ISMS & ISO 27001

The art of combining compliance & security with business value

How business leaders can stay on top of cyber risks by implementing an Information Security Management System.

Being on top of cyber challenges is instrumental for business leaders and managers to thrive in this era of interconnectivity, technological dependency, and increasingly advanced threats. Effectively managing these challenges is complex and can only be done with a structured approach, which includes all levels of an organisation, usually referred to as a management system.

Management systems exist for a wide variety of topics, and are usually documented in international standards or frameworks. ISO/IEC 27001 is the internationally recognised standard for information security management. It specifies requirements for establishing, maintaining and improving an Information Security Management System (ISMS).

Implementing an ISMS will bring you advantages such as:

  • Manage risk: Ensure a proper understanding of risks by top management, giving them the information they need to get involved and make informed decisions, leading to a reduction in risks.
  • Support the business: Being on top of security and privacy risks enables you to focus on the business, sparking the confidence to move full speed ahead.
  • Operationalise and demonstrate compliance: Demonstrate ongoing compliance with security and privacy laws, regulations or frameworks like the NIS directive, TISAX, GDPR and other international data privacy legislation.

Deloitte has a multidisciplinary team that has experience in designing, implementing, running, continuously improving, and auditing management systems. We are by your side in every stage of your journey, just as we are and have been with multiple other organisations.

Our proven experience brings you:

  • A tailored approach: The context of the organisation determines the approach that is right for you. Together we determine what makes sense for your organisations and what does not.
  • A pragmatic approach: Although there is a certain formalism in management systems, we ensure that what we co-create is pragmatic and brings value.
  • A compliant approach: Regardless of whether you want to pursue certification in the short term or not, our modular approach ensures that each building block is aligned with ISO standards, so that whenever you decide to go for certification, you can face the auditors with confidence.

When properly executed, a management system will be the catalyst for transformation. Let us be the partner to launch you on this exciting journey. Reach out today and we can get in touch to further explain our approach and demonstrate our expertise.

The main building blocks of our approach

The first step in managing cyber is understanding the scope of what you want to protect and why. Here we capture your cyber objectives in business language. Or put differently: we capture what you absolutely want to avoid from happening.

The scope and objectives are the direct input for defining relevant cyber risk scenarios. Leveraging a proven risk management methodology (which can be further adapted to your needs) we facilitate assessing the risk level of these tailored risk scenarios. We help you to define pragmatic measures to reduce your cyber risks to an acceptable level.

Policies are complementary to risk management. While risk management focuses on specific risk scenarios and specific risk mitigating measures, policies capture industry best practices that are tailored to your ambition level.

The value of creating such a baseline is in the discussion with different stakeholders and agreeing on that ambition level. The policies are a reflection of that agreement, and serve as reference going forward. 

To really embed Cyber into the organisation, it is also important to give insights to the different levels (executive, managerial, technical) of the organisation in the form of KPI’s and metrics – and if needed formal management reporting.

Before going for ISO/IEC 27001 certification, you will need an internal audit on the effectiveness of the ISMS and the relevant controls. The internal audit team needs to be skilled in ISO/IEC 27001 and needs to be independent from the implementation team. We can support your audit department with an experienced and independent internal audit team.

When we are by your side to implement an ISMS, you determine how formal you want to approach the different steps. We make sure that what you implement is in line with ISO/IEC 27001. Always keeping overhead to a minimum and focusing on maximum value.

If you decide to go for ISO/IEC 27001 certification, we can support you on all different aspects of the ISMS – from the initial gap assessment to pragmatic implementation (with minimal overhead and maximum value) to advisory support during the official certification audit.

ISO/IEC 27001 is the internationally recognised standard for information security management. It specifies requirements for establishing, maintaining and improving an Information Security Management System (ISMS). It also contains reference control objectives and guidance for the implementation of information security controls customised to the needs of the organisation.


If you are a manufacturer, service provider or supplier to the German automotive industry, you are or will likely will be asked to comply with the security label TISAX.

We can support you on all different aspects of obtaining the TISAX label – from the initial gap assessment to pragmatic implementation (with minimal overhead and maximum value) to advisory support during the TISAX audit.

TISAX, a security label created by the German automotive industry, requires manufacturers, service providers and suppliers to protect their own critical information as well as the critical information of their business partners. A sophisticated catalogue of information security and privacy requirements based on the ISO/IEC 27001 standard lies at the heart of the TISAX model.

NIS Directive

If you are an operator of essential services (OES), you are required to demonstrate compliance with the NIS Directive (Network and Information Security directive) and related Belgian NIS law. Next to incident reporting requirements,  a structured approach (typically in the form of an ISMS) is needed for the essential services which are provided.

The NIS Directive requires the “establishing a framework for the security of network and information systems of general interest for public security”.

Article 22(1) of the law explicitly states that, until proven otherwise, the OES the requirements of the information security management standard ISO/IEC 27001 shall be considered as complying with the security requirements embedded in Article 20 if its compliance is supported by a certification issued by an accredited certification body.

Key contact

Wim Hermans

Wim Hermans


Wim is a Partner in Deloitte Belgium’s Cyber Risk Services practice, with over 20 years of experience in the domain of information security. Wim focuses on the Governance, Risk and Compliance aspects ... More