What the Latest Google Chrome Vulnerability...
Security updates are only effective if organisations can confirm they have been applied. This article looks at what the latest...
Read MoreCyber Essentials and Cyber Essentials Plus remain highly valuable frameworks for helping organisations reduce exposure to common cyber threats. The issue is not with certification itself, but with treating certification as the end point rather than the starting point for ongoing cyber resilience.
For many organisations, achieving compliance with a cybersecurity standard represents a major investment of time, money, and effort. Whether it is ISO 27001 certification, Cyber Essentials/Cyber Essentials Plus, or meeting sector-specific regulatory requirements, compliance demonstrates a commitment to protecting information and managing risk.
However, one of the most persistent misconceptions in cybersecurity is that compliance and security are interchangeable. They are not.
Over the past few years, organisations holding recognised security certifications have continued to suffer ransomware attacks, supply chain compromises, and data breaches. These incidents rarely occur because compliance frameworks have failed. More often, they happen because organisations mistake compliance for a finished product, rather than viewing it as the foundation of an ongoing security programme.
Boards should therefore ask a different question. Instead of asking, “Are we compliant?”, they should be asking, “Are we genuinely resilient against today’s threats?”
Most recognised standards and regulatory frameworks are designed to demonstrate that an organisation has implemented appropriate governance, policies, and technical controls. That is an important objective.
Standards such as ISO 27001 encourage organisations to establish an Information Security Management System (ISMS), assess risk systematically, and continually improve their security posture. Likewise, Cyber Essentials provides a government-backed baseline of technical controls that significantly reduce exposure to common attacks.
However, certification does not mean every system remains securely configured indefinitely. Nor does it guarantee that new vulnerabilities will be patched immediately, suppliers will maintain equivalent security standards, or employees will never fall victim to increasingly sophisticated phishing campaigns.
Technology changes daily. Attackers evolve continuously. Compliance assessments, by comparison, are periodic. The gap between these two realities is where many successful cyber attacks occur.
Cybercriminals are no longer relying solely on opportunistic attacks. Many now exploit newly disclosed vulnerabilities within hours or days of public disclosure, while ransomware groups increasingly operate as highly organised criminal enterprises with specialist affiliates responsible for initial access, data theft, and extortion.
Artificial intelligence has accelerated this trend further. Convincing phishing emails, cloned voices, and realistic video impersonations are becoming easier to produce, lowering the technical barrier for attackers, while also increasing the likelihood of successful social engineering.
A business that successfully completed an external audit several months ago may therefore still face significant risk if vulnerabilities remain unpatched, privileged accounts are poorly managed, or employees have not been prepared for emerging attack techniques.
Compliance frameworks encourage good practice, but they cannot anticipate every new threat.
The strongest organisations view compliance as evidence that good security practices exist, not proof that security is complete. This means moving beyond annual reviews and adopting continuous oversight of cyber risk.
Effective security programmes typically include regular vulnerability management, timely patching, continuous monitoring of critical systems, supplier assurance activities, security awareness training, and tested incident response procedures. These activities evolve as new risks emerge, rather than waiting until the next certification cycle.
The UK’s National Cyber Security Centre (NCSC) consistently promotes this approach through its guidance on mitigating malware and ransomware, emphasising ongoing vulnerability management, effective access controls, security monitoring, and regularly tested incident response capabilities, rather than one-off compliance exercises.
Many of the most damaging cyber incidents do not begin with sophisticated malware; they begin with people.
An employee approves a fraudulent payment after receiving a convincing AI-generated phone call. A supplier’s compromised credentials provide attackers with trusted access. A system administrator delays applying a critical security update because of operational pressures.
None of these situations necessarily indicate that an organisation has failed its compliance obligations. Instead, they demonstrate that cybersecurity depends on people, processes, and decision-making as much as technical controls.
Boards should therefore consider whether security awareness training reflects today’s threats, whether incident response plans have been exercised recently, and whether key business decisions routinely include cybersecurity considerations.
These questions provide a far better indication of organisational resilience than certification status alone.
One of the greatest strengths of recognised frameworks is that they provide structure. ISO 27001 encourages organisations to identify risks, assign ownership, establish governance, and embed continual improvement. Cyber Essentials and Cyber Essentials Plus establish a strong technical baseline that reduces exposure to common attacks and helps organisations demonstrate that key controls are in place.
Neither framework claims to eliminate cyber risk. In fact, both implicitly recognise that security is an ongoing process requiring regular review, adaptation, and improvement.
When organisations treat certification as the finish line, investment often slows immediately after the audit. Security programmes become reactive rather than proactive, with improvements driven primarily by the next assessment, rather than changes in the threat landscape.
Conversely, organisations that use compliance as a framework for continuous improvement tend to mature their security capability over time, making future compliance exercises easier, while also strengthening their resilience against real-world attacks.
Cybersecurity discussions at board level often begin with questions about certification and regulatory compliance. Those remain important, particularly when demonstrating due diligence to customers, regulators, and insurers.
However, leaders should broaden the conversation by asking questions such as:
These discussions shift the focus from compliance reporting towards operational resilience, which is ultimately what stakeholders, regulators, and customers expect.
Compliance remains an essential component of modern cybersecurity governance. It demonstrates accountability, establishes consistent controls, and provides assurance to customers, regulators, and business partners.
But compliance alone has never guaranteed security.
True cyber resilience comes from maintaining visibility of evolving risks, responding quickly to new threats, and embedding security into everyday business operations. Organisations that recognise this distinction are better positioned not only to achieve certification, but also to withstand the attacks that inevitably target them.
For boards, the objective should not simply be passing the next audit. It should be ensuring that compliance serves as the starting point for a mature, continually improving security programme that protects the organisation long after the certificate has been issued.
AJC helps organisations use recognised standards such as Cyber Essentials, Cyber Essentials Plus, and ISO 27001 as a practical foundation for stronger cyber resilience.
Our team works with clients to understand their current security posture, identify practical areas for improvement, and strengthen the controls, processes, and behaviours that support long-term resilience.
We support organisations with Cyber Essentials and Cyber Essentials Plus certification, ISO 27001 readiness, vulnerability assessments, penetration testing, incident response planning, and wider cyber risk management. By combining compliance expertise with practical security experience, AJC helps organisations move beyond certification and build security programmes that continue to adapt as threats evolve.
Whether you are preparing for certification, reviewing your existing arrangements, or looking to strengthen your organisation’s resilience, AJC can help you take a structured and practical approach to cybersecurity.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
https://www.ncsc.gov.uk/collection/10-steps
https://www.ncsc.gov.uk/collection/board-toolkit
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025
Image accreditation: Getty Images (December 2024) from Unsplash.com+. Last accessed on 8 July 2026. Available at:
https://unsplash.com/photos/digital-security-and-privacy-background-cyber-and-crypto-security-shield-on-futuristic-screen-technology-background-02LFRDKL6Hg
Security updates are only effective if organisations can confirm they have been applied. This article looks at what the latest...
Read MoreA recent Dashlane security incident has raised important questions about password managers, master passwords and authentication controls. This article looks...
Read MoreIn this series, we introduce the people behind AJC and the experience they bring to the business. In this profile,...
Read More