Unyielding Vigilance: Cybersecurity Never Takes a Break

Mar 21, 2025 Audit

Cyber threats are reaching an increasingly critical level in digitally networked supply chains, and protection concepts that span the entire corporate context are becoming urgent. In practice, an Information Security Management System (ISMS) according to ISO/IEC 27001:2022 has proven effective. The transition period for the previous version ends on October 31, 2025: by that date, all existing ISO/IEC 27001:2013 certificates must have been transitioned to the current version of the standard.

Disruptions, espionage, and the loss of sensitive data due to cyberattacks were heavily debated risks at the 2025 World Economic Forum in Davos. Information systems in supply chains in particular have become even more vulnerable due to new geopolitical conflicts, trade wars, and hybrid threats. The Global Cybersecurity Outlook 2025, presented in Davos, also highlights the growing skills gap within companies. Organizations increasingly lack the expertise and personnel needed to implement appropriate security measures against rising digital complexity and the growing demands within the value chain.

Methods of Cybercriminals

The skills gap becomes more critical as standard applications for text, image, and data analysis increasingly ship with integrated AI. Attackers use the same kind of models to find and exploit vulnerabilities faster and more precisely, so that manipulations can spread before defenders are able to respond.
Supply chain attacks, for example, target the interfaces of IT service providers in order to push malware onto customer systems through maintenance or update channels. The summer of 2024 showed how quickly criminals exploit a disruption in exactly such a channel, even when the disruption itself is not an attack. On July 19, 2024, a faulty content update for the Falcon sensor of CrowdStrike, an international cybersecurity provider, crashed millions of Windows hosts and triggered what is widely regarded as the largest IT outage to date. Affected parties included airlines, airports, hospitals, major retail chains, and media outlets.
The security gaps and downtime caused by the faulty update immediately gave rise to new cyber threats. Within hours, criminals registered look-alike domains and circulated supposed recovery utilities and hotfixes for the update, delivering malware such as remote-access trojans to organizations that were trying to recover. The lesson for supply chains is that an update channel is trusted implicitly, so any tool claiming to "fix" it must be obtained only through the vendor's verified channels and checked against the vendor's published guidance before it is run. According to insurer Parametrix, the financial losses of affected Fortune 500 companies in the United States alone amounted to $5.4 billion.

Cyber Vulnerabilities Are Expanding

In its 2024 report on the state of IT security in Germany, the Federal Office for Information Security (BSI) counted around 80 new vulnerabilities in IT systems and software applications per day in the reporting period, with the trend continuing to rise. Perimeter systems such as firewalls, VPN gateways, and public cloud infrastructures present particularly large attack surfaces, according to the report. Small and medium-sized enterprises are increasingly the targets of mass extortion once ransomware has entered their IT systems through technical or organizational security gaps.
Source: BSI (Excerpt), The State of IT Security in Germany 2024

ISMS as a Holistic Protection Concept

It is not only sensitive production data or third parties' personal data that need protection. The ways in which data can be misused, for instance phishing that relies on forged sender addresses or contact details, are so varied that isolated measures can no longer guarantee lasting protection.
Instead, the entire organizational structure must be involved, covering all processes and responsibilities critical to the business model. A holistic protection concept is provided by an Information Security Management System (ISMS) based on the proven international standard ISO/IEC 27001:2022. By following the principle of continual improvement, companies can build long-term resilience against cyber threats.

Statement of Applicability

Organizations seeking ISMS certification receive a central management tool in the form of the Statement of Applicability (SoA). It lists the controls selected on the basis of the risk assessment and risk treatment and reconciles them against the reference controls in Annex A: for every Annex A control it records whether the control is included or excluded, the justification, and whether it has been implemented. The SoA is one of the first documents external auditors ask for in order to form an initial impression.
Another key part of the certification process is the inventory of all critical assets, covering the entire corporate context—production systems, facilities, business processes, and supply relationships. The term "asset" in an ISMS is much broader than its accounting meaning: it encompasses every component and facility that has value for the company's business model.
Neither the SoA nor the asset inventory should be maintained by just a few people within the organization. Focusing solely on hardware and software security systems is also insufficient. Instead, all primary and secondary assets must be considered and assigned to protection classes according to potential damage and likelihood of occurrence (risk matrix). Primary assets are the key information values themselves, such as specific know-how for creating products or services, business relationships, and customer data. Secondary assets (ISO/IEC 27005 calls them supporting assets) are the technical infrastructure on which the primary assets depend.

Internal Audits Are Essential

Identifying operational data risks, reviewing them regularly, and evaluating the adequacy and effectiveness of the implemented measures is a management task that must span the entire organization.
Continuously assessing hidden security risks within the supply chain (so-called silent cyber) and adapting the response to them is a collective responsibility across all company functions. This work truly begins with internal audits. During the initial certification, external auditors assess whether the measures and processes developed can withstand the requirements of a holistic ISMS.
The annual surveillance audits that follow initial certification often show that the management system has evolved. Nevertheless, re-certification after three years frequently reveals that protection goals and measures have not been sufficiently evaluated and adapted to current market and customer requirements. Re-certification audits can therefore become complex, especially if the key personnel involved in the original certification are no longer with the company.
It is essential that companies keep their ISMS up to date throughout the year, and this is achievable only through regular internal audits, not just during certification audits. When process landscapes change or new cyber threats emerge, the risk situation must be reassessed, and the rules must be adapted and communicated within the organization. The effectiveness of these adjustments is then verified in internal audits. This forward-looking security culture is the foundation of an ISMS.

Measures for Robust Cybersecurity

What additional security requirements does the revised ISO/IEC 27001:2022 highlight?
The focus is primarily on risk awareness and organizational processes. Annex A of the standard now contains 93 reference controls (previously 114), grouped into four themes: organizational, people, physical, and technological controls. The core protection goals remain the confidentiality, integrity, and availability of all information assets, covering data processing, business operations, knowledge management, and employee know-how, as well as securing physical and virtual locations and workplaces.
To respond to new digital developments such as the use of cloud services, the revised Annex A introduces eleven new controls: threat intelligence (5.7), information security for the use of cloud services (5.23), ICT readiness for business continuity (5.30), physical security monitoring (7.4), configuration management (8.9), information deletion (8.10), data masking (8.11), data leakage prevention (8.12), monitoring activities (8.16), web filtering (8.23), and secure coding (8.28). Each of them must be addressed in the SoA, either by implementing it or by justifying its exclusion.
Conclusion
With increasing digital networking and automation, the risks posed by manipulated or leaked data are growing rapidly. The integrated ISMS according to ISO/IEC 27001:2022 is particularly robust in disruptive times because it interlocks technical and organizational measures. Companies that systematically align their processes with cyber risks throughout their corporate and supply chain context, and continuously monitor them, will steadily build resilience. The certification process makes the internal efforts to handle cyber risks visible to the outside world.