What exactly is examined during ISO 27001 certification?

There are many myths surrounding this question. Many believe that “IT security” is audited. Others think that compliance, in terms of information security, is put through its paces. Still others think that a product or service is certified, so that after receiving the certificate an organization could claim that product XYZ is ISO 27001 certified. In other words, they see the certification simply as a marketing tool for audited companies to advertise on their own website. None of this is correct!

What exactly is tested?

The object of the certification audit is actually the processes within an organization, measured against the requirements of the ISO 27001 standard. The auditor examines whether the standard's requirements have been implemented appropriately within the organization under examination.

If this is the case and the company receives the coveted certificate, the first good preconditions have been created for the organization to adequately manage the essential topic of information security. With the procedures in place, the organization is thus in a position to guarantee an appropriate level of information security for the data processed.

What is NOT audited?

The certification audit explicitly does not address the question of whether the products and services offered by the organization and the information processed with them are actually secure – although this is a widespread (mis)perception in the market.

Instead, what is audited is how the organization (or a part of it) approaches the requirements of the standard.

Does an ISO 27001 certificate guarantee an appropriate level of information security?

This question can be answered with “yes” if the certification audit is carried out seriously. Whether the certified organization always produces secure products and services per se, however, cannot be stated solely on the basis of an ISO 27001 certificate. The same applies to quality management, where an ISO 9001 certificate likewise does not per se mean that the certified organization always produces high-quality products.


In summary, organizations with an ISO 27001 certificate demonstrate their methodical approach to their information security – not a specific level of information security.

Do you have further questions?

TEN Information Management’s information and IT security experts are happy to help.
