other organizations, and dependencies. The scope must be maintained as documented information; auditors will challenge a scope that excludes the systems customers actually rely on.
2. Leadership and Commitment (Clause 5)
Top management must demonstrate leadership and commitment to the ISMS by establishing an information security policy, ensuring ISMS objectives are compatible with strategic direction, integrating ISMS requirements into business processes, ensuring adequate resources, and promoting continual improvement. Management must assign roles, responsibilities, and authorities for information security and ensure that the ISMS achieves its intended outcomes.
3. Risk Assessment and Treatment (Clauses 6 and 8)
The risk assessment process is the cornerstone of ISO 27001. Organizations must define a risk assessment methodology with risk acceptance criteria, identify information security risks and their owners, analyze and evaluate those risks, and select appropriate risk treatment options. They then determine the controls necessary to implement the chosen treatments, compare them with Annex A to verify that no necessary control has been omitted, and record the result in the Statement of Applicability (SoA). A separate risk treatment plan assigns actions, owners, and timelines for those controls and must be approved by the risk owners, who also accept the residual risk. Risk assessments must be repeated at planned intervals and whenever significant changes are proposed or occur.
4. Annex A Controls: Organizational (37 Controls)
Organizational controls cover policies, roles and responsibilities, segregation of duties, contact with authorities, threat intelligence, information security in project management, asset management, access control policies, identity management, information classification, supplier relationships, cloud service agreements, ICT readiness for business continuity, legal and regulatory compliance, and information security reviews. New controls in 2022 include threat intelligence (A.5.7) and information security for cloud services (A.5.23).
5. Annex A Controls: People (8 Controls)
People controls address the human element of information security: screening and background verification, terms and conditions of employment, information security awareness and training, disciplinary processes, responsibilities after termination or change of employment, confidentiality agreements, remote working security, and information security event reporting. These controls exist because social engineering, credential misuse, and careless handling of information remain common causes of incidents, and they require systematic management rather than one-off training.
6. Annex A Controls: Physical (14 Controls)
Physical controls cover security perimeters, physical entry controls, securing offices and facilities, physical security monitoring, protection against environmental threats, working in secure areas, clear desk and clear screen policies, equipment siting and protection, security of assets off-premises, storage media management, supporting utilities, and cabling security. These controls protect physical infrastructure and environments where information is processed.
7. Annex A Controls: Technological (34 Controls)
Technological controls include endpoint security, privileged access management, information access restriction, secure authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and network security. New 2022 controls include data masking (A.8.11), data leakage prevention (A.8.12), and monitoring activities (A.8.16).
8. Internal Audit and Management Review (Clauses 9-10)
Organizations must conduct internal audits at planned intervals to verify that the ISMS conforms to requirements and is effectively implemented. Management reviews must evaluate the ISMS performance, including audit results, risk assessment status, and opportunities for improvement. The continual improvement clause (10) requires organizations to address nonconformities, take corrective actions, and continually enhance the suitability, adequacy, and effectiveness of the ISMS.
Consequences of Not Having ISO 27001
While there are no direct statutory penalties for lacking ISO 27001 certification, the business and regulatory consequences can be substantial, particularly in the European financial services sector:
- Financial institutions and enterprise clients increasingly require ISO 27001 as a baseline for vendor onboarding and contract renewal
- Regulators like BaFin reference ISO 27001 in guidelines (BAIT); lack of a recognized framework may trigger additional supervisory scrutiny
- Cyber insurance providers increasingly offer better terms and lower premiums to ISO 27001-certified organizations
- In the event of a data breach, an inability to demonstrate appropriate technical and organizational measures (GDPR Art. 32) weighs against the organization when supervisory authorities assess liability and fines (Art. 83)
Certification can also be suspended or withdrawn if an organization fails surveillance audits, does not close major nonconformities within the required timeframe, or allows the ISMS to deteriorate. Customer and partner contracts that require certification typically oblige the organization to disclose its loss, which can damage business relationships and market reputation. Maintaining continuous compliance is therefore essential, not just for the initial certification but throughout the three-year cycle.
How to Get ISO 27001 Certified
ISO 27001 certification follows a structured process from initial scoping through to the certification audit. Here is a step-by-step roadmap:
1. Define Scope and Establish ISMS
Determine the boundaries of your ISMS: which business units, locations, systems, and processes are included, and which interfaces and outsourced processes fall inside or outside them. Draft the information security policy, define ISMS objectives, and secure management commitment and resources. The scope should be meaningful to your business and aligned with stakeholder expectations.
2. Risk Assessment and Statement of Applicability
Conduct a systematic risk assessment to identify threats, vulnerabilities, and impacts to information assets. Evaluate risks against your risk acceptance criteria and determine treatment options (mitigate, accept, transfer, avoid). Determine the controls needed for the chosen treatments, compare them against Annex A, and document the Statement of Applicability (SoA), justifying both included and excluded controls. Record the treatment plan and residual risk acceptance separately, with risk-owner approval.
3. Implement Controls and Documentation
Implement the selected controls across all four themes (Organizational, People, Physical, Technological). Create the required documentation, including policies, procedures, and records. Ensure controls are operational and that evidence of their effectiveness is being collected; the Stage 2 auditor verifies operation, not just documentation. Address both technical measures and organizational processes.
4. Internal Audit and Management Review
Conduct at least one full internal audit of the ISMS before the certification audit, covering all clauses and the applicable Annex A controls, using auditors who are independent of the areas they audit. Hold a formal management review to evaluate ISMS performance, audit findings, risk assessment results, and improvement opportunities. Address all nonconformities before the external audit.
5. Stage 1 and Stage 2 Certification Audit
The certification audit is conducted in two stages by an accredited certification body. Stage 1 is a documentation and readiness review: the auditor assesses ISMS documentation, scope, and whether the organization is ready for Stage 2. Stage 2 is the main audit: the auditor verifies that controls are implemented and effective through interviews, evidence review, and observation. Major nonconformities must be closed, with verified corrective action, before certification is granted; minor nonconformities require an accepted corrective action plan.
6. Maintain and Improve (3-Year Cycle)
After certification, maintain the ISMS through continuous monitoring, regular risk reassessments, and annual surveillance audits (years 1 and 2). At the end of the three-year cycle, undergo a recertification audit. Use Matproof to automate evidence collection, track control effectiveness, and maintain audit readiness year-round, reducing the burden of surveillance and recertification audits.
Frequently Asked Questions about ISO 27001
What is ISO 27001?
ISO/IEC 27001 is an international standard for information security management systems (ISMS). Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a systematic approach to managing sensitive company information through risk management processes. The current version is ISO/IEC 27001:2022, which updated the 2013 edition with a restructured set of 93 controls across 4 themes.
What is the difference between ISO 27001:2013 and ISO 27001:2022?
The 2022 revision restructured Annex A controls from 114 controls across 14 domains to 93 controls across 4 themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). It also introduced 11 new controls covering areas like threat intelligence, cloud security, ICT readiness for business continuity, and data masking. Organizations certified to the 2013 version must transition to the 2022 standard by October 31, 2025.
How long does ISO 27001 certification take?
The timeline depends on organization size and maturity. A small company (under 50 employees) with some existing security practices can typically achieve certification in 3-6 months. Larger organizations may need 6-12 months. The process includes ISMS development, risk assessment, control implementation, internal audit, management review, and a two-stage external audit. Matproof's automation platform can reduce this timeline by 40-60%.
How much does ISO 27001 certification cost?
Costs depend on organization size, scope, and the certification body chosen. For a small company, expect EUR 15,000-30,000 total (including consulting, implementation, and audit fees). Medium organizations may spend EUR 30,000-80,000. The certification audit itself typically costs EUR 5,000-15,000 for small companies and EUR 15,000-40,000 for larger organizations. Annual surveillance audits cost roughly 30-50% of the initial certification audit.
Is ISO 27001 mandatory?
ISO 27001 is not legally mandated in most jurisdictions. However, it is often required by customers, partners, and regulatory frameworks. In the EU financial sector, regulators like BaFin expect financial institutions to maintain information security management aligned with recognized standards, and ISO 27001 is the most commonly referenced. Many organizations include ISO 27001 certification as a prerequisite in procurement processes, particularly in financial services, healthcare, and government contracts.
What is the relationship between ISO 27001 and ISO 27002?
ISO 27001 defines the requirements for establishing, implementing, and maintaining an ISMS; it is the certifiable standard. ISO 27002 provides detailed implementation guidance for the Annex A controls referenced in ISO 27001 and uses the same control numbering. Think of ISO 27001 as the 'what' (requirements) and ISO 27002 as the 'how' (guidance). Only ISO 27001 can be audited and certified against; ISO 27002 is a supporting reference document.