CIVAC
IT security & NIS-2 · 27 May 2026 · 12 min read

ISO 27001 Consulting in Germany: Scope, 2022 Transition, NIS-2 Alignment

By Lena Vogt

ISO 27001 consulting in Germany combines ISMS architecture, 93 Annex A controls and the operational reality of NIS-2, BDSG and BSI guidance. This guide outlines scope, transition timing to ISO/IEC 27001:2022, certification path and where an external information security officer fits.

ISO/IEC 27001:2022 was published on 25 October 2022 and replaced the 2013 edition. Under the IAF MD 26 transition rule, certified organisations had until 31 October 2025 to transition; 2013 certificates still in force became invalid on that date. In Germany, the standard sits inside a regulated landscape that includes the BSI IT-Grundschutz methodology, § 75c SGB V for hospitals, the NIS-2 implementation framework and sector-specific obligations under KRITIS.

This guide describes what ISO 27001 consulting in Germany typically delivers, where the 2022 revision changed expectations, how the standard aligns with NIS-2 duties for around 29,500 affected German entities, and how an external information security officer fits into the operating model. The focus is operational: documentation that holds in an audit, evidence that maps to controls and a reporting line that survives a Stage 2 audit interview.

Auf einen Blick

  • ISO/IEC 27001:2022 introduces 93 Annex A controls grouped into four themes, replacing the 114 controls of the 2013 edition.
  • Consulting scope in Germany routinely includes BSI IT-Grundschutz mapping, BDSG handling and NIS-2 alignment for affected entities.
  • An external information security officer accelerates documentation, evidence collection and Stage 2 readiness from weeks to days.

What ISO 27001 Consulting Covers in the German Market

A typical engagement covers four work packages. The first is scope definition under clause 4: identifying internal and external issues, interested parties and the boundaries of the information security management system. In Germany, the scope statement usually references group structures, EU data residency and the relationship with parent or sister entities to satisfy auditors and customers in regulated industries.

The second package is risk assessment and treatment under clauses 6.1.2 and 6.1.3. Consultants align the methodology with the 2022 control set in Annex A. Controls are no longer organised into the 14 domains A.5 to A.18 of the 2013 edition; they are grouped into 93 controls across four themes: organisational (5.x), people (6.x), physical (7.x) and technological (8.x). Mapping existing controls to the new structure is part of any 2022 transition project.

The third package is documentation: information security policy under clause 5.2, statement of applicability, risk treatment plan, incident response procedure, supplier management, business continuity and the documentation required for certification. The fourth package is internal audit, management review and certification preparation. Many engagements include the appointment of an information security officer who operates the ISMS after the consultants leave. CIVAC offers this role as part of its compliance platform and Officer-as-a-Service model.

The 2022 Transition: Structure, Controls and Timing

The transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 followed the IAF mandatory document MD 26. The standard text changed in two main ways. First, the management system clauses 4 to 10 received mostly editorial updates aligned with the harmonised structure (Annex SL); the one substantive addition is clause 6.3, planning of changes to the ISMS. Second, Annex A was rewritten to reflect ISO/IEC 27002:2022, reducing 114 controls to 93 by merging overlapping controls and introducing 11 new ones.

The 11 new controls address topics that have grown in regulatory weight: threat intelligence (5.7), information security for use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23) and secure coding (8.28). Each of these maps onto practical questions auditors ask during Stage 2 interviews, for example: which threat feeds inform your risk picture, and how often do you reassess your cloud supplier inventory?

The transition deadline of 31 October 2025 closed the window for certifications under the 2013 edition. Organisations that missed the deadline lost their certificate and had to re-certify under 2022. Consulting projects in 2026 therefore focus less on transition and more on operating maturity: extending the ISMS scope, integrating subsidiaries, and aligning with the EU NIS-2 transposition once Germany finalises its implementation act. Audit-ready, documented, control-evidenced. The standard offers no exemptions for late adopters.

Mapping ISO 27001 to NIS-2 Obligations

The NIS-2 Directive (EU 2022/2555) imposes risk-management duties on around 29,500 German entities once the national transposition takes effect. Article 21 of the directive lists ten minimum measures that essential and important entities must implement, ranging from risk analysis to incident handling, business continuity, supply chain security, encryption and human resources security. Each of these maps cleanly onto ISO/IEC 27001:2022 Annex A controls.

For German entities that already operate a certified ISMS, NIS-2 alignment is a matter of evidence and reporting rather than re-engineering. The reporting chain under Article 23 of the directive (early warning within 24 hours, incident notification within 72 hours, final report within one month) corresponds to the incident management controls in Annex A 5.24 to 5.28: planning and preparation, assessment and decision, response, lessons learned and evidence collection. The supply chain duties in Article 21(2)(d) align with the supplier relationship controls in Annex A 5.19 to 5.23, including the cloud services control 5.23.

The maximum administrative fines under NIS-2 reach EUR 10 million or 2 percent of global annual turnover for essential entities, and EUR 7 million or 1.4 percent for important entities. Personal liability of board members is explicitly anchored in Article 20. An ISO/IEC 27001 certificate does not eliminate this liability, but it documents due diligence and demonstrates the existence of governance, training and risk management structures, which auditors and supervisory authorities weigh in their assessment.

BSI IT-Grundschutz: When ISO 27001 Meets the German Methodology

The Federal Office for Information Security (BSI) publishes the IT-Grundschutz methodology, structured in BSI Standard 200-1 (management system), 200-2 (basic, standard, core protection) and 200-3 (risk analysis). The methodology is mandatory for the federal administration and is widely adopted in the public sector, healthcare and KRITIS operators. ISO/IEC 27001 certification on the basis of IT-Grundschutz is offered by the BSI as a recognised path.

Consulting engagements that target both standards work with a unified control mapping. The IT-Grundschutz Compendium contains around 100 modules with concrete requirements that translate into Annex A evidence. The advantage is that the German Federal Office for Information Security explicitly publishes the cross-reference, reducing the documentation overhead for organisations that operate in regulated environments or in public procurement.

Hospitals fall under § 75c SGB V, which requires the implementation of state-of-the-art technical and organisational measures since 1 January 2022. The industry-specific standard B3S of the German Hospital Federation explicitly references ISO/IEC 27001 and IT-Grundschutz. Consulting projects in the healthcare sector therefore combine ISMS architecture with sector-specific evidence packages. The auditor calls, the evidence is ready. This applies to BSI re-certifications as much as to ISO Stage 2 audits.

Internal or External Information Security Officer

ISO/IEC 27001:2022 does not mandate an information security officer by name, but clause 5.3 and Annex A control 5.2 require that information security roles and responsibilities be defined, allocated and communicated. German practice and NIS-2 alignment make a designated officer the operational baseline. The choice between an internal and an external officer follows four criteria: availability of qualified staff, conflicts of interest, risk profile and budget.

An internal officer knows the business, is present in daily operations and uses short reporting lines. The drawback is the cost of ongoing training. ISO/IEC 27001, BSI IT-Grundschutz and supervisory practice evolve continuously. An external officer brings routine from parallel mandates, carries professional liability insurance and operates independently. The classic lead time to appointment is two to six weeks.

CIVAC reduces this lead time to two business days. The workspace holds the appointment letter, the reporting line agreement, confidentiality clauses and the supervisory notification template. The platform combines documentation, audit templates and an ISO/IEC 27001:2022 ISMS with EU data residency. Licence the workspace for your internal officers, or commission our officers. Both models satisfy Article 21 NIS-2 obligations and accelerate Stage 2 readiness. Other firms manage compliance like a filing cabinet. We run it like software.

Documentation and Evidence: What Stage 2 Auditors Ask For

A Stage 2 audit verifies the operating effectiveness of the ISMS. Auditors sample evidence across the 93 Annex A controls and request three categories of artefacts. The first is policy and procedure: information security policy signed by top management, supplier management policy, incident response procedure, acceptable use policy. The second is operating evidence: risk register with recent reviews, internal audit report, management review minutes, incident records.

The third and most decisive is consistency: the ability to walk from a policy statement to the evidence of operation without contradictions. Auditors test this through traceability questions, for example: show me how a risk identified six months ago has been treated, including the residual risk acceptance by the asset owner. Inconsistencies between the statement of applicability and operating practice are the most common non-conformity finding.

Documentation lives in a workspace that supports versioning, access control, timestamps and an audit trail. The CIVAC workspace is built on an ISMS certified to ISO/IEC 27001:2022, with 93 controls and EU data residency. Documents are stored in tamper-evident form, evidence is linked to controls, and the statement of applicability is generated from the live control inventory. The auditor calls, the evidence is ready. This is the operating principle that turns ISO 27001 consulting from a documentation project into a managed compliance baseline.
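The traceability walk described above (statement of applicability to evidence, and risk to treatment to residual risk acceptance) can be checked mechanically before the auditor asks. The following Python script is an added example, not CIVAC's code or data model: the record layout, the control subset and all sample records are constructed for illustration. It generates a statement of applicability from a control inventory, an exclusion list and a risk treatment plan, then reports every break an auditor's traceability question would expose: applicable controls without operating evidence, evidence older than the review interval, treatments that rely on a control the SoA excludes, and risks without residual acceptance by the asset owner.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical record layout (not CIVAC's schema): the three artefacts a
# Stage 2 auditor walks across. Every record below is constructed sample data.

@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset_owner: str
    controls: Tuple[str, ...]            # Annex A controls in the treatment plan
    residual_accepted_by: Optional[str]  # who accepted the residual risk, if anyone
    last_review: date

@dataclass(frozen=True)
class Evidence:
    control_id: str
    artefact: str
    produced_on: date

@dataclass(frozen=True)
class Finding:
    subject: str  # control id or risk id
    issue: str

def build_soa(inventory: Dict[str, str], exclusions: Dict[str, str],
              risks: List[Risk]) -> Dict[str, dict]:
    """Generate the SoA from the live control inventory: a control is applicable
    unless explicitly excluded, and the justification names the risks it treats."""
    treats: Dict[str, List[str]] = {}
    for r in risks:
        for c in r.controls:
            treats.setdefault(c, []).append(r.risk_id)
    soa: Dict[str, dict] = {}
    for cid, title in inventory.items():
        if cid in exclusions:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": exclusions[cid]}
        else:
            ids = treats.get(cid)
            just = "treats " + ", ".join(ids) if ids else "baseline control, no specific risk"
            soa[cid] = {"title": title, "applicable": True, "justification": just}
    return soa

def trace(soa: Dict[str, dict], risks: List[Risk], evidence: List[Evidence],
          as_of: date, max_age_days: int = 365) -> List[Finding]:
    """Walk SoA -> evidence and risk -> treatment -> acceptance and return every break."""
    findings: List[Finding] = []
    newest: Dict[str, date] = {}
    for e in evidence:
        newest[e.control_id] = max(newest.get(e.control_id, e.produced_on), e.produced_on)
    cutoff = as_of - timedelta(days=max_age_days)
    for cid, row in soa.items():
        if not row["applicable"]:
            continue  # excluded controls need a justification, not evidence
        if cid not in newest:
            findings.append(Finding(cid, "no operating evidence for applicable control"))
        elif newest[cid] < cutoff:
            findings.append(Finding(cid, f"newest evidence {newest[cid]} older than {max_age_days} days"))
    for r in risks:
        for c in r.controls:
            row = soa.get(c)
            if row is None:
                findings.append(Finding(r.risk_id, f"treatment references unknown control {c}"))
            elif not row["applicable"]:
                findings.append(Finding(r.risk_id, f"treatment relies on control {c} excluded in SoA"))
        if r.residual_accepted_by is None:
            findings.append(Finding(r.risk_id, "residual risk not accepted by asset owner"))
        elif r.residual_accepted_by != r.asset_owner:
            findings.append(Finding(r.risk_id, "residual risk accepted by someone other than asset owner"))
    return findings

# Constructed sample: a six-control subset of Annex A, one exclusion, three risks.
INVENTORY = {
    "5.7": "Threat intelligence",
    "5.19": "Information security in supplier relationships",
    "5.23": "Information security for use of cloud services",
    "5.24": "Information security incident management planning and preparation",
    "8.11": "Data masking",
    "8.28": "Secure coding",
}
EXCLUSIONS = {"8.11": "no production data is used outside production systems"}
RISKS = [
    Risk("R-001", "it-ops", ("5.23", "5.19"), "it-ops", date(2026, 3, 10)),
    Risk("R-002", "ciso", ("5.24",), None, date(2025, 11, 2)),          # never accepted
    Risk("R-003", "dev-lead", ("8.28", "8.11"), "dev-lead", date(2026, 1, 15)),  # uses excluded 8.11
]
EVIDENCE = [
    Evidence("5.7", "threat feed review minutes", date(2026, 5, 5)),
    Evidence("5.19", "supplier due diligence file", date(2024, 12, 20)),  # stale
    Evidence("5.23", "cloud supplier inventory review Q1", date(2026, 4, 2)),
    Evidence("5.24", "incident response plan v3, approved", date(2026, 2, 11)),
    # no evidence at all for 8.28
]

def run_sample(as_of: date = date(2026, 5, 27)) -> List[Finding]:
    return trace(build_soa(INVENTORY, EXCLUSIONS, RISKS), RISKS, EVIDENCE, as_of)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.subject}: {f.issue}")
```

Run against the sample data, the script reports four breaks: stale evidence for 5.19, no evidence for 8.28, no residual acceptance on R-002, and R-003 relying on the excluded control 8.11. The last one is exactly the SoA-versus-practice contradiction named above as the most common non-conformity, and it only surfaces because the SoA is derived from the same control inventory the treatment plan references rather than maintained as a separate document.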

Certification Path: Stage 1, Stage 2 and Surveillance

Certification follows a three-year cycle. Stage 1 is a documentation review. The certification body assesses whether the management system documents satisfy the standard. Stage 2 is the on-site or remote operating audit, typically two to five days for a mid-size organisation. The certificate is issued after Stage 2, provided no major non-conformities remain open.

Surveillance audits follow in years one and two, each shorter than Stage 2. Re-certification in year three repeats the Stage 2 effort. Choice of certification body matters: accreditation by DAkkS (the German national accreditation body) under the IAF multilateral recognition arrangement ensures the certificate is recognised internationally. For ISO 27001 certificates on the basis of IT-Grundschutz, the certification path is operated by the BSI directly, with audits performed by auditors licensed by the BSI.

Consulting engagements often time the certification audit to coincide with the end of the operating period that produced 12 months of evidence. Earlier audits work as well but require careful selection of evidence to demonstrate operating effectiveness. The investment for certification of a mid-size organisation in Germany typically lies between EUR 15,000 and EUR 60,000 for the certification body fees alone, depending on scope and complexity. Consulting and internal effort sit alongside this figure.

Cost Logic and Project Phases

An ISO/IEC 27001 implementation project in Germany typically runs six to twelve months for a mid-size organisation. Phase one is the gap assessment, two to four weeks, comparing existing practice against the standard. Phase two is the design and rollout of the ISMS, three to six months, including policies, procedures, risk assessment, control implementation and supplier integration. Phase three is internal audit and management review, two to four weeks. Phase four is the certification audit.

Consulting fees vary widely. A pragmatic range for the consulting component alone is EUR 40,000 to EUR 150,000, depending on scope, sites and existing maturity. Internal effort typically matches or exceeds the external spend, particularly in the documentation and evidence phases. A workspace that bundles audit templates and an officer service reduces internal effort and shortens the project duration.

CIVAC accelerates the documentation phase through 37 prepared audit templates, a control inventory aligned with the 93 Annex A controls and an established reporting line for the appointed information security officer. The dual model is straightforward: licence the workspace for your internal officers, or commission our officers. The result is a documented ISMS with a verifiable evidence base, ready for Stage 2.

From Reading to Mandate: Turning Consulting into Certification

ISO 27001 consulting in Germany is no longer a one-off project. The 2022 transition, the NIS-2 implementation, the BSI Grundschutz path and the supplier expectations of regulated customers turn the ISMS into a continuous operating baseline. The decision is therefore less about whether to certify and more about how to operate the management system in the years between audits.

CIVAC is a compliance platform and Officer-as-a-Service designed for this operating reality. The workspace combines documentation, audit templates and a certified ISMS with 93 controls and EU data residency. The appointment letter, supervisory notification, statement of applicability and the audit evidence pack live in one place, with version control and access governance. Licence the workspace for your internal officers, or commission our officers. The classic two-to-six-week lead time for officer appointment shrinks to two business days.

Turn reading into a mandate. Write to info@civac.de or use the contact form on civac.de. An initial call clarifies scope, transition status, NIS-2 alignment and the appointment path, and you move from consulting concept to a documented engagement within days.

FAQ

What changed between ISO/IEC 27001:2013 and ISO/IEC 27001:2022?

Annex A was rewritten on the basis of ISO/IEC 27002:2022. The control count moved from 114 to 93, grouped into four themes: organisational, people, physical and technological. Eleven controls are new, covering topics such as threat intelligence, cloud security, data masking and secure coding. The management system clauses 4 to 10 received editorial alignment.

When did the transition deadline expire?

The IAF MD 26 transition deadline closed on 31 October 2025. Certificates issued against the 2013 edition lost validity on that date. Organisations that missed the deadline must re-certify against the 2022 edition rather than transitioning, which extends project timelines.

Is ISO 27001 mandatory in Germany?

ISO/IEC 27001 itself is voluntary. Sector laws may require equivalent measures, for example § 75c SGB V for hospitals and the NIS-2 implementation act for essential and important entities. A certificate is a widely accepted way to evidence the appropriate technical and organisational measures required under Art. 32 GDPR, although it is not itself a GDPR certification under Art. 42.

How does an ISMS satisfy NIS-2 risk management duties?

Article 21 of NIS-2 lists ten minimum measures that map directly onto ISO/IEC 27001:2022 Annex A controls. An operating ISMS supplies the policies, risk analysis, supplier governance, incident response and training records that supervisory authorities will request. Personal liability of management under Article 20 is mitigated through documented governance.

How long does a certification project take in Germany?

A mid-size organisation typically completes the project in six to twelve months: two to four weeks for the gap assessment, three to six months for ISMS design and rollout, two to four weeks for internal audit and management review, and the Stage 1 and Stage 2 audits at the end. Prepared workspaces and audit templates can shorten this timeline materially.

Can the information security officer role be outsourced?

Yes. ISO/IEC 27001 requires the role to be defined and allocated but does not mandate an internal employee. An external officer with documented qualifications, professional liability insurance and a written engagement satisfies the standard. CIVAC offers this role as part of its Officer-as-a-Service model with a two-business-day onboarding.

Turn this article into a mandate.

We take over the operational burden: external officer, templates and documentation in one workspace. No obligation.
