Advantage Through Knowledge and Experience
ISO 27001 · DACH Region & International · 2026

ISO 27001 Consulting –
Your ISMS. Certified. Secure.

CONSUVATION GmbH guides you from the first step through to certification according to ISO/IEC 27001:2022 – and beyond. With more than 25 years of ISMS experience, our own correlation matrix, and 100% senior consultants. For the DACH region and international clients.

25+ years of ISO experience
93 controls in ISO 27001:2022
BS 7799: first certified auditors
ISO 27001:2022 certified
BS 7799 – first auditors in Germany
TISAX · CADIS · NIS2
100% senior consultants
DACH region & international
Proprietary correlation matrix

Quick Check

Does Your Company Need ISO 27001?

Find out in 30 seconds whether and why ISO 27001 is relevant for your company – free & without registration.

ISO 27001 Relevance Check

Based on ISO/IEC 27001:2022 · As of: June 2026 · Reviewed by CONSUVATION experts

At a Glance

What Is ISO 27001?

ISO/IEC 27001 is the world's leading standard for information security management systems (ISMS). It defines how companies systematically manage, monitor and continually improve information security.

The current version, ISO 27001:2022, restructures Annex A into 93 controls across 4 themes (instead of 114 controls in 14 domains) and adds 11 new controls covering, among others, cloud service security, threat intelligence and data masking.

ISO 27001 is the reference point for many related frameworks: TISAX and CADIS build on its control set, while NIS2, IEC 62443 and BSI IT-Grundschutz reference it or are aligned with it.

🏆 CONSUVATION – Pioneers Since BS 7799

Our consultants were among the first certified BS 7799 auditors in Germany – the direct precursor to ISO 27001. This foundational expertise combined with current practice makes us one of the most experienced ISO 27001 consulting firms in the DACH region.

ISO 27001:2022 – Annex A

The 4 Themes with 93 Controls

ISO 27001:2022 fundamentally revised the controls. Instead of 114 controls in 14 categories, there are now 93 controls across 4 clearly structured themes – including 11 new controls.

Theme A.5

Organisational Controls

Information security policies, roles & responsibilities, threat intelligence, information security in projects, cloud usage, business continuity and more.

37 Controls

Theme A.6

People Controls

Screening of employees, information security awareness, training, disciplinary processes, confidentiality agreements and remote working.

8 Controls

Theme A.7

Physical Controls

Physical security perimeters, offices & facilities, physical security monitoring, protection against physical threats, working in secure areas, clear desk & screen.

14 Controls

Theme A.8

Technological Controls

Endpoint security, privileged access, cryptography, secure software development, data masking, data leakage prevention, monitoring, web filtering and more, including 7 of the 11 new controls.

34 Controls

11 New Controls

New in ISO 27001:2022: Threat intelligence (A.5.7), Information security for use of cloud services (A.5.23), ICT readiness for business continuity (A.5.30), Physical security monitoring (A.7.4), Configuration management (A.8.9), Information deletion (A.8.10), Data masking (A.8.11), Data leakage prevention (A.8.12), Monitoring activities (A.8.16), Web filtering (A.8.23), Secure coding (A.8.28).

Our Approach

From Gap Analysis to Certification

Structured, predictable and without surprises – our proven approach guides you reliably to ISO 27001 certification.

01

Initial Consultation & Scoping

Free initial consultation, defining the scope, identifying stakeholders, creating a project plan.

02

Gap Analysis

Current-state assessment, comparison with ISO 27001:2022 requirements, identifying gaps, prioritising a measures plan.

03

ISMS Build-Up

Implementing policies, processes and controls. Risk analysis, Statement of Applicability, documentation.

04

Internal Audit

Conducting an internal audit, management review, resolving nonconformities, checking audit readiness.

05

Certification Audit

Stage 1 & Stage 2 audit by an accredited certification body, supported by CONSUVATION consultants.

06

Operation & Monitoring

Ongoing operation of the ISMS, support for surveillance audits, ensuring continuous improvement.

ISO 27001 & Other Standards

How ISO 27001 Relates to Other Standards

ISO 27001 is the foundation: the related standards and regulations below build upon it or reference it directly. Companies that already operate an ISO 27001 ISMS have completed most of the work, provided the ISMS scope actually covers the sites, processes and systems the other standard assesses.

ISO 27001 → TISAX ISA

TISAX is based directly on ISO 27001 Annex A. Companies that already have ISO 27001 reach TISAX with significantly less effort. TISAX ISA now also covers OT availability of production facilities.

Automotive · VDA · OT

ISO 27001 → IEC 62443

IEC 62443 addresses the security of industrial automation and control systems (OT) and complements ISO 27001: the ISMS supplies the governance and risk layer, IEC 62443 the technical OT depth for SCADA, PLCs and DCS. Implemented together, they give one management system with OT-specific requirements such as zones, conduits and security levels.

OT Security · SCADA · Industry

ISO 27001 → CADIS

CADIS Module 1 is based entirely on ISO 27001. Companies certified to ISO 27001 have already fulfilled the most important CADIS module. CONSUVATION guides you through both standards in a single project.

Defence · DEKRA · 14 Modules

ISO 27001 → NIS2

NIS2 (Art. 21) requires appropriate and proportionate technical, operational and organisational measures without prescribing specific tools. An ISO 27001 ISMS is widely accepted as evidence that such measures exist and is regarded as best practice, but a certificate by itself does not equal NIS2 compliance: the NIS2 measures (including supply chain security, incident handling and the reporting obligations) must be mapped to the ISMS and covered by its scope.

NIS2 · Critical Infrastructure · BSI

ISO 27001 → GDPR

ISO 27001 directly addresses the technical and organisational measures (TOMs) required under Art. 32 GDPR. An ISO 27001 ISMS whose scope covers the relevant processing operations supports the evidence of appropriate security that supervisory authorities expect; it does not replace the GDPR-specific records such as the record of processing activities or data protection impact assessments.

GDPR · Art. 32 · TOMs

ISO 27001 → BSI IT-Grundschutz

BSI IT-Grundschutz and ISO 27001 are aligned with one another; the BSI also issues ISO 27001 certificates on the basis of IT-Grundschutz. Many authorities and critical infrastructure operators combine both frameworks. CONSUVATION is familiar with both approaches and integrates them efficiently.

BSI · Critical Infrastructure · Authorities

ISO 27001 → ISO 27005

ISO 27001 requires a risk assessment but does not prescribe a methodology. ISO 27005 provides exactly that – tailored specifically to information security and, in its current 2022 edition, closely aligned with the terminology and risk framework of ISO 31000. It is the methodological link between the ISMS requirement and generic risk management.

ISO 27005:2022 · ISO 31000 · Risk Methodology

Core Requirements

What ISO 27001 Requires of You

ISO 27001 is a management system standard: it is not just about technology, but about processes, people and organisation. All of clauses 4 to 10 are mandatory; the clauses below are the ones that usually need the most work, alongside clause 5 (Leadership) and clause 8 (Operation).

Clause 4

Context of the Organisation

Identify internal & external issues, define the scope, understand stakeholders and their requirements.

Clause 6

Risk Assessment & Treatment

Identify, assess and treat information security risks. Create and maintain a Statement of Applicability (SoA). Methodologically, we rely on ISO 27005 – aligned with the risk framework of ISO 31000.

Clause 7

Support & Documentation

Provide resources, ensure competence, create awareness, regulate communication and maintain ISMS documentation.

Clause 9

Monitoring & Management Review

Measure ISMS performance, conduct internal audits, hold management reviews and evaluate metrics.

Clause 10

Continual Improvement

Resolve nonconformities, implement corrective actions and systematically develop the ISMS further.

Annex A

Implementing 93 Controls

Determine which of the 93 Annex A controls are necessary to treat your risks: every control is either implemented or its exclusion justified in the SoA, controls from other sources may be added where Annex A has no fit, and each applicable control must be implemented verifiably, both technically and organisationally.
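The Clause 6 and Annex A requirements above (and the ISO 27005 methodology the page refers to) are easiest to see end to end on a small register. The following is an added illustration, not CONSUVATION's tool or methodology and not text from the standard: the 1 to 5 likelihood and impact scales, the likelihood × impact level, the acceptance threshold of 6, the risk entries and the exclusion justification are all assumptions. ISO 27001 clause 6.1.2 requires consistent, repeatable risk criteria but prescribes neither the scale nor the matrix, and ISO 27005 also lists risk avoidance and sharing as treatment options, which are omitted here for brevity. The Annex A identifiers and titles are the real ones from ISO/IEC 27001:2022. The example shows two things a practitioner wants from the process: a modified risk whose residual level is still above the criterion is flagged rather than silently accepted, and the SoA covers every listed control, so a control that no risk references and no exclusion justifies is reported as a gap.

```python
from dataclasses import dataclass

# Assumed qualitative scales (1 = lowest, 5 = highest). ISO 27001 clause 6.1.2
# requires consistent, repeatable risk criteria but prescribes neither the
# scale nor the matrix; these values are an illustration, not the standard's.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 6  # assumed acceptance criterion: level <= 6 may be retained

# Excerpt of Annex A (ISO/IEC 27001:2022) control titles used in this example.
ANNEX_A = {
    "A.5.23": "Information security for use of cloud services",
    "A.7.4": "Physical security monitoring",
    "A.8.2": "Privileged access rights",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.16": "Monitoring activities",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: str               # key of LIKELIHOOD, before treatment
    impact: str                   # key of IMPACT
    controls: tuple = ()          # Annex A controls proposed to modify the risk
    residual_likelihood: str = ""  # risk owner's estimate after the controls

    def level(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        lik = self.residual_likelihood or self.likelihood
        return LIKELIHOOD[lik] * IMPACT[self.impact]


def treatment_decision(risk: Risk) -> dict:
    """Apply the acceptance criterion and return the treatment decision.

    'retain' = accept as is; 'modify' = implement the proposed controls.
    A modified risk whose residual level is still above the criterion is
    returned with accepted=False so it stays on the treatment plan.
    """
    if risk.level() <= ACCEPTANCE_THRESHOLD:
        return {"risk": risk.risk_id, "option": "retain", "residual": risk.level(), "accepted": True}
    if not risk.controls:
        return {"risk": risk.risk_id, "option": "undecided", "residual": risk.level(), "accepted": False}
    res = risk.residual()
    return {"risk": risk.risk_id, "option": "modify", "residual": res,
            "accepted": res <= ACCEPTANCE_THRESHOLD}


def build_soa(risks, exclusions) -> dict:
    """Derive the Statement of Applicability from the treatment decisions.

    Every control in ANNEX_A appears once: applicable controls carry the risks
    that justify them; excluded controls need a justification from `exclusions`;
    anything else is flagged so the SoA cannot be signed off with a gap.
    """
    applicable = {}
    for r in risks:
        if treatment_decision(r)["option"] == "modify":
            for c in r.controls:
                applicable.setdefault(c, []).append(r.risk_id)
    soa = {}
    for cid, title in ANNEX_A.items():
        if cid in applicable:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(applicable[cid])}
        elif cid in exclusions:
            soa[cid] = {"title": title, "applicable": False, "justification": exclusions[cid]}
        else:
            soa[cid] = {"title": title, "applicable": None,
                        "justification": "MISSING: no risk references this control and no exclusion recorded"}
    return soa


# Constructed sample register and exclusion (not real client data).
RISKS = [
    Risk("R1", "customer DB (SaaS)", "credential theft of admin account", "likely", "major",
         controls=("A.8.2", "A.5.23"), residual_likelihood="unlikely"),
    Risk("R2", "file server", "ransomware via unpatched service", "possible", "severe",
         controls=("A.8.8", "A.8.13"), residual_likelihood="rare"),
    Risk("R3", "visitor badge printer", "theft", "unlikely", "negligible"),
    Risk("R4", "laptop fleet", "loss of unencrypted device", "likely", "major",
         controls=("A.8.24",), residual_likelihood="possible"),
]
EXCLUSIONS = {"A.7.4": "No own premises; facilities provided by a certified colocation partner (assumed)."}

if __name__ == "__main__":
    for r in RISKS:
        print(treatment_decision(r))
    for cid, row in build_soa(RISKS, EXCLUSIONS).items():
        print(cid, row["applicable"], row["justification"])
```

Running it, R1 and R4 come back as "modify" but not accepted (residual 8 and 12 against a threshold of 6), which is exactly the state an auditor will ask about; R3 is retained without controls; and A.8.16 is reported as MISSING because nothing in the register or the exclusions accounts for it. In a real ISMS the same logic runs over all 93 controls, and every "not accepted" residual needs either further treatment or a documented acceptance by the risk owner.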

Implementation Checklist

ISO 27001 – What Do You Need to Implement?

📋 Organisational Measures

  • 🏛️Define and document the ISMS scope (clause 4.3)
  • 📜Adopt an information security policy (clause 5.2)
  • 👤Define roles & responsibilities, e.g. CISO or information security officer (clause 5.3)
  • 🔍Create a risk assessment & risk treatment plan (clauses 6.1.2, 6.1.3)
  • 📋Create a Statement of Applicability (SoA) (clause 6.1.3 d)
  • 🎓Introduce a training and awareness programme (clauses 7.2, 7.3)
  • 🔄Establish an internal audit programme (clause 9.2)
  • 📊Conduct regular management reviews (clause 9.3)

🔧 Technical & Operational Measures

  • 🔐Introduce access and authorisation management (A.5.15, A.8.2, A.8.3)
  • 🛡️Ensure endpoint security and patch management (A.8.1, A.8.8)
  • 🔒Implement a cryptography policy (A.8.24)
  • 💾Create a backup and recovery concept and test restores regularly (A.8.13)
  • 📡Set up logging, monitoring and anomaly detection (A.8.15, A.8.16)
  • 🚨Define and test an incident response process (A.5.24 to A.5.27)
  • ☁️Create a cloud security concept per A.5.23
  • 🔗Introduce supplier and third-party management (A.5.19 to A.5.22)

Services

ISO 27001 Consulting From a Single Source

From gap analysis to certification support – everything from a single source, with senior consultants and our own correlation matrix.

01

ISO 27001 Gap Analysis

Systematic comparison of current state vs. target state against ISO/IEC 27001:2022: what exists, what's missing, what needs to be prioritised – clearly documented with a measures plan.

ISO 27001:2022 · Annex A

02

ISMS Setup & Implementation

Complete ISMS build-up according to ISO 27001: policies, processes, risk assessment, Statement of Applicability, control implementation and documentation.

ISMS · SoA · Risk Assessment

03

Audit Preparation & Support

Preparation for Stage 1 and Stage 2 audits: pre-audit, closing gaps, document review and support during the certification audit.

Stage 1 & 2 · Certification

04

Transition to ISO 27001:2022

Transitioning from ISO 27001:2013 to 2022: delta analysis, integrating new controls, updating the SoA – for companies with existing certification.

2013 → 2022 · Migration

05

Internal Audit & Management Review

Conducting internal audits according to ISO 19011, management review preparation, nonconformity management and continual improvement documentation.

Internal Audit · ISO 19011

06

ISMS for NIS2, TISAX & CADIS

ISO 27001 as the foundation for all other standards: NIS2, TISAX ISA, CADIS, IEC 62443 and BSI Grundschutz in one integrated ISMS project – maximum synergies.

NIS2 · TISAX · CADIS

07

Training & Awareness

ISO 27001 training for all levels: basics for employees, ISMS training for information security officers, management briefings, and executive training for NIS2 (§ 38 BSIG).

Awareness · § 38 BSIG

08

Ongoing ISMS Operation & Support

Ongoing support for ISMS operations: surveillance audit support, policy updates, risk reviews and continual improvement.

Continual Improvement · Surveillance Audit

Frequently Asked Questions

ISO 27001 – Frequently Asked Questions

What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It defines requirements for establishing, implementing, operating and continually improving an ISMS – and is the foundation for TISAX, CADIS, NIS2 and many other standards.
What changed with ISO 27001:2022?
The new version has 93 instead of 114 controls, structured into 4 themes instead of 14 domains. 11 new controls were added, including threat intelligence, cloud service security, data masking and secure coding. Existing certifications had to transition by 31 October 2025.
How long does ISO 27001 certification take?
Depending on company size and starting point, typically 6 to 18 months. With an experienced consultant and CONSUVATION's structured approach, this timeframe can be significantly shortened – especially if related standards (TISAX, NIS2) have already been implemented.
What is the relationship between ISO 27001 and NIS2?
NIS2 requires appropriate cybersecurity measures but does not prescribe specific tools. An ISO 27001 ISMS is widely recognised as best-practice evidence for the NIS2 measures, and companies with ISO 27001 can demonstrate them very efficiently, provided the NIS2-specific requirements (e.g. incident reporting, supply chain security, management accountability) are mapped into the ISMS and covered by its scope.
What is the difference between ISO 27001 and IEC 62443?
ISO 27001 addresses overall information security. IEC 62443 specialises in industrial control systems (OT – SCADA, PLCs, DCS). Both complement each other: ISO 27001 as the ISMS foundation, IEC 62443 for OT depth. CONSUVATION implements both standards in one integrated project.
Do I have to get ISO 27001 certified?
Certification is not legally mandatory, but it is often required by customers, OEMs or authorities. NIS2 does not require formal ISO 27001 certification; TISAX uses its own ISA-based assessment and does not require an ISO 27001 certificate either, although an existing ISMS covers most of its requirements. CADIS explicitly requires an ISMS according to ISO 27001.
What methodology should I use for the ISO 27001 risk assessment?
ISO 27001 requires a risk assessment but does not prescribe a specific methodology. ISO 27005 provides the risk management process tailored specifically to information security and, in its current 2022 edition, is closely aligned with the generic risk framework of ISO 31000. CONSUVATION implements this methodology in a structured way within your ISMS.

Our ISO 27001 Solutions

A Complete Solution for Every Company Size

Project plan, process models, training portal, dashboard and an external information security officer – all from a single source. Scalable for small, mid-sized and large companies.

The 5 Building Blocks of Our Complete ISO 27001 Solution

🏛️

ISO 27001 Management System

Foundation & Governance

📋

Process Model & Policies

All 93 Controls

🎓

Training Portal

DE & EN, with Test

📊

ISMS Dashboard

Operations & Governance

👤

External ISO (Information Security Officer)

Remote + Optional On-Site

Small Companies · Up to 50 Employees

ISO 27001 STARTER

Entry-level solution for small companies. Includes all essential building blocks for an initial ISO 27001 certification – pragmatic, fast and cost-efficient.

  • ISO 27001 management system
  • Process model & core policies
  • E-learning training portal
  • Gap analysis & risk assessment
  • Remote support through to audit
Large Companies · 250+ Employees

ISO 27001 ENTERPRISE

Maximum solution for complex organisations – with an individual project structure plan, on-site support and integration with TISAX, CADIS or NIS2.

  • All PROFESSIONAL services
  • Individual project structure plan
  • External information security officer (remote + on-site)
  • Integration with TISAX / CADIS / NIS2
  • Correlation matrix-driven gap analysis
  • Ongoing operation & surveillance audits

All packages include an individual project plan and are tailored to your company. Remote support included – on-site appointments available on request. Schedule a consultation now →

Our Expertise

Pioneers Since BS 7799 – Experience That Counts

CONSUVATION exclusively employs senior consultants. With more than 25 years of experience in information security, we are one of the most experienced ISO 27001 consulting firms in the DACH region.

Our experts were among the first certified BS 7799 auditors – the direct precursor to today's ISO 27001. They combine this foundational expertise with current practical experience in ISO 27001:2022, TISAX ISA, CADIS and NIS2.

As active ISO working group members, we bring insider knowledge that flows directly into your ISMS implementation.

Our Tool: ISO 27001 Correlation Matrix

CONSUVATION has developed its own correlation matrix for ISO 27001 requirements, which maps all relevant standards – ISO 27001, IEC 62443, TISAX ISA, CADIS, NIS2 and BSI Grundschutz. This allows us to identify synergies immediately and create a complete gap analysis in the shortest possible time – without duplicate work and with maximum standards coverage.

25+ years of experience
BS 7799: first ISO auditors
ISO working group members
100% senior consultants

ISO/IEC 27001:2022

Certified consultants & auditors – from gap analysis through to certification audit support

CISA · CISM · CRISC · CGEIT

The most renowned ISACA certifications – from IT audit to IT governance and risk management

TISAX ISA · CADIS · NIS2

Integrated ISMS implementation for all standards built upon ISO 27001 – in one project, without duplicate work

BS 7799 – First Auditors in Germany

Over 25 years of experience since the beginnings of BS 7799 – the precursor to ISO 27001

Get Started Now

Ready for Your ISO 27001 ISMS?

Get advice from an experienced CONSUVATION consultant – free, no obligation, and no generic boilerplate.

CONSUVATION GmbH · Tilsiter Str. 6 · D-71065 Sindelfingen, Germany · +49 (0) 7031.4181-860 · contact@consuvation.com