ISO27001 vs Cyber Essentials (Part 3/3): What Needs to Change For Real
It’s Time to Stop Pretending This Is Fine
If you've read Parts 1 and 2 by now, you’ve seen the pattern. The logos change, but the failure is always the same.
Policies without enforcement. Certificates without coverage. Budgets that favour image over impact.
And the industry? Still nodding along like this is just part of the game.
Enough.
We must stop pretending that ISO27001, SOC 2, and other governance frameworks are good enough in isolation. They’re not. Not now, not with ransomware gangs automating exploitation, not with state-backed actors hiding in plain sight, not with SMEs and schools being hit harder than ever before.
We don’t need more paperwork. We need a defensive foundation baked into the governance structure.
Governance Is Only Half the Story
Governance is essential; there's no argument there. Without structure, oversight, or accountability, security falls apart. But governance isn’t security in itself; it's the scaffolding. The real substance comes from what you bolt to it.
And right now, too many organisations are bolting on air.
SOC 2 attestation that doesn’t check your patching works? Useless. ISO27001 certification that ignores what’s running on the endpoints? Dangerous. Vendor assessments that ask for a PDF and not proof? Negligent.
We’ve collectively spent a decade or more building a house of cyber cards. Then we’re shocked when the wind blows it down.
Cyber Essentials Needs to Be Mandatory
Let’s be blunt: if your business is ISO27001 certified and you don’t pass Cyber Essentials Plus, you’ve failed. Maybe not in the eyes of your auditor, but in the eyes of your customers, users, insurers, and attackers.
Cyber Essentials Plus isn’t overkill. It’s not even adequate in all cases. But it is the minimum standard of technical control, and passing it proves you’re actually doing something beyond boardroom lip service.
It checks whether you patch, restrict admin access, run antivirus and firewalls, and harden your systems.
These aren’t luxuries. These are basics. If you can’t pass CE+, what are you even securing?
SOC 2 Needs a Backbone
SOC 2 has value if done right. But right now? It’s a flexible framework where you define controls and test promises.
Let’s be honest: we’ve let SOC 2 become reputation theatre.
A real SOC 2 Type II assessment should include: a hard requirement for CE+ or equivalent technical controls; mandatory security tooling on all endpoints in scope; real-time validation of patching and malware coverage; and supply chain cyber assurance thresholds.
Not “we promise to care” statements. Not “management asserts” fluff.
Make it mean something. Or stop waving it around.
Procurement Teams Need to Wake Up
You know what’s worse than being breached? Being breached by a supplier you didn’t check.
Procurement must stop accepting ISO27001 certs via PDF and SOC 2 summaries as proof of security. Ask to see the CE+ certificate, ask when it was last tested, ask what controls were found lacking and ask if the company can prove it is compliant at any time outside the actual CE+ auditor’s checks.
If they don’t have CE+? Either help them get it or walk away.
The entire UK public sector supply chain now lives under this shadow: education, healthcare, and local government. And if you’re still pretending that governance equals protection, you are complicit in that risk.
Insurance Should Incentivise CE+
Cyber insurance providers need to stop underwriting organisations that fail the basics. If you won’t mandate CE+, then charge a lot more.
Insurers should: demand ongoing CE+ certification for renewal, require live evidence of endpoint compliance, and refuse to pay out on breaches involving known, preventable vulnerabilities.
Because let’s be honest: you wouldn’t insure a factory that refuses to install a fire alarm.
So why are we still insuring businesses that can’t show they've patched?
Make This the Year of Enforcement
Of course, the NCSC backs Cyber Essentials, as it is their standard, their baby. The DfE is making it mandatory for Further Education institutions and schools, and the NHS is embedding it into service contracts. It’s time the rest of the UK’s organisations followed suit.
Whether you’re ISO27001 certified or planning your next SOC 2 audit, ask yourself this:
If we did a CE+ audit right now, would we pass?
If the answer is no, what is your security strategy based on?
Because governance without defence isn’t strategy. It’s exposure. It’s liability. It’s negligence.
And it’s going to get someone fired.
Closing Thought
This isn’t just about Cyber Essentials. It’s about accountability. It’s about finally admitting that a piece of paper doesn’t stop an attacker.
You want real security? Then prove it. In the test. In practice. In an audit.
Until then, save the certificate waving. The ransomware doesn’t care.