ISO IEC 27001 Certification Mark

Adding value with our service portfolio

Adding value with our service portfolio


Management system certification / Voluntary assessment

Basis for Certification (certification standard):

International standard ISO IEC 27001 (requirements for Information Security Management Systems)

Standard owner:

ISO International Organization for Standardization


What does the standard ISO IEC 27001 cover?

The standard ISO IEC 27001 defines the requirements for a certifiable information security management system (ISMS) of an organisation. This includes, but is not limited to:

  • The organisation has established a suitable information security management system, including mechanisms for risk identification, self-assessment, preventive and corrective actions and continuous improvement.
  • The organisation has defined a plausible security level for the information processed by the organisation.
  • Within the scope of risk assessment and management, the organisation has identified and implemented suitable measures to ensure information security.

  • What does “certification” and/or the issue of a certification mark for ISO 27001 by TÜV SÜD Management Service GmbH mean?
    • The customer has submitted to voluntary assessment (audit) according to defined criteria (certification standard).
    • A certificate and/or the authorisation to use a certification mark is only issued if the assessment (audit) does not reveal any major nonconformities with the requirements of the certification standard.
    • The certificates and/or certification marks are valid for a restricted period of time. Interested parties can check the validity of individual certificates in the certificate database of TÜV SÜD Management Service GmbH.
    • To maintain certificate validity, the certificate holder must annually complete an announced audit with a positive result.
    • Unannounced audits are possible in specific cases.
  • How do we audit?

    Independent and qualified experts (auditors) apply the following auditing techniques:

    • Document review:
      Evaluation of the organisation’s requirements and/or documentation to ensure the systematic control of all processes relevant for information security.

    • On-site-audit:
      Verification, in the form of interviews and on-site inspection at the customer's premises, that the above requirements are effectively implemented in practice. Random on-site checks of processes based on records, such as available measurement results, minutes of meetings, training and qualification records, technical realisation, and records related to defined objectives and the resulting improvement projects.
  • What is beyond the scope of certification according to ISO 27001?
    • Certification according to ISO 27001 does not constitute product certification. Certification thus does not provide any direct statements on the quality of a product or service of the certified customer. Certification according to ISO 27001 does not mean that the company manufactures products or provides services of higher quality.
    • Certification according to ISO 27001 does not mean that a company's information / data cannot be lost, cannot be unlawfully altered or can be accessed at the right time, even though these are key objectives of the information security management system
    • A certification does not confirm that the technical and organizational measures taken by the company are functioning without errors



Management System Certification Marks

Explore here our certification marks

Learn More

Next Steps

Site Selector