Phone us
Compliance with recognised cyber security standards is an important part of managing risk, but it should not be mistaken for complete protection. This article looks at why compliance alone will not stop a cyber attack, and why organisations need to treat certification as the foundation of an ongoing security programme.

Cyber Essentials and Cyber Essentials Plus remain highly valuable frameworks for helping organisations reduce exposure to common cyber threats. The issue is not with certification itself, but with treating certification as the end point rather than the starting point for ongoing cyber resilience.

For many organisations, achieving compliance with a cybersecurity standard represents a major investment of time, money, and effort. Whether it is ISO 27001 certification, Cyber Essentials/Cyber Essentials Plus, or meeting sector-specific regulatory requirements, compliance demonstrates a commitment to protecting information and managing risk.

However, one of the most persistent misconceptions in cybersecurity is that compliance and security are interchangeable. They are not.

Over the past few years, organisations holding recognised security certifications have continued to suffer ransomware attacks, supply chain compromises, and data breaches. These incidents rarely occur because compliance frameworks have failed. More often, they happen because organisations mistake compliance for a finished product, rather than viewing it as the foundation of an ongoing security programme.

Boards should therefore ask a different question. Instead of asking, “Are we compliant?”, they should be asking, “Are we genuinely resilient against today’s threats?”

Compliance Measures a Point in Time

Most recognised standards and regulatory frameworks are designed to demonstrate that an organisation has implemented appropriate governance, policies, and technical controls. That is an important objective.

Standards such as ISO 27001 encourage organisations to establish an Information Security Management System (ISMS), assess risk systematically, and continually improve their security posture. Likewise, Cyber Essentials provides a government-backed baseline of technical controls that significantly reduce exposure to common attacks.

However, certification does not mean every system remains securely configured indefinitely. Nor does it guarantee that new vulnerabilities will be patched immediately, suppliers will maintain equivalent security standards, or employees will never fall victim to increasingly sophisticated phishing campaigns.

Technology changes daily. Attackers evolve continuously. Compliance assessments, by comparison, are periodic. The gap between these two realities is where many successful cyber attacks occur.

Today’s Threat Landscape Moves Faster Than Audit Cycles

Cybercriminals are no longer relying solely on opportunistic attacks. Many now exploit newly disclosed vulnerabilities within hours or days of public disclosure, while ransomware groups increasingly operate as highly organised criminal enterprises with specialist affiliates responsible for initial access, data theft, and extortion.

Artificial intelligence has accelerated this trend further. Convincing phishing emails, cloned voices, and realistic video impersonations are becoming easier to produce, lowering the technical barrier for attackers, while also increasing the likelihood of successful social engineering.

A business that successfully completed an external audit several months ago may therefore still face significant risk if vulnerabilities remain unpatched, privileged accounts are poorly managed, or employees have not been prepared for emerging attack techniques.

Compliance frameworks encourage good practice, but they cannot anticipate every new threat.

Security Is About Continuous Risk Management

The strongest organisations view compliance as evidence that good security practices exist, not proof that security is complete. This means moving beyond annual reviews and adopting continuous oversight of cyber risk.

Effective security programmes typically include regular vulnerability management, timely patching, continuous monitoring of critical systems, supplier assurance activities, security awareness training, and tested incident response procedures. These activities evolve as new risks emerge, rather than waiting until the next certification cycle.

The UK’s National Cyber Security Centre (NCSC) consistently promotes this approach through its guidance on mitigating malware and ransomware, emphasising ongoing vulnerability management, effective access controls, security monitoring, and regularly tested incident response capabilities, rather than one-off compliance exercises.

People and Processes Remain the Greatest Variable

Many of the most damaging cyber incidents do not begin with sophisticated malware; they begin with people.

An employee approves a fraudulent payment after receiving a convincing AI-generated phone call. A supplier’s compromised credentials provide attackers with trusted access. A system administrator delays applying a critical security update because of operational pressures.

None of these situations necessarily indicate that an organisation has failed its compliance obligations. Instead, they demonstrate that cybersecurity depends on people, processes, and decision-making as much as technical controls.

Boards should therefore consider whether security awareness training reflects today’s threats, whether incident response plans have been exercised recently, and whether key business decisions routinely include cybersecurity considerations.

These questions provide a far better indication of organisational resilience than certification status alone.

Compliance Should Enable Better Security, Not Replace It

One of the greatest strengths of recognised frameworks is that they provide structure. ISO 27001 encourages organisations to identify risks, assign ownership, establish governance, and embed continual improvement. Cyber Essentials and Cyber Essentials Plus establish a strong technical baseline that reduces exposure to common attacks and helps organisations demonstrate that key controls are in place.

Neither framework claims to eliminate cyber risk. In fact, both implicitly recognise that security is an ongoing process requiring regular review, adaptation, and improvement.

When organisations treat certification as the finish line, investment often slows immediately after the audit. Security programmes become reactive rather than proactive, with improvements driven primarily by the next assessment, rather than changes in the threat landscape.

Conversely, organisations that use compliance as a framework for continuous improvement tend to mature their security capability over time, making future compliance exercises easier, while also strengthening their resilience against real-world attacks.

What Boards Should Be Asking Instead

Cybersecurity discussions at board level often begin with questions about certification and regulatory compliance. Those remain important, particularly when demonstrating due diligence to customers, regulators, and insurers.

However, leaders should broaden the conversation by asking questions such as:

  • If a ransomware attack occurred tomorrow, how confident are we that we could recover critical services within a reasonable time?
  • How quickly do we identify and remediate critical vulnerabilities?
  • Have we recently tested our incident response and business continuity plans?
  • How are we managing cybersecurity risks introduced by suppliers and third parties?
  • Are our employees prepared to recognise today’s increasingly sophisticated phishing and social engineering attacks?

These discussions shift the focus from compliance reporting towards operational resilience, which is ultimately what stakeholders, regulators, and customers expect.

Building Security Beyond Compliance

Compliance remains an essential component of modern cybersecurity governance. It demonstrates accountability, establishes consistent controls, and provides assurance to customers, regulators, and business partners.

But compliance alone has never guaranteed security.

True cyber resilience comes from maintaining visibility of evolving risks, responding quickly to new threats, and embedding security into everyday business operations. Organisations that recognise this distinction are better positioned not only to achieve certification, but also to withstand the attacks that inevitably target them.

For boards, the objective should not simply be passing the next audit. It should be ensuring that compliance serves as the starting point for a mature, continually improving security programme that protects the organisation long after the certificate has been issued.

How AJC Can Help

AJC helps organisations use recognised standards such as Cyber Essentials, Cyber Essentials Plus, and ISO 27001 as a practical foundation for stronger cyber resilience.

Our team works with clients to understand their current security posture, identify practical areas for improvement, and strengthen the controls, processes, and behaviours that support long-term resilience.

We support organisations with Cyber Essentials and Cyber Essentials Plus certification, ISO 27001 readiness, vulnerability assessments, penetration testing, incident response planning, and wider cyber risk management. By combining compliance expertise with practical security experience, AJC helps organisations move beyond certification and build security programmes that continue to adapt as threats evolve.

Whether you are preparing for certification, reviewing your existing arrangements, or looking to strengthen your organisation’s resilience, AJC can help you take a structured and practical approach to cybersecurity.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.

Sources:

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ransomware-and-data-protection-compliance/

https://www.ncsc.gov.uk/collection/10-steps

https://www.ncsc.gov.uk/collection/board-toolkit

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025

Image accreditation: Getty Images (December 2024) from Unsplash.com+. Last accessed on 8 July 2026. Available at:
https://unsplash.com/photos/digital-security-and-privacy-background-cyber-and-crypto-security-shield-on-futuristic-screen-technology-background-02LFRDKL6Hg

In case you missed it...

google chrome vulnerability
What the Latest Google Chrome Vulnerability...

Security updates are only effective if organisations can confirm they have been applied. This article looks at what the latest...

Read More
Dashlane Password Vault Incident
What Businesses Can Learn from the...

A recent Dashlane security incident has raised important questions about password managers, master passwords and authentication controls. This article looks...

Read More
natasha cummings
Meet Natasha Cummings, Risk and Fraud...

In this series, we introduce the people behind AJC and the experience they bring to the business. In this profile,...

Read More

Get in touch

    By submitting this form you are consenting that your data be handled in accordance with our Privacy Notice and we will be in touch regarding your enquiry.