Recently, we reached an important milestone: we became ISO 27001 certified.
To be completely honest, we did not start this process from scratch. Information security had already been an important topic for us for quite some time. Over the years, we had established many processes, policies, and ways of working that were already aligned with ISO 27001 principles. Due to the expectations of our customers and the nature of our business, structured processes, risk awareness, and clear responsibilities were not new concepts to us.
That definitely worked in our favor.
Still, it would be wrong to say that the certification process was “just a formality.”
Because it wasn’t.
The certification process opened our eyes in several areas. Not because we were poorly prepared – quite the opposite. But in any growing company, there are things that work well in day-to-day business without always being as clearly documented or transparent as you initially assume.
There is a difference between “this is how we have always done it” and “this is documented, traceable, and audit-ready.”
That was probably one of the biggest lessons for us.
The process encouraged us to take a closer look at ourselves. Who owns which responsibility? Are processes documented clearly enough? Are risks assessed consistently? How do we ensure that standards are not only known but actually lived in everyday work?
The honest answer is: we were already in a good position – but not yet as structured in every area as we thought we were.
One factor that made a real difference was the support from our Spanish parent company. Their experience with information security and certifications was incredibly valuable throughout the journey. Whenever we faced questions about requirements or wondered, “Is this really sufficient?”, we could rely on experienced colleagues who had already been through similar processes. We are genuinely grateful for that support.
At the same time, none of this would have been possible without the commitment of our team in Germany. An ISO 27001 certification cannot be achieved by a small project group quietly working in the background. Information security affects the entire organization. Processes had to be reviewed, working methods challenged, and in some cases adjusted. The fact that this worked so well was largely thanks to colleagues across the business who pragmatically embraced the process alongside their daily responsibilities.
And perhaps this is the most important takeaway from the past months: certification is not the finish line.
Yes, we now have the certificate, and we are proud of that achievement. But in many ways, this is only the beginning. Information security is not a one-time project that eventually gets completed. Requirements evolve, risks change, and organizations continue to grow.
That is why we do not see ISO 27001 as a box to tick, but rather as a commitment to continuous improvement.
And we are not stopping here. Later this year, we will begin our TISAX assessment (the automotive industry's information security assessment, which builds on ISO 27001-style controls), another important step in strengthening our information security and meeting the expectations of customers in highly regulated and security-sensitive industries.
Looking further ahead, we will also begin our ISO 9001 certification journey at the beginning of next year. While ISO 27001 focuses on information security, ISO 9001 will help us further strengthen and formalize our quality management processes. For us, both go hand in hand: secure processes and high-quality delivery are closely connected.
If there is one thing we learned from this journey, it is this: being well prepared helps, staying open to learning is even more important.
Author: Christian Wagner (cwagner@knowmadmood.de)
ASERVO Software GmbH
Copyright © 2023. ASERVO SOFTWARE GMBH