Cybersecurity: ISO 27001 recognized as an essential standard

The latest ISO Survey has revealed a surge in certifications to ISO/IEC 27001, the voluntary standard focusing on information security management systems. The standard has carved a commanding position in the business landscape as the number of threats rises and stakeholders’ expectations grow.

Following our review of ISO 45001 on occupational health and safety, we have produced an article that provides another insight into the results of the 2021 edition of the ISO Survey. Coordinated by the International Organization for Standardization, the ISO Survey lists the number of organizations worldwide that have obtained certification to one or more management system standards. This review focuses on ISO 27001, the flagship standard that provides guidelines for rolling out a robust and effective information security management system. This standard should actually be called ISO/IEC 27001, since it was developed within the International Electrotechnical Commission (IEC).

With almost twice as many certified organizations within the space of two years (351 in 2019, 606 in 2021), all the evidence shows that ISO/IEC 27001 is gaining significant traction in France. This upward curve aligns with global trends, since the number of valid certificates worldwide jumped from 36,000 in 2019 to 58,000 in 2021. These certificates are now on display at close to 100,000 sites around the world, including nearly 1,600 in France. When it comes to countries, the top three are China, Japan and the United Kingdom, each of which has over 5,000 certificates. This tremendous growth can initially be explained by how data protection issues have clearly been propelled into the spotlight. “ISO 27001 addresses information systems security and concerns both digital and paper data,” explains Brice Gilbert, ISO 27001 Manager for AFNOR Certification. “A few years ago, 62% of the companies that engaged with the standard made their decision of their own accord. But faced with an increasingly stringent set of regulations, most organizations are now adopting the standard to demonstrate their compliance and continue bidding on invitations to tender.” Not surprisingly, the ISO Survey reveals that the sector covered by the largest number of ISO/IEC 27001 certificates is information technology.

Reassure customers and attract prospects

ISO/IEC 27001 is recognized as an essential standard for IT management and cybersecurity.

Software publisher Tehtris is one of the French companies to achieve certification. As an expert in such issues, the 260-employee company has developed a solution to automatically neutralize cyberattacks in real time without any human action required. “ISO 27001 was a no-brainer for us,” says Christine Samandel, Chief of Staff to the CEO/CTO at Tehtris. “It’s a powerful tool for driving development. ISO 27001 is the most well-known standard and it’s used around the world. Getting certified lets you step even further beyond the bounds of national or regional certification schemes.” To obtain certification back in September 2022 following the audit by AFNOR Certification, the teams at Tehtris undertook a major effort to document all the existing processes, which meant taking an in-depth look at its practices and ultimately gaining an overview of everything that has been put into action. “We knew that already, but not in such a formalized way. It’s important to reassure customers, attract prospects and build confidence among users,” says Christine Samandel. As part of a continual improvement strategy, the company has set up a number of indicators to ensure compliance and improve performance with each annual audit.

Although ISO/IEC 27001 is still voluntary, this standard is increasingly required for organizations to prove their alignment with the law. In Europe, the GDPR (General Data Protection Regulation) is not the only mandatory regulation in force. France’s HDS regulation requires all entities handling personal health data to obtain certification to a standard based on ISO 27001. Car manufacturers need to comply with UN Regulation No. 155. “Manufacturers, especially in the aviation industry, are well aware of the issues. A hack, data leak or ransomware attack could put the company’s survival on the line. AFNOR offers a multi-step strategy, starting with a free self-assessment to get the organization thinking about the process, whatever its sector of activity,” says Brice Gilbert. Five years after the first version was released in May 2017, the publication of the updated standard, which introduces a number of new aspects such as the cloud, represents the ideal opportunity to get started on the road to certification.