BPG Beratungs- und Prüfungsgesellschaft mbH

Information security according to ISO/IEC 27001:2022: Relevance, risks, implementation


Why information security is business-critical today

The importance of information security has increased significantly in recent years. In addition to the growing threat of cyber attacks, legal and contractual requirements are also gaining in importance. Companies of all sizes are increasingly required to systematically protect personal and business-critical data.

With the implementation of the NIS2 Directive, the introduction of the DORA framework in the financial sector and increasing requirements from data protection and IT security laws, regulatory pressure continues to grow.

Large companies and public bodies in particular are increasingly relying on information security management systems (ISMS) across the board, often based on the international standard ISO/IEC 27001. This results in increased requirements along the entire supply chain - a trend that is also increasingly affecting small and medium-sized enterprises (SMEs) in order to meet regulatory requirements, manage risks appropriately and maintain their competitiveness in the long term.

The role of the information security management system (ISMS)

A well-established information security management system (ISMS) increases the resilience of the entire organization - and thereby secures assets, processes and market positions in the long term. The "Return on Security Investment" (RoSI) thus becomes a measurable factor.

An ISMS based on the latest ISO/IEC 27001:2022 standard, for example, provides an internationally proven and recognized basis for identifying and evaluating risks in a structured manner and minimizing them through targeted measures in order to comply with legal and contractual requirements and at the same time counteract the increased threat of cyberattacks.

The security strategy is thus documented for customers, partners and authorities, and certification provides internationally recognized proof that many organizations already require as a prerequisite for access to certain tenders or industries.

What is ISO/IEC 27001:2022?

ISO 27001:2022 is an international standard for the establishment, implementation, maintenance and continual improvement of an information security management system (ISMS). The ISMS serves to ensure the confidentiality, integrity and availability of information. The standard also addresses resistance to attacks, minimization of risks and rapid recovery after security incidents. The aim is to establish a systematic and documented approach to information security.

ISMS according to ISO/IEC 27001:2022 or IT baseline protection?

Choosing the right standard for the ISMS plays a decisive role.
Compared to the more formalized IT baseline protection (IT-Grundschutz) of the BSI, which is based on predefined threats and requires a high level of resources, ISO/IEC 27001:2022 offers companies significantly more flexibility: measures are selected on a risk-based and needs-based basis, taking the organizational circumstances into account. This makes economic sense for SMEs in particular, because resources can be used in a targeted and efficient manner to reduce corporate risks.
The BSI's IT baseline protection is less suitable for SMEs due to its high resource requirements. In addition, ISO/IEC 27001:2022 is an internationally recognized standard that is also accepted by business partners abroad.

ISO/IEC 27001:2022 - Basics and innovations

ISO/IEC 27001:2022 defines the requirements for the establishment, implementation and continuous improvement of an ISMS. The aim is to systematically ensure the confidentiality, integrity and availability of information - regardless of the industry or company size.

Scope and benefits

Due to its generic nature, the ISO/IEC 27001:2022 standard is applicable regardless of industry and size and can therefore be implemented by companies of all types and sizes. Both internal requirements, such as the protection of sensitive company data, and the requirements of external partners are met. An ISMS in accordance with ISO/IEC 27001:2022 brings numerous strategic and operational benefits:

  • Strengthening the trust of customers, partners and stakeholders through certified security.

  • Competitive advantage in tenders and contract negotiations, as certification is still uncommon in the SME sector.

  • Clear structures, processes and responsibilities for handling information that promote the secure handling of information within the company.

  • Early detection of weaknesses through systematic risk analyses and internal audits.

  • Increased resilience to cyber incidents through structured risk analyses and continuous monitoring.

  • Compliance with legal and contractual requirements, e.g. support in implementing the GDPR, industry-specific regulations or contractual requirements.

  • Improved insurance conditions (e.g. for cyber insurance).

  • Business continuity in the event of a crisis.

Compared to the previous version, the current edition has been fundamentally revised. The standard is now more closely aligned with other ISO management systems (e.g. ISO 9001 for quality management). The number of security measures (controls) has been reduced from 114 to 93 and divided into four subject areas:

  • Organizational measures: For example, regulations, guidelines, responsibilities that control important processes for maintaining information security in the organization.

  • Personnel measures: For example, employee training and awareness, secure employee behavior when handling information, and screening new employees before hiring them.

  • Physical measures: The protection of physical access to information and IT systems, for example through access controls and the monitoring and securing of buildings.

  • Technological measures: For example, system-side access controls, encryption measures, network security and backup strategies.

This structure facilitates the systematic development of an ISMS and promotes a practice-oriented implementation that is geared towards the individual needs and objectives of the organization and its security requirements, organizational processes, size and structure. It also makes it possible to exclude individual security measures (controls) from consideration when adapting to individual needs: for example, the technological measures include 7 controls that deal with software development. As many organizations do not develop their own software, these controls can be excluded from consideration without any restriction with regard to the desired certification.

Typical challenges on the way to certification

In practice, many organizations need support at similar points during implementation:

  • There is no structured risk analysis, or the existing analysis is incomplete.

  • A documented ISMS structure is missing or is not comprehensibly structured.

  • Roles and responsibilities in the area of information security are not clearly defined and documented.

  • There are no ongoing measures to raise employee awareness of security-related issues.

  • External partners or service providers are not systematically integrated into the ISMS.

Conclusion

An information security management system (ISMS) in accordance with ISO/IEC 27001:2022 is far more than a purely technical measure or an exclusive IT matter - it is a strategic tool for minimizing risks, creating trust and additionally safeguarding the company's ability to act and its continued existence. A systematic approach to information security not only strengthens IT, but also the entire organization.
For SMEs in particular, the ISO/IEC 27001:2022 standard offers a scalable framework for achieving a high level of security and compliance with manageable effort. The key is to gain clarity at an early stage, define realistic goals - and provide consistent and appropriate support during the implementation process.

Resource management for setting up an ISMS - internal or external?

Information security requires accountability - but not every company can provide internal resources on a permanent basis to develop an ISMS independently and maintain it effectively in the long term. Medium-sized companies in particular often lack the personnel capacity or specialized knowledge. An external information security officer (ISB) can be an economically viable solution here. They not only bring specialist expertise and project experience, but also a neutral view of internal processes. Having supported several companies in different sectors, an external information security officer is familiar with typical pitfalls and can introduce tried-and-tested procedures - individually tailored to the requirements of the respective organization.

The first step towards an ISMS: GAP analysis according to ISO/IEC 27001:2022

A structured GAP analysis is a proven way to start setting up an ISMS. It shows in which areas the organization already complies with the standard and in which areas there is a need for action. The result is a structured action plan that serves as a roadmap for setting up an effective ISMS in preparation for possible certification. The main benefits are:

  • Identification of gaps compared to the standard

  • Reduction of implementation costs through targeted planning and prioritization

  • Reduction of certification risks through early corrective action

  • Identification of weaknesses before an official certification audit

On this basis, an individually coordinated action plan is created, which serves as a guideline for the further development of an effective ISMS. In many cases, such an analysis is the most efficient way to identify specific areas for action, strengthen information security and prepare the organization for possible certification.

Our Offering

As an experienced partner in the field of information security, IT consulting and IT auditing, we provide you with needs-based support during implementation:

  • Inventory, evaluation and optimization of existing processes

  • Carrying out a GAP analysis in accordance with ISO/IEC 27001:2022

  • Advice, design and project support for setting up an ISMS

  • Assuming the role of external information security officer (ISB)

We would be happy to provide you with an individual offer tailored to your requirements.
Get in touch with us!
