Key takeaways:
- Since October 31, 2025, only ISO/IEC 27001:2022 is eligible for certification. Certificates based on the old 2013 version have lost their status.
- The path to certification realistically takes six to eighteen months and costs between 25,000 and over 120,000 euros, depending on size – excluding audit fees.
- The external audit is conducted in two stages: first the documentation (Stage 1), then the actual practice on-site (Stage 2). The certificate is then valid for three years.

Since December 2025, around 29,500 companies in Germany have been required to demonstrate that they manage information security systematically. For most, the most direct path to compliance is ISO 27001. ISMS certification according to this standard serves as externally verified proof—issued by an accredited body and valid for three years. This article outlines the process, provides realistic costs and timelines, and explains what has been in effect since the end of the 2025 transition period.
What are the benefits of ISMS certification?
ISMS certification according to ISO 27001 confirms that a company manages information security systematically, as verified by an independent, accredited body. The audit does not focus on individual firewalls, but rather on the entire management framework: scope, risk processes, measures, and their continuous improvement. The certificate is proof of governance, not a technical security certificate.
The practical benefits are most evident in sales and supply chain management. In tenders and supplier audits, the certificate shortens the discussion from "How do you secure our data?" to a single piece of evidence. Without a certificate, many customers require their own security checks – and each one costs weeks of internal preparation.
Then there is the regulatory leverage. According to the BSI , a management framework built on ISO 27001 covers NIS-2 requirements by approximately 70 to 80 percent. Once you are properly certified, you can build further compliance evidence, such as DORA or TISAX , on this foundation—instead of starting from scratch for every set of regulations. The certificate thus becomes the common foundation for multiple compliance topics.
Internally, the process also pays off. The risk analysis forces an honest assessment of the status quo—often revealing where responsibilities or documentation are lacking. The certificate is therefore less of a goal and more of a byproduct of well-organized security operations.
Who actually needs this proof?
The standard applies regardless of industry or company size. Nevertheless, it is clear who needs this proof most urgently in practice. Most affected are companies whose customers or regulators expect proof of security.
Typical cases include IT and SaaS service providers, suppliers to large corporations, and operators in regulated sectors. In the IT sector, the majority of all issued certificates are already driven by this specific customer expectation. Anyone wanting to bid in such tenders can hardly avoid certification. If this proof is missing, a provider is often eliminated during the pre-selection phase – even before price or performance are considered.
Why is demand rising in 2026?
The trigger is NIS-2. With the NIS2 Implementation Act, which has been in effect since December 6, 2025, the number of regulated entities in Germany is growing from around 4,500 to approximately 29,500. Many of these companies need structured proof of their information security for the first time – and are turning to the established standard to provide it.
At the same time, pressure from the private sector is increasing. Corporations, banks, and insurers are increasingly demanding this proof as a prerequisite for doing business. Our overview shows just how closely ISO 27001 and the new legal requirements are linked: NIS-2 obligations and their verification. The trend is clear: yesterday's competitive advantage is becoming tomorrow's entry requirement.
However, implementation is lagging behind. By the March 2026 deadline, only about 11,500 of the estimated 29,500 affected companies had registered with the BSI. More than half are behind schedule – and in 2026, this backlog will collide head-on with the already limited capacity of auditing bodies.
What is the ISMS certification process?
The path to certification follows a set pattern. There are eight steps between the initial kick-off and the issuance of the certificate:
- Gap analysis – the current state is measured against the 93 controls in Annex A and chapters 4 through 10 of the standard. The result is a prioritized action plan.
- Define the scope – which locations, processes, and systems the certificate covers. A clearly defined scope saves effort later on.
- Assess risks – information assets are identified, risks are assessed, and appropriate measures are assigned.
- Statement of Applicability (SoA) – this mandatory document records which measures apply and which are excluded with justification.
- Implement and operate – policies, roles, and technical measures are applied in day-to-day operations. Only when they are actively practiced is it worth approaching the audit body.
- Internal audit – the organization audits itself and conducts a management review before external auditors arrive.
- Stage 1 – Document review – the external auditor reviews the documentation for completeness and identifies initial gaps.
- Stage 2 – On-site audit – now the audit body checks whether practice matches the documentation: interviews, spot checks, and active processes.
If the company passes Stage 2 without any major non-conformities, the audit body recommends certification. The certificate is then valid for three years – secured by annual surveillance audits and a re-certification at the end of the cycle. You are free to choose from accredited certification bodies such as TÜV, DEKRA, or DQS. The requirements of the standard are identical everywhere, but fees and procedures vary.
Stage 1 and Stage 2 intentionally audit different things. The first appointment clarifies whether the documents are complete; the second, whether they are actually practiced in day-to-day operations. Experience shows that Stage 1 already uncovers five to twenty-five minor points that must be closed before the on-site appointment. If the audit body finds a major non-conformity, the recommendation is put on hold until it has been resolved. Document any minor deviations in a corrective action plan and address them during ongoing operations.
How much does ISMS certification cost and how long does it take?
There is no flat rate, but there are reliable ranges. Total costs are divided into two blocks: the effort required for implementation and the fees charged by the auditing body.
For preparation (internal effort plus external consulting), the following rough estimates apply:
- Small, clearly defined scope: approximately 25,000 to 50,000 euros
- Mid-sized organization: about 50,000 to 120,000 euros
- Large corporation with complex infrastructure: 150,000 euros and up
In addition, there are external auditing fees of approximately 6,000 to 35,000 euros per three-year cycle, depending on the number of employees, locations, and industry risk. The largest cost factor is almost always the internal implementation, not the audit itself.
The timeline depends on your level of maturity. A small company with solid preparatory work can complete it in four to six months. A mid-sized company without a head start needs nine to twelve months, and a corporation often longer. One factor is regularly underestimated: accredited auditing bodies are often booked out three to six months in advance – so schedule your appointment early.
You can reduce the effort. If you already have TISAX, BSI IT-Grundschutz, or SOC 2 in place, you have already covered 30 to 60 percent of the requirements. Cloud providers also handle some of the technical evidence through their own certifications – provided that responsibilities are clearly defined. Using vetted templates also saves you from having to write every policy from scratch.
What changed with the 2022 standard?
If you are still relying on figures from older guides, be careful. The frequently cited "114 controls in 14 categories" come from the 2013 version – and that is history.
Since October 31, 2025, the transition period has expired. Certificates based on ISO 27001:2013 have lost their accreditation status; in regulated industries, this is equivalent to losing your certification. Only the ISO/IEC 27001:2022 version is eligible for certification. If you missed the deadline, you will need a new initial audit instead of a simple recertification.
The content of Annex A, in particular, has been restructured:
- Instead of 114, there are now 93 controls, organized into four themes instead of fourteen: organizational (37), people (8), physical (14), and technological (34).
- Eleven controls are new and address risks that were barely a factor in 2013 – such as cloud security, threat intelligence, and data masking.
- The main section (Chapters 4 to 10) now additionally requires that planned changes be consciously managed and documented.
In practice, this means fewer but more precisely defined controls. This reduction is not a weakening – many old points have simply been consolidated.
What evidence does the audit body require?
On-site, theory is separated from practice. During the Stage 2 audit, auditors look not only at whether documents exist, but whether the underlying processes are actually being followed. The most common reason for findings is documentation that does not match reality.
For technical verification, companies need a reliable overview of their IT. This includes:
- Hardware and software inventory, including licenses
- User rights and access controls
- Proof of patch and update status
- Network diagrams and system dependencies
This is exactly where many fail when it comes to being up to date: in practice, an overview that is more than three months old is considered unreliable. And the pressure doesn't end with the certificate – every annual audit requires up-to-date data all over again. An automatically maintained IT documentation as a reliable foundation removes this recurring pressure from the process. Software-based tools like Docusnap for inventory, risk assessment, and emergency manuals provide the necessary evidence at the push of a button – instead of having to manually compile it before every audit.
ISMS certification: Which mistakes cost the most time?
Most delayed procedures can be traced back to a few patterns:
- Going to the auditor too early. If you only have processes on paper, you will receive findings during the on-site visit. Live them first, then get them audited.
- Defining the scope too broadly. An overly large scope unnecessarily extends the setup and audit process. It is better to start small and clean.
- Forgetting the auditor's capacity. If you request an appointment late, you will be waiting for months.
- Treating the Statement of Applicability as a mere formality. Anyone who marks all 93 controls as "applicable" without review will immediately stand out to any experienced auditor.
The most important practical advice: Treat the path to certification as a project in its own right – with dedicated resources and a timeline, not as a side task to your daily business.
FAQs
Audit-proof documentation without manual labor
Docusnap automatically inventories your IT and keeps your audit documentation up to date at all times. Instead of scrambling for data before every audit, you can generate reports at the push of a button. This ensures you are fully prepared for Stage 1 and Stage 2.
Test Docusnap for free now!
