ISO basic certificate: Your roadmap to certification
Valid until 28 May 2026, 20:53

1. The company
Entering the basic company data on your certification platform is a key step on the way to ISO certification. This includes analysing the organisation's context (its internal and external issues). Previously, this was complex and meant weeks of work. That's a thing of the past: our AI assistant has already created the necessary basics for you.
| Item | Status |
|---|---|
| Description of the company, the market and the information security requirements | Documentation created |
| The scope of application of this management system | Documentation created |
| The quality promise of our company / organisation | Documentation created |
| Our information security policy | Documentation created |

Company / Interested parties
Analysing interested parties and their influence is one of the fundamental requirements of ISO management system standards (clause 4.2). We have compiled a list of the interested parties relevant to us.
| Item | Status |
|---|---|
| The interests of our existing customers in the area of quality and information security | Documentation created |
| The interests of our potential new customers in the area of quality and information security | Documentation created |
| The interests of the owners in the area of quality and information security | Documentation created |
| The interests of our employees in the area of quality and information security | Documentation created |
| The interests of our suppliers, service providers and partners in the area of quality and information security | Documentation created |
| The interests of authorities and public administration in the area of quality and information security | Documentation created |
| The interests of insurance companies in the area of quality and information security | Documentation created |

Company / Management
Our managers are committed to consistently implementing the principles of ISO 9001 (quality management) and ISO 27001 (information security management) in their daily work.
The management principles of our organisation include:
- Responsibility for quality: managers promote reliable and efficient processes to ensure high-quality results.
- Ensuring information security: Managers ensure the confidentiality, integrity and availability of information by adhering to proven security standards.
Our management principles are essential for our commitment to quality and information security. They form the basis for responsible and exemplary management behaviour in our organisation.
| Item | Status |
|---|---|
| Management's responsibility for quality and information security | Documentation created |
| Definition of objectives for quality and information security | Documentation created |
| Integration of quality and information security management into our business processes | Documentation created |
| Commitment to the continuous improvement of our services | Documentation created |
| Obligation to support employees | Documentation created |
| Responsibility for developing the skills of employees | Documentation created |
| We actively address the risks and opportunities of our business activities | Documentation created |
| We monitor the results of our business activities | Documentation created |
| We provide the necessary resources to fulfil our obligations | Documentation created |
| Creation and maintenance of guidelines | Documentation created |
| Managers undertake to comply with standards, regulations and laws | Documentation created |
| Managers create awareness among employees | Documentation created |

Company / Inventory
This inventory list provides a comprehensive overview of the tools, software applications and IT infrastructure used in the course of our work. It includes both locally installed and cloud-based tools and systems that are required to perform our professional tasks.
Wherever necessary and appropriate, this overview contains information on where detailed lists of devices and applications are stored, as well as information on who is responsible for managing passwords and access.
It is important to emphasise that security-critical passwords and access credentials are not included in this list. They are stored in dedicated, specially secured applications (a password manager or secrets store) so that the inventory itself never becomes a target.
| Item | Status |
|---|---|
| We use smartphones | Documentation created |
| We use laptops | Documentation created |
| Office software (e.g. Microsoft Office, Google Workspace) | Documentation created |
| Use of cloud-based industry-specific software | Documentation created |
| Business management software | Documentation created |
| We use our own servers in the data centre of a service provider | Documentation created |
| We use local networks (WLAN, LAN etc.) | Documentation created |

Handbook
This quality manual describes how we as a company implement the requirements of ISO 9001 in our organisation. It serves as a central basis for our quality management and supports us in systematically controlling and continuously improving our processes. The contents are based on the chapters of the standard and demonstrate our practical application in day-to-day operations. Our aim is to ensure the sustainable quality of our services and guarantee the long-term satisfaction of our customers.

Statement of Applicability
The Statement of Applicability (SoA) is one of the central documents of ISO/IEC 27001 (clause 6.1.3 d). It lists every control in Annex A of the standard and records, for each one, whether it is applicable, why it was included or excluded, and whether it has been implemented. It therefore forms the basis for planning, managing and reviewing information security controls, creates transparency for internal and external stakeholders, and serves as evidence of the effective implementation of the information security management system. It is a key management tool for protecting information in a systematic and traceable manner.
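An auditor will check the SoA for exactly the properties named above: every Annex A control is addressed, every inclusion or exclusion is justified, and every applicable control has an implementation status. The following script is an added example, not part of the original page or of the certification platform; it assumes the SoA is exported as a CSV with the columns `control, applicable, justification, status`, and the sample rows are constructed for the example. The control numbering (5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34, 93 controls in total) is Annex A of ISO/IEC 27001:2022.

```python
"""Completeness check for a Statement of Applicability (SoA) against
ISO/IEC 27001:2022 Annex A.

Added example: not the certification platform's own code. Assumes the SoA is
kept as a CSV with the columns control, applicable, justification, status.
"""
import csv
import io

# Annex A of ISO/IEC 27001:2022: four themes, 93 controls in total.
ANNEX_A_2022 = (
    [f"5.{i}" for i in range(1, 38)]    # organisational controls 5.1-5.37
    + [f"6.{i}" for i in range(1, 9)]   # people controls 6.1-6.8
    + [f"7.{i}" for i in range(1, 15)]  # physical controls 7.1-7.14
    + [f"8.{i}" for i in range(1, 35)]  # technological controls 8.1-8.34
)

# Constructed sample SoA, deliberately incomplete and partly wrong so that
# the check has something to report.
SAMPLE_SOA = """control,applicable,justification,status
5.1,yes,Policies required for all organisations,implemented
5.23,yes,We use SaaS for office and CRM,planned
6.7,yes,Remote working policy exists,
7.4,no,,not applicable
8.8,yes,,implemented
8.24,yes,TLS and disk encryption in use,implemented
9.1,yes,Clause number mistaken for an Annex A control,implemented
"""


def load_soa(text):
    """Parse SoA CSV text into {control id: row dict}."""
    return {row["control"].strip(): row
            for row in csv.DictReader(io.StringIO(text))}


def check_soa(rows, controls=ANNEX_A_2022):
    """Return findings an auditor would raise against the SoA:
    - missing: Annex A controls the SoA does not address at all
    - no_justification: rows without a reason for inclusion or exclusion
      (ISO 27001 clause 6.1.3 d requires one for both)
    - no_status: applicable controls with no implementation status
    - unknown: identifiers that are not Annex A controls
    """
    findings = {"missing": [], "no_justification": [],
                "no_status": [], "unknown": []}
    known = set(controls)
    for c in controls:
        if c not in rows:
            findings["missing"].append(c)
    for c, row in rows.items():
        if c not in known:
            findings["unknown"].append(c)
            continue
        if not (row.get("justification") or "").strip():
            findings["no_justification"].append(c)
        applicable = (row.get("applicable") or "").strip().lower() == "yes"
        status = (row.get("status") or "").strip().lower()
        if applicable and status in ("", "not applicable"):
            findings["no_status"].append(c)
    return findings


def soa_is_complete(findings):
    """True only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    f = check_soa(load_soa(SAMPLE_SOA))
    print(f"{len(f['missing'])} of {len(ANNEX_A_2022)} Annex A controls "
          "are not addressed")
    for key in ("no_justification", "no_status", "unknown"):
        print(f"{key}: {f[key]}")
    print("SoA complete:", soa_is_complete(f))
```

The check treats an exclusion without a justification as a finding, because "not applicable" on its own is the most common reason an SoA is rejected in a stage 1 audit.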

Company / Classification
In this list, we record all information that we process as part of our business activities. The classification is based on the following criteria:
- Legal requirements, documenting which legal requirements apply to the information in question;
- Value of the information, which assesses the significance of the information for business success;
- Importance, which describes how relevant the information is for ongoing business operations;
- Sensitivity, which records how much damage unauthorised disclosure or modification of the information would cause.
Systematic recording helps us to maintain an overview of the information used, adapt security measures and efficiently implement legal requirements.

2. Goals
Entering and editing your goals is an important step in setting your direction and documenting your progress. This is also very simple, as the goals you have given us in the questionnaire have already been created.
| Item | Status |
|---|---|
| Our quality objective: We want to increase the number of new customers | Documentation created |
| Our quality objective: We want to increase our efficiency in processes and procedures | Documentation created |
| Our quality objective: We want to achieve a high level of customer satisfaction | Documentation created |
| Our quality objective: We strive for a consistently low number of errors | Documentation created |
| Our information security objective: We want to ensure our customers' trust in our information security | Documentation created |
| Our information security objective: Raising the standard of information security in the company | Documentation created |
| Our information security objective: Managing information security risks professionally | Documentation created |
| Our information security objective: Raising awareness of information security | Documentation created |
| Our information security objective: Ensuring an immediate response in the event of incidents | Documentation created |
| Our information security objective: Ensuring compliance with legal requirements and conditions | Documentation created |
| Our information security objective: Avoiding security and data protection incidents | Documentation created |

3. Processes
While you were filling out the questionnaire, we already created your process landscape. The processes and procedures are assigned to the different areas of your company. Now it's just a matter of putting the finishing touches to them: Further elaborate your processes and customise them to suit your company.
| Item | Status |
|---|---|
| Our order acquisition process | Documentation created |
| Our after-sales process | Documentation created |
| Our purchasing and procurement process | Documentation created |
| Our development process to ensure quality and information security (Annex A, 8.28, 8.29, 8.30, 8.31) | Documentation created |
| Disciplinary process for information security breaches (Annex A, 6.4) | Documentation created |
| Our process for assessing information security risks | Documentation created |
| Our process for treating information security risks | Documentation created |
| Our process for registering new users and granting access (identity management) | Documentation created |
| Our process for de-registering (removing) users from our systems (identity management) | Documentation created |
| Management of secret authentication information / identity management / endpoint devices (Annex A, 5.17, 5.18, 8.1, 8.5) | Documentation created |
| Our process for labelling information (Annex A, 5.12) | Documentation created |
| Our process for handling assets (hardware, software) (Annex A, 5.10) | Documentation created |
| Our process for dealing with information security in the supply chain (Annex A, 5.21) | Documentation created |
| Our process for acquiring, using, managing and exiting cloud services (Annex A, 5.23) | Documentation created |
| Emergency plan for information security incidents, events and occurrences (Annex A, 5.25, 5.26, 5.27, 5.29) | Documentation created |
| Our process for handling data subject access requests under data protection law | Documentation created |
| Operating procedure: Change management, changes to IT systems (Annex A, 5.37, 8.32) | Documentation created |
| Operating procedure: Protection against malware (Annex A, 5.37, 8.7) | Documentation created |
| Operating procedure: Information security training (Annex A, 5.37, 6.3) | Documentation created |
| Operating procedure: Backup and recovery (Annex A, 5.37, 8.13) | Documentation created |
| Operating procedure: Patch and vulnerability management (Annex A, 5.37, 8.8) | Documentation created |
| Operating procedure: Configuration management (Annex A, 8.9) | Documentation created |
| Operating procedure: Controlling external/outsourced development (Annex A, 8.30) | Documentation created |
| Process description: Carrying out patrols | Documentation created |
| Monitoring of security systems such as burglar alarms and alarm systems | Documentation created |
| Introducing customers to our products and services | Documentation created |
| Procedure / Process: Recruitment of employees | Documentation created |
| Introduction of salaried and freelance employees to their tasks | Documentation created |
| Implementation of agreed measures for project / order realisation | Documentation created |
| Planning and implementation of training and education measures on behalf of customers | Documentation created |
| Process for content creation on behalf of customers | Documentation created |

4. Documents
Work instructions and guidelines are a central component of your management system. We have already created the most important documents for you based on your specifications. Now it's time to adapt them to your specific requirements with the help of our AI.
| Item | Status |
|---|---|
| Planning and organising regular customer meetings | Documentation created |
| Guideline for dealing with errors and deficiencies in our work | Documentation created |
| Guideline for continuous improvement | Documentation created |
| Guideline for changes to our management system | Documentation created |
| Principles of our resource planning / work preparation | Documentation created |
| Selection criteria for external service providers (quality, information security) | Documentation created |
| Procedure for the evaluation of external service providers | Documentation created |
| Guideline for the selection and monitoring of subcontractors (quality, information security) | Documentation created |
| Procedure for evaluating the subcontractors we commission | Documentation created |
| Checking incoming goods for quality and information security | Documentation created |
| Policy for registering new users in systems and assigning roles (identity management) | Documentation created |
| Policy on the use of mobile devices (smartphone, tablet) | Documentation created |
| Guideline on information security for remote working (mobile working / home office) (Annex A, 6.7) | Documentation created |
| Background checks (screening) of employees and partners (Annex A, 5.35, 6.1) | Documentation created |
| Awareness and expertise in the area of information security | Documentation created |
| Policy on the use of the Internet and of cloud services | Documentation created |
| Guideline on the handling of removable storage media | Documentation created |
| Guideline for the creation and use of secure passwords | Documentation created |
| Guideline: Web filtering and use of cryptographic measures (Annex A, 8.23, 8.24) | Documentation created |
| Performance appraisal and discussions with permanent and freelance employees working for us | Documentation created |
| Carrying out approvals | Documentation created |
| Guideline on the disposal of data carriers, equipment and storage media (Annex A, 7.10 and 7.14) | Documentation created |
| Guideline for handling information security in supplier contracts (Annex A, 5.20) | Documentation created |
| Assessment of information security at suppliers (Annex A, 5.19, 5.22) | Documentation created |
| Guideline on Business Continuity Management (BCM) (Annex A, 5.29, 5.30) | Documentation created |
| Guideline: Clear desk and screen locks (Annex A, 7.7) | Documentation created |
| Guideline: Documentation and logging of activities, exceptions, errors and events (Annex A, 8.15) | Documentation created |
| Guideline: Installation of software on operational systems (Annex A, 8.19) | Documentation created |
| Specification for the separation of development, test and production environments (Annex A, 8.31) | Documentation created |
| Guideline for ensuring compliance with legal, statutory, regulatory and contractual requirements (Annex A, 5.31) | Documentation created |

5. Risks and opportunities
We have already created a list of risks in your certification tool. These are based on the information you provided in the questionnaire and the information on your activities. You can now edit and customise these risks and opportunities.
| Item | Status |
|---|---|
| Risk: Customers do not trust us and our company | Documentation created |
| Risk: We gain more customers than we can handle | Documentation created |
| Risk: Employees gradually become more dissatisfied with their work | Documentation created |
| Risk: We do not notice that our customers are gradually becoming less satisfied | Documentation created |
| Risk: Unclear agreements / arrangements with customers | Documentation created |
| Risk: Lack of resources due to poor order planning and preparation | Documentation created |
| Risk: No or too slow response to security incidents | Documentation created |
| Risk: Decline in demand for our services | Documentation created |
| Risk: Dependence on a limited number of customers or sectors | Documentation created |
| Risk: Data loss and theft of our smartphones | Documentation created |
| Risk: Data loss and theft of laptops | Documentation created |
| Security risks when using desktops | Documentation created |
| Security risks when using software | Documentation created |
| Security risks when using cloud-based software (software as a service) | Documentation created |
| Security risks from using our own servers at a service provider | Documentation created |
| Security risks due to the use of a local network / WLAN | Documentation created |
| Security risks from peripheral devices, e.g. printers, scanners, multifunction devices | Documentation created |
| Security risk: Data leaks at external services expose employee information | Documentation created |

6. Evaluations
The ISO standards require an internal audit and a management review to be carried out as the basis for certification. We have already prepared both documents for you so that you are optimally prepared for certification.

Evaluations / Internal audit (ISO 9001)
As part of the establishment of our quality management system, we carried out a system audit to check conformity with the standard chapters of ISO 9001:2015. We went through the requirements of the standard step by step and compared them with the implementation in our company. The procedure is based on the methods listed here.
- Documentation checked: We checked whether the required documentation is complete.
- Comprehensive analysis: We initiated an extensive review of the documentation and implementation.
- Interviews conducted: We interviewed people affected by the relevant standard requirements.
- Performance review: We checked whether the measures taken were implemented successfully.
The result of this comprehensive review is recorded in this first audit report, which documents both the strengths and the potential for improvement of our quality management system.
| Item | Status |
|---|---|
| Chapter 4.1: Internal and external issues are determined and relevant | Documentation created |
| Chapter 4.2: Requirements and expectations of interested parties are defined | Documentation created |
| Chapter 4.3: Scope of application of quality management is defined | Documentation created |
| Chapter 4.4: Quality management and its processes are described | Documentation created |
| Chapter 5.1: Management principles support quality management | Documentation created |
| Chapter 5.2: The quality policy is established and relevant to our objectives | Documentation created |
| Chapter 5.3: Roles and authorisations are correctly defined | Documentation created |
| Chapter 6.1: Risks and opportunities as well as measures are determined | Documentation created |
| Chapter 6.2: Quality objectives are defined, measurable and relevant | Documentation created |
| Chapter 6.3: Changes are planned and implemented in a structured manner | Documentation created |
| Chapter 7.1: The requirements for resource planning are met | Documentation created |
| Chapter 7.2: The competence requirements are met | Documentation created |
| Chapter 7.3: Awareness of quality management is communicated | Documentation created |
| Chapter 7.4: Communication is planned and structured | Documentation created |
| Chapter 7.5: Requirements for the documented information are fulfilled | Documentation created |
| Chapter 8.1: Requirements for operational planning and control are met | Documentation created |
| Chapter 8.2: The requirements for products and services are met | Documentation created |
| Chapter 8.3: Development requirements are fulfilled | Documentation created |
| Chapter 8.4: Requirements for the management of external processes, products and services are fulfilled | Documentation created |
| Chapter 8.5: The requirements for production and service provision are met | Documentation created |
| Chapter 8.6: The requirements for the release of products and services are fulfilled | Documentation created |
| Chapter 8.7: The requirements for dealing with nonconforming outputs are met | Documentation created |
| Chapter 9.1: The requirements for performance measurement are met | Documentation created |
| Chapter 9.2: The requirements for internal audits are met | Documentation created |
| Chapter 9.3: The requirements for the management review are met | Documentation created |
| Chapter 10.1: The requirements for improvement are met | Documentation created |
| Chapter 10.2: The requirements for dealing with nonconformities and corrective actions are met | Documentation created |
| Chapter 10.3: The requirements for continual improvement are met | Documentation created |

6.1 Internal audit (ISO 27001)
As part of the establishment of our information security management system, we carried out a system audit to check conformity with the clauses of ISO/IEC 27001. We went through the requirements of the standard step by step and compared them with the implementation in our company.
This procedure enables us to determine the extent to which the specified requirements for information security are complied with and where adjustments may be necessary. The result of this comprehensive review is set out in this first audit report, which documents both the strengths and the potential for improvement of our information security management system.
| Item | Status |
|---|---|
| Chapter 4.1: Internal and external issues are determined and relevant | Documentation created |
| Chapter 4.2: Requirements and expectations of interested parties are defined | Documentation created |
| Chapter 4.3: Scope of the information security management system is defined | Documentation created |
| Chapter 4.4: The information security management system and its processes are described | Documentation created |
| Chapter 5.1: Management principles support information security management | Documentation created |
| Chapter 5.2: The information security policy is established and relevant to our objectives | Documentation created |
| Chapter 5.3: Roles and authorisations are correctly defined | Documentation created |
| Chapter 6.1: Information security risks and opportunities as well as risk treatment measures are determined | Documentation created |
| Chapter 6.2: Information security objectives are defined, measurable and relevant | Documentation created |
| Chapter 6.3: Changes are planned and implemented in a structured manner | Documentation created |
| Chapter 7.1: The requirements for resource planning are met | Documentation created |
| Chapter 7.2: The competence requirements are met | Documentation created |
| Chapter 7.3: Awareness of information security is communicated | Documentation created |
| Chapter 7.4: Communication is planned and structured | Documentation created |
| Chapter 7.5: Requirements for the documented information are fulfilled | Documentation created |
| Chapter 8.1: Requirements for operational planning and control are met | Documentation created |
| Chapter 8.2: Information security risk assessments are carried out as planned | Documentation created |
| Chapter 8.3: The information security risk treatment plan is implemented | Documentation created |
| Chapter 9.1: The requirements for monitoring, measurement, analysis and evaluation are met | Documentation created |
| Chapter 9.2: The requirements for internal audits are met | Documentation created |
| Chapter 9.3: The requirements for the management review are met | Documentation created |
| Chapter 10.1: The requirements for continual improvement are met | Documentation created |
| Chapter 10.2: The requirements for dealing with nonconformities and corrective actions are met | Documentation created |

Evaluations / Management review (ISO 9001)
This first management review shows how the quality management system is currently implemented from the point of view of the company management and what need for improvement has been recognised. We have gone through the requirements from chapter 9.3 of ISO 9001:2015 step by step and reviewed the points listed there.
The categorisation shows how the conclusions were drawn.
- Documentation checked: We ensured that all relevant documents were complete and up to date.
- Comprehensive analysis: We carried out a detailed assessment of the implementation of the requirements.
- Interviews conducted: We interviewed relevant people to gain insights into the practical application of the standard requirements.
- Performance review: We checked whether the measures introduced were implemented effectively and achieved the desired results.
The results of this management review document both the strengths and the identified potential for improvement of our quality management system and serve as a basis for future measures.
| Item | Status |
|---|---|
| 1. Status of measures from previous management reviews | Documentation created |
| 2. Changes in our business environment (internal and external issues) | Documentation created |
| 3. Customer satisfaction / feedback from interested parties | Documentation created |
| 4. Fulfilment of our quality objectives | Documentation created |
| 5. Performance of our processes / conformity of our offers | Documentation created |
| 6. Status of nonconformities and corrective measures | Documentation created |
| 7. Results of monitoring and measurements | Documentation created |
| 8. Results of internal audits | Documentation created |
| 9. Performance of external providers | Documentation created |
| 10. Adequacy of our material and human resources | Documentation created |
| 11. Measures for dealing with risks and opportunities | Documentation created |
| 12. Status of improvement measures | Documentation created |

Evaluations / Management review (ISO 27001)
We have carried out an initial management review. We went through the requirements of chapter 9.3 of ISO 27001 step by step and checked the points listed there. This initial management review shows how our information security management system is currently implemented and what need for improvement has been recognised. The categorisation provides information on how the conclusions were drawn.
- Comprehensive analysis: We carried out a detailed assessment of the implementation of the security requirements, in particular with regard to the identified information security risks and their management.
- Performance review: We checked whether the measures introduced to improve information security were implemented effectively and achieved the desired results.
The results of this management review document both the strengths and the identified potential for improvement of our information security management system and serve as a basis for future measures to continuously improve information security.
| Item | Status |
|---|---|
| 1. Status of measures from previous management reviews | Documentation created |
| 2. Changes to internal and external information security management issues | Documentation created |
| 3. Deviations, errors and defects (nonconformities) | Documentation created |
| 4. Results of our performance measurement | Documentation created |
| 5. Results of internal audits | Documentation created |
| 6. Fulfilment of our information security objectives | Documentation created |
| 7. Feedback from interested parties | Documentation created |
| 8. Changes in information security risks | Documentation created |
| 9. Opportunities for improvement | Documentation created |

Information Security
This document is our first structured assessment of the information security of our business activities. It covers organisational, personnel, technical and technological aspects of how we work. The aim of this analysis is to make existing risks transparent and to create a comprehensible basis for the targeted improvement of our information security.

7. Declaration of principles
The ISO standards require that you, as a self-employed person or as company management, commit to the principles of your management system. This also applies to your employees. If you wish, you can also invite network partners or freelancers to commit to the principles.