Cybersecurity: ISO 27001, a standard that has become essential

Following our coverage of ISO 45001 on occupational health and safety, here is a second look at the 2021 results of the ISO Survey, the study coordinated by the International Organization for Standardization (ISO) that counts the organizations worldwide holding one or more management system certifications. This time the focus is on ISO 27001, the flagship standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Strictly speaking, the standard should be referred to as ISO/IEC 27001, since it is developed jointly by ISO and the International Electrotechnical Commission (IEC).

With nearly twice as many certified organizations in two years (351 in 2019, 606 in 2021), the growing popularity of ISO/IEC 27001 in France is evident. The trend matches the global picture: the number of certificates worldwide jumped from 36,000 to 58,000 between 2019 and 2021, and those certificates now cover nearly 100,000 sites worldwide, including nearly 1,600 in France. By country, the top three are China, Japan and the United Kingdom, each with over 5,000 certificates. This growth is driven above all by the central importance of data protection. "ISO 27001 addresses information security and applies to both digital and paper-based data," notes Brice Gilbert, ISO 27001 Manager at AFNOR Certification. A few years ago, 62% of companies adopting the standard did so voluntarily; with the tightening of regulatory requirements, most now commit to it in order to remain eligible to bid on contracts. Unsurprisingly, according to the ISO Survey, the sector that makes the most use of ISO/IEC 27001 certification is information technology. Whether you operate in that sector or another, you can enlist one of our cybersecurity standards experts to help you set up your management system.

Reassure customers, attract prospects

Christine Samandel represents Tehtris, an ISO 27001-certified company (photo: DR).
Christine Samandel, Chief of Staff to the Executive Leadership Team at Tehtris

Among the French companies that have achieved certification is the software publisher Tehtris. A cybersecurity specialist with 260 employees, the company has developed a solution that automatically neutralizes cyberattacks in real time, without human intervention. "ISO 27001 seemed like a natural choice for us," summarizes Christine Samandel, chief of staff to Tehtris's executives. "It's a powerful tool for driving growth: ISO 27001 is the best-known standard and is used worldwide. Obtaining certification allows organizations to go beyond national or regional certifications." To secure certification in September 2022, following the AFNOR Certification audit, the Tehtris teams undertook a major effort to document all existing processes. This allowed them to scrutinize their practices and ultimately gain a comprehensive overview of everything currently in place. "We already knew this, but not in such a formalized way. It's important for reassuring customers, attracting prospects and building trust with users," says Christine Samandel. As part of its commitment to continual improvement, the company has established numerous metrics to check compliance and drive progress, year after year.


While ISO/IEC 27001 remains a voluntary standard, it is increasingly required to demonstrate compliance with the law. In Europe, the GDPR (General Data Protection Regulation) is not the only mandatory regulation in force: in France, the HDS (health data hosting) decree requires providers that host personal health data to be certified against a framework based on ISO 27001. Automakers, for their part, must comply with UN Regulation No. 155 on cyber security management systems. Manufacturers, particularly in the aerospace industry, are well aware of the stakes: a cyberattack, a data breach or a ransom demand, and the very survival of the company is in question. "AFNOR offers a multi-step approach, starting with a free self-assessment to kickstart the process, whatever the industry," says Brice Gilbert. Five years after the previous version, published in May 2017, the release of an updated version of the standard, featuring new elements such as cloud computing, is the perfect opportunity to get started.

In addition to the standard itself, AFNOR Certification makes things easier for you with a free download of the transition guide "ISO/IEC 27001: Key Points of the 2022 Version".

What's new with ISO/IEC 27005

ISO/IEC 27005 gets a makeover with a new version released in 2022, which will soon be published in the NF series. This companion standard to ISO/IEC 27001, whose previous edition dated from November 2018, is designed to help organizations carry out information security risk management activities, with particular emphasis on assessing and treating those risks. "This much more comprehensive version includes numerous technical fixes and formalizes the French reference method, EBIOS Risk Manager, as a standard. The approach is designed to help organizations better identify and understand the digital risks that directly affect them," notes Frédéric Solbès, standardization project manager at AFNOR.
