What exactly is examined during ISO 27001 certification?

There are many myths surrounding this question. Many believe that “IT security” is audited. Others think that compliance is put through its paces – in terms of information security. And still others think a product or service would be certified. And organizations could show that after receiving the certificate, the product XYZ was ISO 27001 certified. In other words, the certification is simply a marketing tool for audited companies to advertise on their own website. All this is not correct!

What exactly is tested?

The object of the certification audit is actually the processes within an organization with regard to the requirements of the ISO 27001 standard. In doing so, the auditor examines whether the standard requirements have been implemented appropriately within the organization under examination.

If this is the case and the company receives the coveted certificate, the first good preconditions have been created for the organization to adequately manage the essential topic of information security. And is thus in a position, with the procedures in place, to guarantee an appropriate level of information security for the data processed.

What is NOT audited?

The certification audit explicitly does not address the question of whether the products and services offered by the organization and the information processed with them are actually secure – although this is a widespread (mis)perception in the market.

Instead, what is audited is the organization’s (or part of it) approach to the standard requirements.

Does an ISO 27001 certificate guarantee an appropriate level of information security?

This question can be answered with “yes” if the certification audit is carried out seriously. Does the certified organization always produce secure products and services per se? However, this statement cannot be made solely on the basis of an ISO 27001 certificate. The same applies to quality management, where an ISO 9001 certificate also does not per se mean that the certified organization always produces high-quality products.


In summary, organizations with an ISO 27001 certificate demonstrate their methodical approach to their information security – not a specific level of information security.

Do you have further questions?

TEN Information Management’s information and IT security experts are happy to help.

More articles

Are you already familiar with our SCOD consulting service? SCOD stands for Security Consultant on Demand – and for being available to you at short notice at any time for all your information security questions....
How does the technology behind Watchdog by TEN IM actually work? Answer: we use Wazuh, one of the leading SIEM platforms on the market. Wazuh is an open source security platform designed to help companies...
If we closely review the ISO 27001:2013 standard or the draft of the new 27001:2022, we see that the terms penetration testing and vulnerability scanning are not explicitly mentioned either as requirements or as a...