Are ISO 27001 and a CISO Required by Law?
The short answer is: German law does not generally require companies to hold ISO/IEC 27001 certification or to maintain a position called “CISO”. That does not make information security optional.
Legislation may require appropriate security measures, effective risk management, monitoring, documentation and clear management accountability. Contracts may make compliance with a standard binding. Regulated sectors face additional requirements. The key question is therefore not simply whether the words “ISO 27001” or “CISO” appear in a statute. It is what security and organisational outcomes an organisation is required to deliver—and how it demonstrates that those arrangements work.
Standards are voluntary as a rule
DIN states the legal starting point clearly: “The application of DIN standards is voluntary as a rule. Standards become binding only when they form part of contracts or when the legislator makes compliance mandatory.”[1] (author’s translation) ISO similarly explains that its standards are voluntary and that ISO neither regulates nor legislates; governments may, however, adopt standards into legislation or refer to them.[2]
A standard can therefore acquire legal significance in several ways:
- Statutory reference: Legislation or subordinate regulation identifies a standard, or parts of it, as authoritative.
- Contractual incorporation: Customers and suppliers agree to comply with a standard, maintain certification or meet a defined security level.
- Giving substance to open-ended duties: Standards can provide a professional benchmark when courts, authorities, insurers or auditors assess whether an organisation acted appropriately and with due care.
- Market and supply-chain requirements: Tenders or customer requirements may make ISO 27001 a practical condition of market access even where certification is not required by law.
DIN expressly notes that standards may assist decision-making in liability proceedings even if neither mandated by law nor incorporated into a contract.[3] This does not mean that every deviation is automatically unlawful. Where a standard is used as an appropriate professional benchmark, documenting equivalent alternative measures and the resulting level of protection is prudent from an assurance and risk-management perspective. This does not create a general statutory duty to justify every departure from ISO/IEC 27001.
What ISO/IEC 27001 does—and what it does not do
ISO/IEC 27001:2022 sets out requirements for an information security management system (ISMS).[4] It helps organisations bring risks, responsibilities, controls, monitoring and improvement into a coherent and auditable management process. Certification can build confidence and provide a structured body of evidence.
It is neither a generally applicable law nor universal proof of compliance. In its guidance on NIS2 and the recast German Act on the Federal Office for Information Security (BSI Act; BSIG) applicable since 2025, the Federal Office for Information Security (BSI) states:
“Certification to ISO/IEC 27001 is not a prerequisite for meeting the requirements of the BSIG.”[5] (author’s translation)
The BSI does not prescribe a particular standard. Nor does holding a certificate automatically mean that every BSIG requirement has been met.[5] The relevant scope, the applicable statutory duties and the actual effectiveness of the measures still need to be assessed.
The BSIG requires outcomes, not necessarily a certificate
Section 30(1) BSIG requires particularly important and important entities to implement appropriate, proportionate and effective technical and organisational measures. Those measures must prevent disruptions and limit the impact of security incidents.[6]
Section 30(2) BSIG combines two requirements:
“Measures under subsection (1) are to comply with the state of the art, take account of the relevant European and international standards, and must be based on an all-hazards approach.”[6] (author’s translation)
The Act distinguishes between complying with the state of the art and taking relevant standards into account. Among other matters, it requires risk analysis, security policies, incident management, business continuity, supply-chain security, secure development and maintenance, effectiveness assessments, access security and training.[6]
ISO 27001 can provide a robust framework for meeting these requirements. The Act nevertheless leaves room for other suitable approaches. An organisation operating without an ISO 27001-based system must still be able to demonstrate that the statutory measures have been implemented comprehensively, effectively and in proportion to risk.
Management remains accountable
NIS2 assigns an active role to management bodies. Under Article 20(1), they must approve cybersecurity risk-management measures, oversee their implementation and may be held liable for infringements.[7]
Germany’s implementation is explicit in section 38 BSIG: management bodies of particularly important and important entities must implement the measures required by section 30 and oversee their implementation. This does not mean that each member of the management body must personally perform the technical measures; the management body must ensure proper implementation and oversee it. Liability for culpable breaches is governed by the applicable company law. Management bodies must also undergo regular training.[8]
A CISO function can provide expert support to management, make risks transparent and steer implementation. It does not assume management’s overall statutory accountability.
Does the law require a CISO?
For the private sector generally, the principal rules do not require an individual with the title “Chief Information Security Officer”. They require functions and outcomes:
- an appropriate security organisation,
- risk identification and treatment,
- clear responsibilities,
- implementation and oversight,
- documentation and an ability to provide evidence,
- regular effectiveness assessments.
Section 91(2) of the German Stock Corporation Act (AktG) likewise does not prescribe a particular role model. The management board must, however, put suitable measures—and in particular a monitoring system—in place so that developments threatening the company’s continued existence are identified at an early stage. For listed companies, section 91(3) AktG additionally requires an appropriate and effective internal control and risk management system.[9] Section 93 AktG sets out the duty of care of a diligent and conscientious member of the management board.[10]
Managing directors of German limited liability companies are subject to the duty of care in section 43 of the Limited Liability Companies Act (GmbHG).[11] Again, neither “ISO 27001” nor “CISO” appears there. Depending on the company’s size, business model and risk exposure, section 43 GmbHG may require management to provide appropriate organisation and oversight of material cyber risks. It does not generally prescribe a system identical to section 91(3) AktG or a particular CISO structure.
Special legislation does impose an express duty to appoint an officer in certain areas. Section 45 BSIG requires the management of each federal administrative body to appoint an information security officer and designate at least one person authorised to act as deputy.[12] Other specialist sectors must be assessed under their applicable statutes, regulations, security catalogues, licensing conditions and supervisory requirements; these may require particular security functions, responsibilities or points of contact without using the title “CISO”.
The GDPR does not prescribe an organisation chart either
Article 32 GDPR requires controllers and processors to ensure a level of security appropriate to the risk. They must take account of the state of the art, implementation costs, the nature and scope of processing, and the likelihood and severity of the risks.[13]
The Article refers, among other things, to encryption, resilience, restoration capability and regular effectiveness testing. It requires neither ISO 27001 certification nor a CISO. Certifications may contribute to the evidence, but do not replace an assessment of the measures actually in place.[13]
When a dedicated CISO function becomes organisationally necessary
The absence of a generally mandated title does not mean that any role model will suffice. A dedicated internal or external CISO function becomes particularly compelling where:
- the business model depends heavily on digital services and confidential information,
- the entity falls within NIS2, critical-infrastructure, financial-sector or comparable regulation,
- several locations, legal entities or service providers need to be governed,
- security risks regularly require management-level decisions,
- customers demand robust evidence or certification,
- audits, incidents or transformation programmes need to be coordinated,
- operational IT and independent risk assessment should be properly separated.
A title alone solves none of these issues. What matters is the mandate, resources, access to management, defined decision paths and demonstrable effectiveness.
Conclusion
Neither ISO 27001 nor a CISO is a general statutory requirement. In many circumstances, however, the law does make appropriate information security, risk management, oversight and management accountability mandatory. Standards can structure these open-ended requirements, become binding through contract and make compliance easier to demonstrate.
The sound management question is therefore not: “Does the law mention ISO 27001?” It is: Can we demonstrate that our security organisation actually meets our risks, legal obligations and contractual commitments?
Professional scope: This article addresses information security and governance considerations. Whether a legal or contractual obligation exists in a particular case depends on the applicable legal framework, the organisation and its contracts.
Sources
[1] DIN Deutsches Institut für Normung e. V. Standards and the law. n.d. https://www.din.de/en/about-standards/standards-and-the-law (accessed 11 July 2026).
[2] International Organization for Standardization. ISO – Media kit. n.d. https://www.iso.org/media-kit.html (accessed 11 July 2026).
[3] DIN Deutsches Institut für Normung e. V. Rechtsverbindlichkeit durch Normen [Legal effect of standards]. n.d. https://www.din.de/de/ueber-normen-und-standards/normen-und-recht/rechtsverbindlichkeit-durch-normen (accessed 11 July 2026).
[4] ISO. ISO/IEC 27001:2022 – Information security management systems. 3rd ed., October 2022; Amendment 1:2024. https://www.iso.org/standard/27001 (accessed 11 July 2026).
[5] German Federal Office for Information Security (BSI). ISO/IEC 27001 im Kontext NIS-2/BSIG [ISO/IEC 27001 in the context of NIS2 and the BSIG]. As at 2 June 2026. https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/NIS-2-Infopakete/NIS-2-ISO27001/NIS-2-ISO-27001.html (accessed 11 July 2026).
[6] Federal Republic of Germany. Act on the Federal Office for Information Security (BSI Act; BSIG), section 30, version applicable on 11 July 2026. https://www.gesetze-im-internet.de/bsig_2025/__30.html.
[7] European Parliament and Council. Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, OJ L 333, 27 December 2022, Articles 20–21. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555.
[8] Federal Republic of Germany. BSIG, section 38. https://www.gesetze-im-internet.de/bsig_2025/__38.html.
[9] Federal Republic of Germany. Stock Corporation Act (AktG), section 91. https://www.gesetze-im-internet.de/aktg/__91.html.
[10] Federal Republic of Germany. Stock Corporation Act (AktG), section 93(1). https://www.gesetze-im-internet.de/aktg/__93.html.
[11] Federal Republic of Germany. Limited Liability Companies Act (GmbHG), section 43. https://www.gesetze-im-internet.de/gmbhg/__43.html.
[12] Federal Republic of Germany. BSIG, section 45. https://www.gesetze-im-internet.de/bsig_2025/__45.html.
[13] European Parliament and Council. Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation), OJ L 119, 4 May 2016, Article 32. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.