essendi it GmbH has been ISO 27001 certified for almost exactly one year now. The audit was carried out by the Certification Centre Security (CCSEC certification body of Würth IT GmbH). The external ISO 27001 auditor certified the successful implementation of an Information Security Management System (ISMS) for the “IT Security and xc, IT Administration and Operations” business unit.
We asked Denis Flegel, ISB at essendi it, about the requirements, procedures and benefits of an ISMS.

"ISO 27001 enables us to improve security standards, ensure the protection of sensitive data and ultimately increase our organisation's resilience to security threats." - Denis Flegel, ISB


What is ISO 27001 and what does an ISB do?

ISO 27001 is an international standard for Information Security Management Systems (ISMS). It specifies requirements for the introduction, implementation, maintenance and continuous improvement of a documented ISMS. It aims to ensure information security in organisations by identifying and assessing risks and implementing appropriate controls to manage those risks.
An ISB, or Information Security Officer, is the interface between all internal and external departments. The ISB is responsible for ensuring that security policies are developed and implemented. As part of risk management, the ISB assesses potential security risks and their anticipated impact on the organisation.
They are often also responsible for ISO 27001 training and employee awareness.

How do you go about getting this kind of certification?

We initially tried to do the certification without a consultant. We quickly realised that although this was feasible, it required a lot of time and resources. In addition, it is initially difficult to implement and document the actions identified, as required by the external audits, without a consultant.
We therefore decided to appoint Kramer and Crew as an external service provider. This worked very well from the start. We were introduced to the ISO 27001 audit step by step.
Basically, there are four steps that need to be implemented:
1) Define the process
2) Document the process
3) Live the process
4) Prove that you live it.

What was your approach?

We first identified the requirements specified in the international standard. Again, working with the consultancy was an advantage. The standard is sometimes written in very general terms. It is therefore not always clear how to implement the requirements in practice.
The people at Kramer & Crew know the requirements of ISO 27001 inside out. They were therefore able to give us valuable advice and provide us with tailor-made templates.
The next step was to analyse the current situation of our company. We had already implemented many of the issues prior to ISO 27001 for data protection and compliance reasons and were already living the processes.
The next step was a gap analysis. We used this to identify the gaps between the target and actual status:

  • Is the level appropriate for all areas of information security?
  • What are the minimum standards?
  • Are all the audit mechanisms and information security controls in place?
  • And most importantly, is everything adequately documented?

In our case, one of the main tasks was actually to put everything in writing.

How did you organise the co-operation?

We drew up a project plan with all the outstanding issues and prioritised them. We then had a coordination meeting with Kramer & Crew every two weeks. The results were discussed and the next topics and steps were determined.

How much does it cost to become ISO 27001 certified?

Unfortunately, that is hard to say.
First of all, it depends on the size of the company. Or whether you use ISO 27001 software. And also the scope of the ISO 27001 consultancy.
There are consultancies that will do it all for you. You can buy a “complete ISO 27001 package” from them. But it is your own company that has to live the processes, not the consultant. During the certification audit at the latest, the auditor will immediately notice who has implemented the ISMS.
It is therefore better to develop the processes yourself and make them fit the organisation.
The cost of the external auditor’s audit and the ISO 27001 certificate is usually a fixed price. These may be quoted by the certification bodies.

How can you find the ideal consulting agency?

We found Kramer & Crew through a recommendation. We were looking for a pragmatic approach. Someone who would provide us with knowledge so that we would only need to call on support selectively in the medium term. My tip is to ask other companies, for example a customer or supplier with ISO 27001 certification.
There are also contact points through the BSI where companies can offer advice.
And of course you can find out more at trade fairs, such as it-sa in Nuremberg.

What advice do you have for companies considering internationally recognised quality certification?

If possible, look for a partner who has already achieved ISO or BSI baseline protection certification. Or a professional who knows exactly how to implement the required processes easily.
And the goal is important. There are always many ways to get there. It is up to you to decide which is the right one for you and your organisation.

What are the benefits of being certified?

The ISO specifies a set of measures that, for example, make it more difficult for attackers to gain unauthorised access. Processes and responsibilities must also be documented. All this can help in the event of a security incident. You will notice the attack sooner.
The mandatory emergency plan defines the procedure and security measures. So you know immediately what to do. This is a great help in a stressful situation.
You can prove that all important security policies have been followed. This means reassurance for customers and other interested parties, for example with regard to data protection, data security and the requirements of the GDPR. Certification is also becoming increasingly important as proof for tenders.

What are the next processes essendi it will deal with?

After receiving our recertification to the old standard in February, we are now due to move to ISO IEC 27001 2022. This will take place over the course of the year so that we are ready for the new standard in 2025. Many new topics have been added, particularly in the area of server administration. And the nomenclature of Annex A has changed completely, so we need to reclassify existing processes.