ISO, TISAX AND CO: WHY CERTIFICATIONS CAN BE HARMFUL TO IT SECURITY

03.12.2024

“We are certified and thought our IT was secure” is something we hear again and again in our day-to-day work when companies have fallen victim to a successful hacker attack. Systems encrypted by attackers despite TISAX, ISO 27001, NIS2 or other certificates: how is that possible? In this blog post, we report on our experiences in IT security emergency response and show when certificates can lead to a false sense of security. Standards such as ISO and TISAX are recognized guidelines designed to ensure data security and information integrity, which enables companies of all sizes to strengthen the trust of customers and partners. This supposed security comes at a price, because certificates are often expensive and require a great deal of effort. Nevertheless, they say little about a company's actual IT security, as our day-to-day experience shows. In some cases, it may even make more sense not to get certified (more on this later).

Benefits of certifications for a company's IT security

In the industry, certifications such as ISO or TISAX are considered a seal of quality that sets trustworthy standards for information security and data protection. One of the concrete advantages is that they provide companies with a clear framework within which they can establish and improve their IT security processes. This leads to increased trustworthiness with customers and business partners, who can be sure that their data is being handled in accordance with internationally recognized standards. In addition, these certifications provide a competitive advantage in the market by demonstrating that a company has seriously invested in the security of its information systems. In some industries, such as the automotive industry, access to the market is closely linked to certifications such as TISAX. Large companies and manufacturers often require their suppliers and partners to demonstrate these standards to ensure that sensitive information is protected along the entire supply chain. In addition, certificates provide a structured framework for verifiably integrating and implementing legal requirements, which minimizes the risk of legal consequences.

Possible disadvantages of certifications for companies

Implementing and certifying according to ISO 27001 or TISAX is resource-intensive and requires a considerable investment of time, human and financial resources. Especially for smaller companies, the extensive requirements and the necessary documentation can pose a significant challenge. The complexity of these standards does not always make it easy to implement and maintain the necessary processes, which requires additional effort. Even after the initial certification, the company must continuously invest time and resources, as these certifications must be regularly renewed and audited. There is a risk that companies will focus too much on meeting specific requirements instead of taking a holistic approach to IT security. This could lead to a false sense of security, with important aspects not covered by the certification being neglected. What many overlook: attackers are not interested in certificates. They only need one loophole to penetrate your IT system. ISO 27001 certification confirms that certain processes and controls are in place, but says nothing about their actual effectiveness. This can pose a challenge for third parties assessing a company from the outside: if, for example, a company assesses the resilience of its suppliers as part of a business continuity management (BCM) system, it could rely on ISO 27001 as a security indicator. In practice, however, even a certified company can be hit by a targeted hacker attack if it has only implemented the requirements superficially or to a limited extent. Certification alone is no guarantee of comprehensive IT security.

More attention to IT security: certified companies tend to be more secure

We often see a significant difference between certified and non-certified companies among our customers. Why is that? We observe a significantly more pronounced understanding of IT security in almost all ISO 27001-certified customers. This is reflected in better structured processes, clear security guidelines and a proactive approach to possible threats. In addition, we see that managing directors of certified companies have internalized the relevance of IT security for the company and their own personal liability. However, it should be noted that certified companies tend to be larger organizations with more capacity and resources to deal intensively with IT security issues. Larger companies not only have the means to meet the requirements of certification, but often benefit from the fact that they already have a certain IT infrastructure and basic security awareness.

Conclusion: When is certification worthwhile?

In principle, we do not necessarily recommend such certifications. Whether certification is worthwhile depends heavily on the individual company's goals and requirements. We regularly advise companies on this. Certification such as ISO 27001 or TISAX can definitely offer a competitive advantage, as it strengthens the trust of customers and partners and sends a positive signal in terms of IT security. This can be a decisive factor in gaining an edge over competitors and opening up new business opportunities. However, the necessary investments, both financial and in terms of time, should not be underestimated. In some cases, these resources could also be invested directly in meaningful measures that would provide tangible security benefits, such as technical measures, pentests and employee training. Ultimately, it's a matter of weighing up the options: if certification helps to increase market opportunities and generate more sales, it can be a worthwhile investment.

If certification is not a voluntary choice but a necessity in order to be accepted on the market at all, the question becomes moot. Nevertheless, we recommend that you additionally address the topic of IT security despite certification. A holistic approach, such as our IT long-term protection, is needed to prepare your company for hacker attacks in the long term and to react in a targeted manner in the event of a successful attack.
