
Why ISO 27001 certification will become mandatory

I'd like to share with you my analysis of a topic that is the subject of much debate. For several years now, I've been explaining that ISO 27001 certification is about to become mandatory, a point often misunderstood by companies and cybersecurity players alike.

There's no denying the growing interest in ISO 27001 certification. However, interest does not necessarily mean obligation. So why talk about obligation?

It's essential to understand that this obligation does not affect all economic players in the same way. I'd like to reassure my butcher and my baker: they can carry on with their business without worrying, because this doesn't affect them (at least, not directly).


Who is affected by the ISO 27001 certification obligation?

The ISO 27001 certification requirement will initially focus on small and medium-sized businesses operating in a B-to-B environment, whose activity involves the management of information or services. This represents a large part of the economy, although it excludes the primary sector. Industry, particularly with the spread of automation, will be a notable area of interest. What's more, in a number of sectors, this certification has already become a regulatory requirement, which we will examine in detail.

The difference between regulatory and market obligations

However, it is crucial to distinguish between a regulatory obligation, imposed by laws or regulations, and a market obligation, which derives from the expectations and requirements of business partners or customers. Thus, even if certification is not legally required, it may be made mandatory by market dynamics and the need for companies to remain competitive.

In this article, I offer you an in-depth analysis of this trend. Of course, you don't have to agree with my conclusions; it's precisely the diversity of opinions that enriches this debate on a subject that is both complex and constantly evolving.

SaaS solutions and ISO 27001 requirements

In today's digital landscape, it's essential to understand that SaaS (Software as a Service) solutions are no longer just another option: they're becoming the unavoidable norm for businesses. Whether for human resources management, accounting, marketing or any other aspect of a company's business, SaaS solutions are becoming the backbone of today's IT systems.

As this transformation becomes more widespread, the issue of ISO 27001 certification becomes even more crucial.


ISO 27001: a must for SaaS solutions

Today, offering a high-performance, innovative SaaS solution is no longer enough to ensure long-term growth and prosperity. Without ISO 27001 certification, a company risks not only compromising its credibility, but also closing the door on growth opportunities in promising markets.

Indeed, ISO 27001 is no longer simply a competitive advantage. It has become a must for any SaaS company wishing to assert a serious and sustainable development strategy.

As we're currently seeing on the market, it's impossible to market an uncertified SaaS solution.


Towards a general obligation for PaaS and IaaS services

This phenomenon, far from abating, is set to strengthen considerably over the next ten years. ISO 27001 certification will gradually become an essential requirement, not only for SaaS providers, but also for PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) providers. In other words, all solutions accessible via the Internet, whether online platforms, infrastructures or software services, will be subject to this growing requirement for compliance with security standards.

In conclusion, it's reasonable to expect ISO 27001 certification to become an unavoidable requirement for the entire online digital sector, particularly for companies with solid ambitions. This is not just a projection. It's a reality that's already happening, and one that will become increasingly important as dependency on online solutions grows. Compliance with this standard will become an essential guarantee of confidence, and an indispensable prerequisite. It will enable companies to remain competitive in a market that is increasingly demanding in terms of information security.

ISO 27001 certification: an obligation in certain sectors

Although ISO 27001 certification is becoming a market standard for many companies, it is already a regulatory requirement in several strategic sectors. These sectors, often linked to sensitive data or critical infrastructures, impose this certification as a prerequisite for operating in full compliance.

The healthcare sector and the HDS obligation

One of the most convincing examples is the healthcare sector. Here, ISO 27001 certification is directly integrated into HDS (Health Data Hosting) certification. This certification is mandatory for all companies managing healthcare data. These may be mutualized hospital services, laboratories or suppliers of digital solutions in the medical or healthcare field.

ISO 27001 is essential to guarantee the security and confidentiality of personal healthcare data. This data is particularly sensitive, and is subject to strict regulations.

Electronic invoicing and the PDP program

Another sector where ISO 27001 certification has become mandatory is e-billing. With the introduction of the PDP (Platform for Partner Dematerialization) program, companies providing e-billing services must comply with stringent security requirements, including ISO 27001 certification. This standard guarantees that billing data, which is often sensitive and confidential, is protected against security risks such as data leakage or cyber-attacks.


ISO 27001: certification already a must in certain critical sectors

These examples illustrate that ISO 27001 is not just a certification increasingly demanded by the market, but is already a regulatory requirement in certain critical sectors. Because of the nature of the data they handle and the importance of the services they offer, these sectors cannot afford any weaknesses in information security. ISO 27001 certification not only demonstrates compliance with legal and regulatory requirements, but also optimum data protection and methodical risk management.

In conclusion, although the ISO 27001 certification requirement is only now becoming widespread in the market, some sectors, such as healthcare and e-billing, are already subject to it as a regulatory requirement. This trend could well spread to other sectors as regulators become more aware of the crucial importance of information security.

Emblematic cases indirectly linked to ISO 27001

Although ISO 27001 certification is not always explicitly mentioned in regulatory texts, in reality it permeates many business sectors, whether through regulations or market trends.

This standard has become a reference, directly or indirectly, for guaranteeing information security in increasingly digital and connected environments. Here are a few concrete examples illustrating just how present ISO 27001 is, sometimes under other names, but with similar requirements.


The automotive sector and the TISAX label

Take the automotive sector, which requires suppliers and partners to comply with the TISAX (Trusted Information Security Assessment Exchange) standard. Although TISAX is not strictly equivalent to ISO 27001, it is strongly inspired by it, and uses it as the basis for assessing information security within automotive companies. This shows that, even under a different name, the spirit and requirements of ISO 27001 are present and influence practices in this sector.


The sensitive data sector and SecNumCloud certification

In France, the sensitive data sector is governed by the SecNumCloud standard, a mandatory certification for cloud service providers managing sensitive data for public administrations and strategic enterprises. This standard is largely based on Annex A of ISO 27001, which means that the requirements of ISO 27001 are indirectly imposed on any company wishing to obtain SecNumCloud certification.


ISO 27001: a requirement for major industrial groups

In addition, several major industrial groups, such as Orange, Renault and EDF, require ISO 27001 certification from their partners and subcontractors. This requirement demonstrates the confidence that these major players place in this standard to ensure a high level of information security throughout their value chain. It also illustrates the impact of ISO 27001 beyond regulatory requirements, by establishing itself as a de facto market standard.


Indirect adoption of ISO 27001 in regulations

It is interesting to note that governments and legislators, for a variety of reasons - not least the desire to retain control over specific requirements and not delegate entirely to an international standard - are reluctant to refer directly to ISO 27001 in legislation. However, the standard is still the backbone of many regulatory initiatives, providing a framework for information security requirements. Recent regulations, such as DORA (Digital Operational Resilience Act) or NIS 2 (Network and Information Security Directive), although they do not explicitly refer to ISO 27001, come very close to it, especially in terms of organizational and risk management requirements.

In conclusion, whether through industry standards such as TISAX, national standards such as SecNumCloud, or requirements imposed by major groups, ISO 27001 is omnipresent. Even when legislators don't cite it directly, its principles and requirements are behind numerous initiatives and regulations. So it's becoming clear that ISO 27001 plays a central role, directly or indirectly, in securing information systems across a wide range of sectors.


Conclusion

ISO 27001 is becoming increasingly popular with companies seeking to comply with growing information security requirements. Beyond mere compliance, this certification represents a genuine competitive advantage. ISO 27001 enables companies to strengthen the confidence of their partners and customers, while differentiating themselves in an increasingly demanding market.

As an internationally recognized standard, ISO 27001 is now used by many organizations as a first level of assurance in security and risk management. That's why I'm convinced that this certification will become a must-have for small and medium-sized businesses, driven not only by the market, but also by pressure from regulators. Indeed, whether through explicit regulatory requirements or market-imposed standards, ISO 27001 certification is on the way to becoming widespread, making it a must-have for any serious company operating in the digital world.


To find out more, download the ISO 27001 guide for managers.
