ISO27001 vs Cyber Essentials (Part 2/3): Big Names, Big Certs, Big Breaches: The Truth Behind the Logos
Let’s Talk About Trust and How It’s Been Misplaced
Following on from Part 1 of this series, we live in a world where trust is sold by the badge. ISO27001 certified? It must be secure. SOC 2 attested? It must be locked down. The logo goes on the website, the PDF gets attached to proposals, and everyone breathes easier.
Until, of course, the breach hits. The ransomware note lands. The regulator comes knocking. And suddenly, the shiny certificate means nothing at all.
Here’s the uncomfortable truth: You can have all the certifications on the planet and still be dangerously exposed.
And lately, we’ve seen exactly that.
Exhibit A: Capita
Capita is a household name in outsourcing and IT services. With contracts across local government, healthcare, pensions, and defence, you'd expect a fortress of security protocols.
Instead, we got a masterclass in what happens when you mistake paperwork for protection.
In 2023, Capita suffered not one but two major breaches. First, Black Basta ransomware tore through internal systems, exfiltrating sensitive data. Then, just weeks later, public AWS S3 buckets were discovered to be leaking sensitive documents that had been left exposed for years.
ISO27001? Check. SOC 2 style controls? Probably. Basic asset management and access control? Nope.
Cyber Essentials would have enforced firewalling, secure configuration, endpoint monitoring. That’s the difference. ISO told them what to care about. CE would have made them do something about it.
M&S: An Iconic Brand with No Plan
In early 2025, a whistleblower painted a chaotic picture of Marks & Spencer’s cyber incident response. Staff were locked out of systems. Senior executives were sleeping in offices, confused, paranoid, and silent.
This is a retail giant. They process payments, hold personal data, and operate digital supply chains.
They almost certainly have ISO27001. They probably have SOC 2 for some of their digital platforms. But when it came time to act, to detect, contain, and recover, they couldn’t.
Why? They treated governance as a checkbox exercise and never enforced basic CE-grade protections across the supply chain.
When their supplier was hit, they didn’t have segmentation, lockdown capabilities, or clear incident response playbooks.
Cyber Essentials wouldn’t have saved them from disruption. But it would have minimised the blast radius and the attack surface, and when combined with ISO27001 and SOC 2, it would have helped prevent the internal chaos that now defines their legacy.
Harrods: Luxury Retail, Digital Exposure
April 2025: Harrods suffers a suspected cyberattack. The public-facing website goes dark, and checkout and CRM systems stall. The statement issued is a brief acknowledgement of a containment operation.
Let’s be clear. There’s nothing to contain if nothing has been breached.
Given its brand, prestige, and customer data obligations, Harrods must be ISO27001 certified. PCI-DSS is a given. SOC 2 is likely in play via cloud services.
But documentation doesn’t harden an exposed API, stop misconfigured WAF rules, or block malware from spreading internally.
Cyber Essentials would have flagged insecure perimeter services, forced revalidation of patching processes, and prevented domain-wide admin credentials from being misused.
Instead, the store that sells £70,000 handbags got digitally mugged.
Co-op: Loyalty Can’t Protect the Login Page
May 2025. Co-op Group, a pillar of the British high street, reports issues with its membership platform. Thousands of users are locked out, and there is speculation of unauthorised access. No confirmation, just disruption.
ISO27001? Likely. SOC 2? Almost guaranteed for digital customer platforms. Cyber Essentials? Perhaps in spirit. Certainly not in practice.
If they’d adhered to Cyber Essentials level scrutiny, insecure endpoints would have been tested, public-facing applications would have been checked for configuration drift, and privilege separation would have been enforced.
Instead, a company that prides itself on trust and community let its customers down with silence and downtime.
Zellis, British Airways, Boots: Supply Chain Chaos as a Service
Remember the MOVEit disaster? Zellis, a payroll processor, got hit by a zero-day. In the blast zone? Their clients, including British Airways and Boots, who had their employees’ sensitive data stolen.
All of these organisations had governance frameworks up to their ears: ISO27001, SOC 2, PCI-DSS, and compliance checklists galore.
But when the consequences landed, the real questions emerged: Were patches applied fast enough? Was lateral movement contained? Were outbound transfers restricted?
Cyber Essentials forces you to answer these, even in its basic form. Not in theory. In practice. In the test. In an audit.
And none of these companies passed that real-world test.
Schneider Electric: Even the Titans Fall
Schneider is a global player. Energy. Infrastructure. Automation. Security should be embedded in its DNA.
Instead, they, too, fell victim to the MOVEit supply chain breach. Confidential files were leaked, reputation was dented, and customers were alarmed.
They likely had all the governance in place. ISO. SOC. Frameworks. Declarations.
But if those declarations aren’t coupled with enforced controls like segmentation, access governance, and breach detection, they’re just aspirations.
Cyber Essentials would have made them check real patching schedules, test real firewall policies, and confirm real anti-malware protection.
Instead, another titan fell to a supply chain exploit.
The Pattern Is Brutally Clear
Each of these organisations, with their audit-ready files and accredited certifications, failed where it mattered: basic cyber hygiene.
The kind of hygiene Cyber Essentials is built to enforce. Not theorise. Not recommend. Enforce.
If you still think CE is beneath you, tell that to the board after your next incident response war room.
What Comes Next
We’ve seen what happens when trust is misplaced. Now it’s time to talk solutions.
In Part 3, we’ll tackle what needs to happen inside ISO27001, SOC 2, and procurement frameworks, and show how Cyber Essentials should become a mandated technical control baseline for suppliers and everyone else.
Because governance without security is negligence.
And the next breach is already knocking, so I hope it is not your turn.