
ISO 27001, a partner to CIOs for twenty years
A benchmark tool for CIOs to organize themselves against cyber risk, the voluntary ISO 27001 standard is celebrating its twentieth anniversary. Regularly updated, it is positioned as a practical tool in a landscape made complex by regulation.
Regulating the cyber world is no easy task! And above all, it's not just a regulatory issue! Alongside the European NIS and NIS 2 directives (NIS stands for Network and Information Security), the DMA (Digital Markets Act) and the DSA (Digital Services Act), there are also voluntary standards. In French, the word "norme" is also used for laws, decrees, and other regulations, but the norms meant here are voluntary ones, created by market players. The most Anglophile among us will call them "standards."
When it comes to information security, ISO 27001 is the international standard that sets the tone. The "001" in the title means that the standard addresses the subject as a management system: for information systems departments (ISDs) and, more broadly, for the teams involved in this issue throughout the company (quality managers, for example), it describes how to organize effectively to prevent cyberattacks and how to respond when they occur. It therefore includes a substantial section on risk identification and analysis. All of this is done in a spirit of continuous improvement: each failure provides feedback that allows the organization to be better prepared next time. Compared with its big sisters ISO 9001 and ISO 14001, the distinctive feature of ISO 27001 is that it also provides technical recommendations.

The fact that ISO 27001 is a management standard makes it a certifiable standard: as with ISO 9001 for quality management or ISO 14001 for environmental policy, organizations can request an audit to demonstrate that they are applying it correctly, thereby signaling their commitment to good practice. This certification is highly regarded in calls for tenders, to the point where it sometimes becomes a prerequisite! On this point, the evidence is clear: the number of certified organizations, both public and private, is steadily increasing worldwide. Although we are still a long way from the figures for quality or environmental management, at the end of 2023 France had just over a thousand ISO 27001-certified organizations, three times more than in 2019, according to the ISO Survey. It should be noted that a certificate very often covers several sites, on average two to three.
In October 2025, ISO 27001 will celebrate its twentieth anniversary! In the video above, listen to three key figures recount its history: Emmanuel Garnier, president of Club 27001 and CIO of Orano, Marie-Christine Moretti, auditor and trainer, and Matthieu Grall, information security consultant. For twenty years, ISO 27001 has gone by a name that is actually a shortened form: as it was developed jointly with the International Electrotechnical Commission (IEC), its real name is ISO/IEC 27001. It is even NF EN ISO/IEC 27001, available in the AFNOR collection, if we want to reflect the fact that the international standard has been adopted as a European and French standard. You may argue that cyber risk has evolved enormously in twenty years: new threats, new actors, and new tools have emerged. You would be right: 2005 is prehistory in terms of information security! Not to mention that, like all voluntary standards, the text has been regularly updated. A 2013 version and then a 2022 version have been released, ensuring that the recommendations remain relevant. In 2024, an amendment concerning climate change was even incorporated.
List of standards concerned
ISO/IEC 27001:2005
- The first published version established the requirements for an ISMS and introduced the concept of risk management.
- It is based on British work on the BS 7799 standard.
ISO/IEC 27001:2013
A major revision, this version made significant changes, including:
- the integration of the High Level Structure (HLS) to facilitate integration with other management system standards,
- an update of the security measures,
- greater consideration of the context and of stakeholders.
ISO/IEC 27001:2022
A major revision, this version made significant changes, including:
- updating the security measures to reflect new threats and technologies,
- clarification of the requirements relating to risk management and to performance evaluation of the ISMS.
ISO/IEC 27001:2024/Amd 1
- Added requirements for organizations to consider the impacts of climate change on their ISMS.
The best proof that ISO 27001 is perfectly in tune with the times is the fact that it has been included in the debates on the transposition of the European NIS 2 Directive in the French Parliament in the second half of 2025. During its examination in the Senate, in particular, the Resilience bill makes it a benchmark, positioning the standard as a first level of requirement to enable the actors concerned to comply with regulatory provisions.
In October 2025, an AFNOR – Club 27001 study compiling more than 600 certification audit reports, available for free download, indicates that more and more sectors are adopting the ISO 27001 standard. It is no longer limited to companies in the information systems and cybersecurity sectors: the banking and insurance sector accounts for 6.6% of organizations certified to the 2022 version by AFNOR Certification, and manufacturing accounts for 4.7%. Below are the top three topics that generated the most non-conformities (NC) and sensitive points (SP), excluding Annex A, as well as the top three topics that generated the most strengths (PF).