Does Your ISO 27001 Certificate Mean You’re Secure?
After I published my recent piece on the GCHQ Director’s Bletchley Park lecture, a fellow practitioner left a comment that I’ve been turning over in my head ever since. It’s a question about ISO 27001 certification and what it really proves about security that deserves more than a reply in a LinkedIn thread:
“How many organisations are treating their certification as evidence of security rather than evidence of documented intent?”
It’s a fair question. And the honest answer, from someone who holds the ISO 27001 Lead Auditor qualification and has spent the best part of eighteen years helping organisations build, maintain and audit management systems, is: more than you’d hope.
What ISO 27001 certification actually proves
An ISO 27001 certificate tells the world that your organisation has established an Information Security Management System. It means you’ve identified your information assets, assessed the risks to them, selected controls you believe are proportionate, documented how those controls operate, and submitted all of that to an independent audit by an accredited certification body.
That’s not nothing. It represents genuine effort, and I say that as someone who helps organisations get there. The discipline of building an ISMS forces conversations that wouldn’t otherwise happen. It makes people think about risk in structured terms. It creates accountability where there was none.
But here’s what it doesn’t prove. It doesn’t prove that your people consistently follow the policies you’ve written. It doesn’t prove that your incident response plan works under pressure. It doesn’t prove that your supply chain is secure, only that you have a process for evaluating it. And it certainly doesn’t prove that a skilled, motivated attacker can’t get in.
Certification is evidence that you’ve built a framework and that a third party has checked it meets the standard’s requirements at a point in time. That’s valuable. But it is not the same thing as being secure, and conflating the two is where organisations get into trouble.
The gap I see in practice
In my audit and consultancy work, I see the same pattern repeat. An organisation achieves certification, announces it proudly on LinkedIn, updates the website, and then gradually relaxes. The ISMS becomes something that gets attention in the weeks before a surveillance audit rather than something that shapes daily behaviour. Risk registers go stale. Access reviews slip. New suppliers get onboarded without going through the approval process because “it’s only a small contract” or “we needed to move quickly.”
None of this means the organisation set out to treat certification as a tick-box exercise. Most of the people I work with care about security and want to do it properly. The problem is structural. Once you’ve achieved certification, the external pressure eases. The next audit is months away. Other priorities crowd in. And unless the management system is genuinely embedded in how the organisation operates, it drifts.
This is exactly why the GCHQ Director’s emphasis on fundamentals mattered so much. Anne Keast-Butler wasn’t talking about sophisticated zero-day exploits or nation-state tooling when she addressed the private sector. She was talking about basic cyber hygiene, the kind of measures that most certified organisations would claim to have in place. The question is whether they’re actually working.
When certification becomes counterproductive
There’s a version of this problem that’s more insidious than simple drift. It’s what happens when the certificate itself starts to function as a substitute for critical thinking about risk.
I’ve seen it in procurement, where a buyer accepts an ISO 27001 certificate from a supplier and treats it as the end of the due diligence conversation rather than the start. I’ve seen it in boardrooms, where the annual management review becomes a reassurance exercise rather than a genuine challenge to the organisation’s security posture. And you see it in the wider commentary after major incidents, too: the instinctive reaction that a breach “shouldn’t have happened” because the organisation or its suppliers held the right certifications. That reaction tells you everything about how the certificate is being understood.
The M&S cyber attack is worth considering through this lens. There’s no public evidence that M&S itself held ISO 27001 certification, but that’s almost beside the point. A retailer of that scale relies on major technology suppliers — the Microsofts, the AWS platforms — who hold certifications coming out of their ears. The supply chain was stacked with assurance. And yet the attackers attributed to Scattered Spider reportedly didn’t break through sophisticated technical defences at all. M&S’s own chairman confirmed that they impersonated an employee, called the third-party IT service desk, and got a password reset. Social engineering, aimed at a human being doing their job on a helpline, bypassed whatever controls were documented in whatever management systems were in place. Online sales were suspended for over six weeks. The financial impact ran into hundreds of millions of pounds. All of that certified, audited, documented infrastructure across the supply chain, and the way in was a phone call.
So what should certification mean?
I am not arguing against ISO 27001. I help organisations achieve and maintain it because I believe in the framework. A well-implemented ISMS gives you structure, visibility, and a common language for talking about information security risk across the business. It creates a baseline that most organisations would not reach without it.
But we need to be more honest about what that baseline represents. Certification means you have documented intent, verified systems, and a cycle of review and improvement. It does not mean you are secure in any absolute sense, and pretending otherwise does a disservice to the standard itself.
And if you’re on the other side of that relationship — evaluating a supplier, onboarding a partner, signing off on a new platform — and you’re satisfied when they present an ISO 27001 certificate as evidence that your data will be safe, then you haven’t asked the right questions yet. The certificate tells you they’ve built a management system. It doesn’t tell you how their people behave, how the organisation responds when something goes wrong, how often they test their assumptions, or whether their leadership treats information security as an operational reality rather than a compliance obligation. Those are the questions that matter, and a certificate on its own doesn’t answer any of them.
The GCHQ Director made the point clearly enough: cyber security is a critical priority for all businesses, and the basics matter more than ever. A certificate that says you’ve designed a management system is a starting point. It was never meant to be the finish line.