ISO 27001 and external automation partners: What SMEs should focus on when selecting

ISO 27001 as a selection criterion for automation partners: What the certificate really proves and what SMEs should check instead.

Hand-drawn sketch: a hand holds a magnifying glass over a document with a round certification seal

Anyone who commissions an external partner to automate accounts receivable, CRM, or recruitment management inevitably gives them access to sensitive data: customer records, financial figures, sometimes also personnel files. The question "is the provider ISO 27001-certified" increasingly appears in tenders and initial talks. However, many SMEs don't know exactly what the certificate proves and what it doesn't cover. This article clarifies what actually matters when selecting an automation partner.

What ISO 27001 as a certificate actually says

ISO/IEC 27001:2022 specifies the requirements for an information security management system (ISMS) and is therefore not a seal for a single tool, but evidence of systematic, repeatedly verified processes throughout the enterprise. Annex A of the standard contains 93 controls in four categories: 37 organizational, 8 personnel-related, 14 physical, and 34 technological measures, as the expert analysis from secjur on the current version shows. The predecessor version from 2013 still had 114 controls, the reduction to 93 came with a clearer structure and eleven new measures, such as cloud security and activity monitoring.

There are two paths to certification: natively according to ISO/IEC 27001:2022 with free choice of method, or based on IT-Grundschutz according to the methodology of the Federal Office for Information Security (BSI, Standards 200-1 to 200-4). Both paths lead according to BSI to the internationally recognized ISO 27001 certificate, the IT-Grundschutz path is publicly documented in the BSI certificate schema and the issued certificates are viewable there. For the selection of a partner, this is relevant because both paths are considered equivalent, but are verifiable in different levels of detail.

Why your automation partner's security is directly your own risk

Total damage from data theft, espionage, and sabotage in the German economy was 289.2 billion euros in 2025, according to Bitkom-Studie Wirtschaftsschutz 2025 202.4 billion euros (70 percent) on cyberattacks. 34 percent of surveyed companies were affected by ransomware, almost three times as many as in 2022. An RPA bot, an n8n workflow, or a Copilot agent needs access credentials and API access to ERP, CRM, or DATEV to be able to automate at all. If the automation partner itself is compromised, that's a direct path into the customer's systems. The information security of the partner is therefore not a formal side matter, but a real extension of one's own attack surface.

What you should specifically check when a provider advertises ISO 27001

A displayed certificate alone says little without checking validity and scope. Four points are worth checking concretely:

  • Scope: Does the certificate actually cover the department or location that manages your automation project, or only a subsidiary?
  • Certification path: native or via BSI IT-Grundschutz, both valid, with the IT-Grundschutz path the certificate can be cross-checked in the public BSI certificate database.
  • Recertification cycle: A BSI IT-Grundschutz certification is valid for three years, with annual surveillance audits in between, so it's worth asking about the date of the last audit.
  • Issuing body: Was the certificate issued by an accredited, independent certification body, not by an internal review?

Important for expectations: At the end of 2022, only around 1,582 companies in Germany were certified to ISO 27001, according to figures from Statista show, out of around 3.1 million companies in total. A missing certificate is thus not an automatic exclusion criterion for a competent automation partner, but it shifts the burden of proof to other, equally verifiable evidence.

If the partner is not certified: What evidence counts instead

Without ISO 27001 certification, a proper data processing agreement (DPA) under Art. 28 GDPR and documented technical and organizational measures (TOMs) are the minimum that every reputable automation partner must be able to provide. The DPA is mandatory anyway once personal data is processed, regardless of any certification. Additionally, it's worth asking about server location (Germany or EU), access concepts for individual automations, and whether incidents in the past were documented and reported.

NordFlux also does not present itself to customers with its own ISO 27001 certificate, but with a DPA per customer, documented TOMs, and data storage in German and European data centers respectively. This transparency, not just a seal, is the standard we recommend to SMEs for selecting any automation partner. These questions therefore belong in every AI Consulting before the first project, because they ultimately concern exactly the Interface Integration through which sensitive data flows.

By Simon Glowik, published July 9, 2026.

Frequently Asked Questions

Is ISO 27001 legally required for an automation partner?

No, for most industries. Only in regulated sectors such as CRITIS operators or parts of the financial sector can certification practically be required. For SMEs, ISO 27001 today is more of an increasingly common customer requirement than a legal obligation.

What does "ISO 27001 based on IT-Grundschutz" mean?

This is the alternative certification path via BSI methodology instead of free choice of method. An auditor approved by BSI reviews reference documents and conducts an on-site review, and the BSI then decides on issuing the ISO 27001 certificate.

How long is an ISO 27001 certificate valid?

A certification based on IT-Grundschutz is valid for three years, after which recertification is required. Annual surveillance audits take place in between. So it's worth asking about the date of the last audit, not just about the certificate itself.

Is a self-declaration without a certificate sufficient as proof?

A mere self-declaration without substance is not sufficient. A sound data processing agreement under Art. 28 GDPR and documented technical and organizational measures are the minimum that every automation partner should be able to provide regardless of ISO certification.

How do I verify whether a presented ISO 27001 certificate is genuine?

For certificates based on IT-Grundschutz, the issuance can be looked up in the BSI's public certificate list. For native ISO 27001 certificates, checking the accreditation of the issuing certification body, such as the German Accreditation Body (DAkkS), or making a direct inquiry to the body helps.

About NordFlux

NordFlux UG (haftungsbeschränkt)

NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.

More about us
Free initial analysis

Concrete questions about automation or AI?

In a free initial analysis we discuss your case directly. No strings attached.