ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real

Compliance & Certification


It’s Time to Stop Pretending This Is Fine

If you’ve read Parts 1 and 2 by now, you’ve seen the pattern. The logos change, but the failure is always the same.

Policies without enforcement. Certificates without coverage. Budgets that favour image over impact.

And the industry? Still nodding along like this is just part of the game.

Enough.

We must stop pretending that ISO27001, SOC 2, and other governance frameworks are good enough in isolation. They’re not. Not now, not with ransomware gangs automating exploitation, not with state-backed actors hiding in plain sight, not with SMEs and schools being hit harder than ever before.

We don’t need more paperwork. We need a defensive foundation baked into the governance structure.

Governance Is Only Half the Story

Governance is essential; there’s no argument there. Without structure, oversight, or accountability, security falls apart. But governance isn’t security in itself; it’s the scaffolding. The real substance comes from what you bolt to it.

And right now, too many organisations are bolting on air.

SOC 2 attestation that doesn’t check your patching works? Useless. ISO27001 certification that ignores what’s running on the endpoints? Dangerous. Vendor assessments that ask for a PDF and not proof? Negligent.

We’ve collectively spent a decade or more building a house of cyber cards. Then we’re shocked when the wind blows it down.

Cyber Essentials Needs to Be Mandatory

Let’s be blunt: if your business is ISO27001 certified and you don’t pass Cyber Essentials Plus, you’ve failed. Maybe not in the eyes of your auditor, but in the eyes of your customers, users, insurers, and attackers.

Cyber Essentials Plus isn’t overkill. It’s not even adequate in all cases. But it is the minimum standard of technical control, and passing it proves you’re actually doing something beyond boardroom lip service.

It checks whether you patch, restrict admin access, run antivirus and firewalls, and harden your systems.

These aren’t luxuries. These are basics. If you can’t pass CE+, what are you even securing?

SOC 2 Needs a Backbone

SOC 2 has value if done right. But right now? It’s a flexible framework where you define controls and test promises.

Let’s be honest: we’ve let SOC 2 become reputation theatre.

A real SOC 2 Type II assessment should include:

  • a hard requirement for CE+ or equivalent technical controls
  • mandatory security tooling on all endpoints in scope
  • real-time validation of patching and malware coverage
  • supply chain cyber assurance thresholds

Not “we promise to care” statements. Not “management asserts” fluff.

Make it mean something. Or stop waving it around.

Procurement Teams Need to Wake Up

You know what’s worse than being breached? Being breached by a supplier you didn’t check.

Procurement must stop accepting ISO27001 certificates sent as PDFs and SOC 2 summaries as proof of security. Ask to see the CE+ certificate, ask when it was last tested, ask what controls were found lacking, and ask whether the company can prove it is compliant at any time outside the CE+ auditor’s own checks.

If they don’t have CE+? Either help them get it or walk away.

The entire UK public sector supply chain now lives under this shadow: education, healthcare, and local government. And if you’re still pretending that governance equals protection, you are complicit in that risk.

Insurance Should Incentivise CE+

Cyber insurance providers need to stop underwriting organisations that fail the basics. If you won’t mandate CE+, then charge a lot more.

Insurers should:

  • demand ongoing CE+ certification for renewal
  • require live evidence of endpoint compliance
  • refuse to pay out on breaches involving known, preventable vulnerabilities

Because let’s be honest: you wouldn’t insure a factory that refuses to install a fire alarm.

So why are we still insuring businesses that can’t show they’ve patched?

Make This the Year of Enforcement

Of course, the NCSC backs Cyber Essentials; it is their standard, their baby. The DfE is making it mandatory for Further Education institutions and schools, and the NHS is embedding it into service contracts. It’s time the rest of the UK’s organisations followed suit.

Whether you’re ISO27001 certified or planning your next SOC 2 audit, ask yourself this:

If we did a CE+ audit right now, would we pass?

If the answer is no, what is your security strategy based on?

Because governance without defence isn’t strategy. It’s exposure. It’s liability. It’s negligence.

And it’s going to get someone fired.

Closing Thought

This isn’t just about Cyber Essentials. It’s about accountability. It’s about finally admitting that a piece of paper doesn’t stop an attacker.

You want real security? Then prove it. In the test. In practice. In an audit.

Until then, save the certificate waving. The ransomware doesn’t care.

