ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real

It’s Time to Stop Pretending This Is Fine

If you've read Parts 1 and 2 by now, you’ve seen the pattern. The logos change, but the failure is always the same.

Policies without enforcement. Certificates without coverage. Budgets that favour image over impact.

And the industry? Still nodding along like this is just part of the game.

Enough.

We must stop pretending that ISO27001, SOC 2, and other governance frameworks are good enough in isolation. They’re not. Not now, not with ransomware gangs automating exploitation, not with state-backed actors hiding in plain sight, not with SMEs and schools being hit harder than ever before.

We don’t need more paperwork. We need a defensive foundation baked into the governance structure.

Governance Is Only Half the Story

Governance is essential; there's no argument there. Without structure, oversight, or accountability, security falls apart. But governance isn’t security in itself; it's the scaffolding. The real substance comes from what you bolt to it.

And right now, too many organisations are bolting on air.

SOC 2 attestation that doesn’t check your patching works? Useless. ISO27001 certification that ignores what’s running on the endpoints? Dangerous. Vendor assessments that ask for a PDF and not proof? Negligent.

We’ve collectively spent a decade or more building a house of cyber cards. Then we’re shocked when the wind blows it down.

Cyber Essentials Needs to Be Mandatory

Let’s be blunt: if your business is ISO27001 certified and you don’t pass Cyber Essentials Plus, you’ve failed. Maybe not in the eyes of your auditor, but in the eyes of your customers, users, insurers, and attackers.

Cyber Essentials Plus isn’t overkill. It isn’t even adequate in all cases. But as a minimum standard of technical control, it proves you’re actually doing something beyond boardroom lip service.

It checks whether you patch, restrict admin access, run antivirus and firewalls, and harden your systems.

These aren’t luxuries. These are basics. If you can’t pass CE+, what are you even securing?

SOC 2 Needs a Backbone

SOC 2 has value if done right. But right now? It’s a flexible framework where you define controls and test promises.

Let’s be honest: we’ve let SOC 2 become reputation theatre.

A real SOC 2 Type II assessment should include a hard requirement for CE+ or equivalent technical controls, mandatory security tooling on all endpoints in scope, real-time validation of patching and malware coverage, and supply chain cyber assurance thresholds.

Not “we promise to care” statements. Not “management asserts” fluff.

Make it mean something. Or stop waving it around.

Procurement Teams Need to Wake Up

You know what’s worse than being breached? Being breached by a supplier you didn’t check.

Procurement must stop accepting ISO27001 certificates sent as PDFs and SOC 2 summaries as proof of security. Ask to see the CE+ certificate, ask when it was last tested, ask which controls were found lacking, and ask whether the company can prove it is compliant at any time, not just during the CE+ auditor’s checks.

If they don’t have CE+? Either help them get it or walk away.

The entire UK public sector supply chain now lives under this shadow: education, healthcare, and local government. And if you’re still pretending that governance equals protection, you are complicit in that risk.

Insurance Should Incentivise CE+

Cyber insurance providers need to stop underwriting organisations that fail the basics. If you won’t mandate CE+, then charge a lot more.

Insurers should:
- demand ongoing CE+ certification for renewal
- require live evidence of endpoint compliance
- refuse to pay out on breaches involving known, preventable vulnerabilities

Because let’s be honest: you wouldn’t insure a factory that refuses to install a fire alarm.

So why are we still insuring businesses that can’t show they've patched?

Make This the Year of Enforcement

Of course, the NCSC backs Cyber Essentials: it is their standard, their baby. The DfE is making it mandatory for Further Education institutions and schools, and the NHS is embedding it into service contracts. It’s time the rest of the UK’s organisations followed suit.

Whether you’re ISO27001 certified or planning your next SOC 2 audit, ask yourself this:

If we did a CE+ audit right now, would we pass?

If the answer is no, what is your security strategy based on?

Because governance without defence isn’t strategy. It’s exposure. It’s liability. It’s negligence.

And it’s going to get someone fired.

Closing Thought

This isn’t just about Cyber Essentials. It’s about accountability. It’s about finally admitting that a piece of paper doesn’t stop an attacker.

You want real security? Then prove it. In the test. In practice. In an audit.

Until then, save the certificate waving. The ransomware doesn’t care.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com