07.10.2025 / Blog post

Why certifications such as ISO 27001 and ISO 9001 are essential for businesses, and how we implement the associated requirements

ISO certifications such as ISO 27001 and ISO 9001 are now key indicators that a company meets the highest standards in the areas of information security and quality management.

These internationally recognized certifications confirm that a company has systematically established processes to ensure data protection, quality, and product safety.

In our new blog post, we present the requirements of ISO 27001 and ISO 9001 in practice. We provide insight into the implementation of these standards in day-to-day operations and show how a responsible service provider can meet the relevant criteria.

ISO 27001 in the Development Process – Security from the Start

Information security is not a one-time task, but an integral and indispensable part of our development process. As part of our ISO 27001 implementation, we have therefore integrated a risk assessment based on the OWASP Top 10[1] directly into our workflow.

  • In our planning process, we identify and document security risks even before development begins.
  • As soon as risks are identified, we assess their criticality using the Common Vulnerability Scoring System (CVSS). This internationally recognized standard allows us to prioritize security risks objectively and transparently. This ensures that particularly critical vulnerabilities are addressed quickly—before they can impact our systems and, consequently, our customers.
  • Through automated penetration tests, our software is scanned daily for potential security gaps and vulnerabilities.
  • Third-party software we use also undergoes a daily, automated security check provided and verified by public authorities.

In this way, we maintain a software development process that prioritizes security awareness on a daily basis and is continuously expanded and put into practice.

ISO 9001 in the Development Process: Quality Through Clear Definitions and Processes

Implementing ISO 9001 in software development means not only adhering to quality standards, but also integrating them consistently and as seamlessly as possible into daily work processes. A key tool in this process is the Definition of Done (DoD), which ensures that tasks are not considered complete until all relevant quality guidelines have been met.

In the development process, tasks are not simply declared “done.” Instead, the Definition of Done specifies which steps are absolutely necessary to ensure quality. These include, among others:

  • Code review: Every change to the software is thoroughly reviewed and approved by several software developers before the next steps are initiated.
  • Issue review: In a second review cycle, we verify that the functionality, documentation, automated tests, and test descriptions have been implemented in the best possible way for further development. Only then is the work handed over to the testing department for functional quality assurance.
  • Documentation of risk management measures: Identified qualitative risks and how they are managed are described in a proactive and transparent manner and, where necessary, are subject to separate reviews.
  • Implementation guidelines: Relevant information and procedures for implementing specific requirements are documented in detail to ensure traceability and knowledge transfer.

These requirements are not merely theoretical guidelines; they are enforced and documented using our Jira software. This provides transparent evidence that processes are being followed.

Structured Approach to Bugs

In addition to the Definition of Done, there is a clearly defined process for handling bugs in the software. This includes:

  • Analysis and assessment of the bug
  • Decision on (partial) software lockdowns, if necessary
  • Transparent communication to customers regarding impacts and measures

This structured approach ensures that not only are bugs fixed, but transparency, trust, and reliability toward customers are also maintained.

Conclusion

ISO 9001 (Quality Management) and ISO 27001 (Information Security Management) together provide a foundation for robust, resilient supply chains. While ISO 9001 standardizes processes and institutionalizes knowledge within the organization, ISO 27001 ensures that information and data remain protected throughout the supply chain. The result is greater transparency, trust, and quality—not only internally but also in collaboration with customers, partners, and suppliers.

For more information about our certifications, please visit our website.

[1] The OWASP Top 10 is a list of the ten most critical security risks for web applications, compiled by the Open Web Application Security Project (OWASP). It serves as a guide for developers, security experts, and organizations to identify and address the most common and dangerous vulnerabilities in web applications.
