Cyber security must not pause for a second
Cyber threats are becoming increasingly critical in digitally networked supply chains. Protection concepts that cover the entire corporate context are becoming urgent. In practice, the information security management system (ISMS) in accordance with ISO/IEC 27001:2022 has proven its worth. From October 31, 2025, all existing certificates must be converted to the current version of the standard.
Business interruptions, espionage and the loss of sensitive data through cyber attacks were much-discussed risks at the Davos World Economic Forum 2025. Information systems in supply chains in particular are even more vulnerable due to new geopolitical conflicts, trade wars and hybrid threats. The Global Cybersecurity Report 2025 presented in Davos also draws attention to the growing skills gaps in companies. Organizations are increasingly lacking the expertise and personnel needed to take suitable security measures to counter digital complexity and the increasing demands in the value chain.
Methods used by cyber criminals
Capability gaps in organizations become more critical as standard applications for text, image and data analysis with integrated artificial intelligence spread. Cyber criminals can use AI models to detect vulnerabilities in an even more targeted and automated manner, which also allows manipulations to propagate more quickly.
Supply chain attacks, for example, target the interfaces of IT service providers in order to infect customer computers along the supply chain with malware via their maintenance or update services. Attacks of this kind also occurred in the summer of 2024, exploiting the serious consequences of a software glitch. Initially, a faulty update from CrowdStrike, an international cyber security service provider, triggered the largest global IT outage to date. Airlines, airports, hospitals, large retail chains and media companies were affected.
The security vulnerabilities and downtime associated with the glitch immediately gave rise to new cyber threats. As a direct response, criminals circulated purported utilities that would automatically repair the faulty update and then used a supply chain attack to inject Trojans into the systems. According to the insurer Parametrix, the financial losses of the affected companies in the USA alone amounted to 5.4 billion dollars.
Cyber vulnerabilities are on the rise
According to the German Federal Office for Information Security (BSI), around 80 new vulnerabilities in IT systems or software applications in circulation worldwide were identified every day in 2023 - and the trend is rising. According to the BSI's 2024 status report on IT security in Germany, perimeter systems such as firewalls, VPNs and public cloud infrastructures are particularly susceptible to attack. At the same time, mass extortion attempts have been directed against small and medium-sized companies after ransomware was able to enter IT systems through security gaps in technology or organization.
Source: BSI (excerpt), The state of IT security in Germany in 2024
The ISMS as a holistic protection concept
It is not just sensitive production data or personal data of third parties that needs to be protected. The extent of potential data misuse, such as phishing attacks via falsified communication data, is so diverse that individual measures can no longer provide a lasting level of protection.
Instead, the entire organizational structure must be included, with all processes and responsibilities that are critical to the business model. The information security management system (ISMS) based on the tried-and-tested international standard ISO/IEC 27001:2022 offers such a holistic protection concept. With the principle of continuous improvement, companies can build up improved resistance to cyber threats in the long term.
The statement of applicability
Companies embarking on the path to certification of their ISMS receive a central management tool in the form of the Statement of Applicability (SoA). This lists the measures (controls) taken on the basis of the risk analysis and compares them with the measures from Annex A as a best practice approach. The SoA is one of the documents that an external auditor wants to see in order to gain an initial impression.
Another core component of certification is the inventory of all critical assets. This inventory covers the entire company context - production systems, operating sites, business processes and supply relationships. The term “asset” has a much broader meaning here than in accounting: the ISMS refers to all components and facilities that are of value to the company's business model.
It is clear that neither the SoA nor the inventory can be in the hands of just a few people in the company. Similarly, focusing narrowly on the hardware and software of the security systems would fall short. Instead, all primary and secondary assets should be taken into account; they are divided into protection classes depending on the potential damage and the probability of occurrence (risk matrix). Primary assets include the most important information assets, such as the specific know-how for creating services or products, business relationships and customer data. The secondary assets are derived from the technical infrastructure.
Internal audits are the measure of all things
Identifying operational data risks, regularly reviewing them and evaluating the appropriateness and effectiveness of the measures taken is a management task that must extend across the entire organization.
Continuously assessing and adapting to the hidden security risks (silent cyber) of an organization in the supply chain is a joint task across all corporate functions. This is why the real work starts with internal audits. During the initial certification, the external auditors assess whether the measures and processes developed actually meet the requirements of a holistic information security management system.
In later surveillance audits, following the initial certification, it is often found that the management system has been further developed. However, after three years, recertification often reveals that the protection objectives and measures have no longer been adequately evaluated or adapted to current market and customer requirements. Re-certification audits can therefore be time-consuming, especially if the key personnel previously involved in certification are no longer with the company.
It is crucial that companies keep their ISMS up to date throughout the year. Ultimately, this can only be achieved through regular internal audits - and not just through a certification audit. In the event of changes to the process landscape or new cyber threats, the risk situation must be reassessed and the rules adapted and communicated within the organization if necessary. The effectiveness is then checked again in the internal audits. This forward-looking security culture is the foundation of an ISMS.
Measures for robust cyber security
Which additional security requirements does the revised ISO 27001:2022 bring into focus? They are aimed primarily at risk awareness and organizational processes. Annex A of the standard contains 93 reference controls (previously 114 controls) in the organizational, people, physical and technological categories. At its core, the aim is the confidentiality, integrity and availability of all information assets. These include data-processing procedures, business workflows, knowledge management and the know-how of employees, through to securing physical and virtual sites and workplaces.
To respond to new digital developments such as the use of cloud services, the following controls were also added in the revision of the standard:
- Information on the threat landscape (threat intelligence)
- Information security for the use of cloud services
- ICT readiness for business continuity, recovery measures
- Physical security monitoring, intrusion alarms
- Anonymization and pseudonymization of data
- Prevention of data leaks
- Proactive monitoring of anomalous activities
- Web filtering, removal of dangerous websites that distribute malware
- Secure coding, elimination of vulnerabilities that enable attacks
- Configuration management with correct settings of the security controls
- Deletion of information in accordance with the DSGVO and GDPR
Conclusion
With advancing digital networking and automation, the dangers posed by manipulated or leaked data are increasing rapidly. The integrated information security management system in accordance with ISO/IEC 27001:2022 is a robust concept in disruptive times above all because technical and organizational measures interlock. Companies that use an ISMS to systematically align their processes with the cyber risks across the entire corporate and supply chain context, and review them continuously, build up lasting resilience. The certification process then makes the internal efforts regarding internal processes for dealing with cyber threats visible to the outside world.