Certifications (ISO 9001, 27001, TISAX®)

Certifications are an important prerequisite for suppliers, service providers and other contractors to acquire customers, and clients almost always ask for them in the first contact talks. In various industries, e.g. IT services, deliveries and services of suppliers in the automotive industry, goods and services for energy suppliers, etc., certifications in quality management (ISO 9001) and in IT security (ISO 27001 and TISAX) are essential prerequisites for being considered and for receiving the order as a supplier or service provider. The companies, organizations and institutions affected must therefore position themselves to be resilient and fit for the future. Certifications in quality management and IT security are important contributions to the company becoming and remaining sustainable. For this reason, the strategic decisions of the management level must allocate the necessary resources to this topic and plan and implement it in the organization in good time.

Quality management according to ISO 9001

ISO 9001 defines the minimum requirements for a quality management system. The organization must meet these minimum requirements and keep them up to date through a continuous improvement process (CIP). All of the company’s processes affected by the standard must be mapped in an orderly and structured manner, and the necessary process organization must be created. Within the process organization, the responsible people must be named, and responsibility must be assigned and actually carried.

All measures for structuring the process flows are implemented according to the Plan-Do-Check-Act model (PDCA model). In the first step (PLAN), the measures are planned. In the second step (DO), the planned process flows are implemented. In the third step (CHECK), it is checked whether the implemented processes are in line with the requirements of the standard and whether the goals and requirements pursued with the implemented measures are achieved. In the fourth step (ACT), improvements to the implemented measures and process flows are recorded, fed back into the process flows and implemented. Regular internal audits must be carried out in the company. This creates a process of continuous improvement that raises quality management to an appropriate level and keeps it there.

We can support you as part of the ISO 9001 certification with the following services:

  • Support in creating the documents required by the standard
  • Implementation of the process documentation in the required level of detail (process descriptions, procedural instructions, work instructions)
  • Comparison of the requirements of ISO 9001 with the company’s existing or missing QM documents
  • Development of quality management planning (process planning and process control)
  • Obligation of the management to comply with the established guidelines and quality management policy (binding quality policy and quality goals)
  • Control of the documents required by the standard (creation, testing, approval)
  • Evaluation of the company’s opportunities and risks (risk management)
  • Regular reviews by the management (management review)
  • Carrying out regular audits (system audits and process audits)
  • Creation of the required audit reports and discussions with the management and other responsible persons
  • Derivation of risk treatment measures
  • Planning and monitoring of company resources
  • Incorporation of the necessary processes and measures into the QM documentation
  • Training and raising awareness among employees on the issues required by the standard
  • Definition of quality objectives in accordance with the quality policy
  • Assignment of responsible persons, goals to be achieved with target date and definition of parameters for measuring the achievement of goals (indicators)
  • Selection of the certifying body (TÜV, DEKRA, etc.)
  • Review of the agenda of the auditor of the certification body and support of the certification audit
  • Preparation and monitoring of the regular surveillance audits of the certification body
  • Preparation and monitoring of the re-certification audit

IT security according to ISO 27001

The international standard ISO 27001 regulates information security in private, public and non-profit organizations. It describes the requirements for setting up, implementing, operating and optimizing a documented information security management system (ISMS). Like other current management standards, DIN ISO IEC 27001 is based on the High Level Structure (HLS), a common structure that is the same for all new management system standards (e.g. ISO 9001 or ISO 14001).

ISO/IEC 27001 is intended to be applicable to various areas, in particular for formulating requirements and objectives for information security. In addition to the management-system-oriented requirements section (chapters 4 to 10), Annex A of the standard contains a comprehensive list of 35 control objectives across 14 chapters, with 114 concrete controls (measures) for a wide variety of security aspects. Each topic (first level) is related to one or more objectives (second level); once these objectives are achieved, the topic is considered “fulfilled”. To achieve fulfillment, each objective is in turn described by a further number of controls (third level).

Another important point is the Statement of Applicability (SoA). The SoA is the essential link between the risk assessment and treatment and the information security measures of the company. The SoA specifies which of the 114 proposed controls from Annex A of ISO 27001 are to be applied and how the selected controls are implemented in the company. If the contents of the SoA are not adequately described, the commissioned certification body will not issue a certificate.

We can support you as part of the ISO 27001 certification with the following services:

  • Development of a software-supported information security management system (ISMS), e.g. using ISMS software such as verinice, fuentis, etc.
  • Breakdown of the organization of the company (e.g. through an organizational chart)
  • Definition of the scope of the ISMS
  • Preparation of the Statement of Applicability (SoA)
  • Environment analysis to classify the ISMS
  • Preparation of the requirements analysis for the various interest groups
  • Recording of the relevant legal, regulatory and contractual requirements that have an impact on the information security strategy and the ISMS
  • Definition of the business goals and requirements related to the information security policy in the company
  • Definition of the information security strategy
  • Determination of the responsible people in top management (regulation of responsibilities) who control the ISMS and decide on the company’s resources
  • Creation of the necessary information guidelines (Information Security Policy)
  • Introduction of a documented risk assessment process
  • Implementation of a documented risk assessment process
  • Implementation of a documented risk treatment process
  • Definition of security goals in the company
  • Creation of a communication plan in the company to support information security
  • Provision of the necessary people and infrastructure for the implementation and control of the ISMS (personnel and budget planning)
  • Overview of all relevant company resources
  • Strategy for handling documented information
  • Creation of role descriptions for the employees affected within the scope of the ISMS (ISB, CISO, DSB)
  • Implementation of regular training courses in relation to the ISMS and documented concept to increase awareness and convey the content
  • Documentation of training content and evidence of employee participation, compulsory training
  • Definition of a procedure for internal and external communication
  • Documentation for the correct execution of the ISMS processes, control of the ISMS and performance measurement via defined KPIs (Key Performance Indicators)
  • Creation of the necessary management reports for escalation
  • Implementation and documentation of regular audits (audit programs and audit results)
  • Establishment of an Incident Response Plan (IRP), including required up-to-date contact lists and escalation plans
  • Documentation of rules of conduct with regard to security-related irregularities, process descriptions and work instructions for preserving evidence
  • Creation of reports on security incidents, discussion with management and derivation of measures to close IT security gaps
  • Documentation on the nature of non-conformities (deviations) and on the actions taken in relation to corrective countermeasures and their results
  • Selection of the certifying body (TÜV, DEKRA, etc.)
  • Review of the agenda of the auditor of the certification body and support of the certification audit
  • Preparation and monitoring of the regular surveillance audits of the certification body
  • Preparation and monitoring of the re-certification audit

TISAX

TISAX® (Trusted Information Security Exchange – registered trademark of the ENX Association) is a standard developed by the automotive industry. It describes appropriate protective measures for information security, which are specified in the VDA Information Security Assessment (ISA) catalogue.

Many car manufacturers require their suppliers to set up and sustainably maintain an ISMS in accordance with VDA-ISA. The existing VDA-ISA catalogue was derived from the international standard ISO 27001. This standard and ISO 27017 for cloud security are therefore the basis for an information security management system (ISMS) in the automotive industry and for its suppliers.

The TISAX® certification takes place in three steps:

  • Registration (collecting information about the company to be certified and defining what is to be part of the examination)
  • Examination (undergoing the examinations by the TISAX® audit service provider)
  • Exchange (sharing the results with the partner)

The audit scope must be defined with the TISAX® audit service provider so that the scope of the information security audit is clear and can be prepared accordingly. The active participant in the certification process (the supplier) must select the test scope. Two options are available: the standard scope and the custom scope (an adapted scope). Within the custom scope, you can choose between a restricted scope and an extended scope. Almost all TISAX® participants choose the standard scope.

There are currently eight TISAX® assessment objectives. The TISAX® participant must select at least one assessment objective, but may also select several. The assessment objective forms the benchmark for the information security management system of the TISAX® participant and is a crucial input for the TISAX® process: all TISAX® audit service providers base their audit strategy primarily on the assessment objective.

We can support you as part of the TISAX® certification with the following services:

  • Support of the TISAX® participant in the three steps “registration, examination and exchange”
  • Definition and tailoring of the test scope (standard scope or custom scope)
  • Examination of the TISAX® conditions of participation
  • Support in defining the assessment objectives that the information security management system of the TISAX® participant must fulfil
  • Support for self-assessment based on the ISA document (assessment procedure)
  • Selection of the criteria catalogues, in particular support for information security content
  • Evaluation of the level of maturity for the information security management system (ISMS)
  • Assistance in analyzing and interpreting the self-assessment
  • Determination of whether the TISAX® participant is ready for the TISAX® assessment process or not (deviations between the target maturity level and the maturity level of the TISAX® participant)
  • Discussion of the maturity matrix of the TISAX® participant
  • Selection of the TISAX® audit service provider
  • Checking the offers of the TISAX® audit service providers
  • Support in ensuring that the information security management system (ISMS) conforms to the requirements of the standard
  • Assistance with the TISAX® assessment process (initial assessment, action plan assessment, follow-up assessment)
  • Analysis of the findings of the TISAX® audit service provider (observation, identified potential for improvement, minor deviation, major deviation)
  • Support in eliminating major and minor nonconformities
  • Creation of an action plan (corrective action plan)
  • Support in exchanging the assessment result of the TISAX® audit service provider via the ENX portal (sharing level)

If you have any questions on these topics, please do not hesitate to contact us using the contact details provided.