Stop Treating Security Frameworks as Proof of Safety
- Rachel Gentry
- Feb 9
- 3 min read
Why ISO 27001 and SOC 2 Are No Longer Enough

There’s a quiet but dangerous assumption creeping into growing technology and regulated organisations:
If we’ve got ISO 27001 and SOC 2, we should be covered.
On paper, that sounds reasonable. In practice, it’s increasingly false — and in some cases, commercially dangerous.
Compliance theatre is becoming a supply-chain risk
Security frameworks were never designed to be proof of safety. They were designed to show how you manage risk. When organisations confuse the two, they often don’t realise there’s a problem until a deal is already on the line.
A real example: certified, but still under forensic scrutiny
Recently, I’ve seen a client with both SOC 2 and ISO 27001 certification asked to undergo a pre-contract third-party risk management forensic audit.
Not a high-level questionnaire. Not a tick-box supplier assurance form. A detailed examination of how controls actually operate day to day.
The customer’s position was clear:
“The certifications tell us you have a framework. We need to understand how you run it.”
That request wasn’t driven by mistrust. It was driven by increased concern about third-party and supply-chain risk — and by the reality that certifications alone no longer provide enough confidence.
This is the gap many organisations don’t realise they’re exposed to.
Compliance theatre is becoming a supply-chain liability
Frameworks like ISO 27001, SOC 2, Cyber Essentials, CAF, and NIST RMF are increasingly being used as entry tickets, not reassurance.
Once you’re inside a commercial conversation, buyers are asking harder questions:
- How are risk decisions made when controls fail?
- What evidence exists that controls are operating, not just designed?
- How do you manage exceptions, pressure, and growth?
- Who actually owns third-party and supply-chain risk?
A checkbox approach can get you through procurement. It often fails under forensic scrutiny.
And when customers are accountable for their supply chain, they can’t afford to accept surface-level assurance from yours.
Auditors and customers are converging on the same expectation
This shift mirrors what’s already happened in audit standards like ISA 315 and regulatory regimes such as SOX.
The emphasis has moved from:
“Do controls exist?”
to:
“Are risks understood, decisions documented, and controls demonstrably effective in practice?”
Customers are now applying that same logic to suppliers — particularly in regulated, critical, or data-sensitive environments.
If your security posture only works when nobody asks follow-up questions, that’s a problem.
Frameworks only protect you if they reflect reality
Used properly, frameworks such as:
- ISO 27001
- SOC 2
- NIST RMF
- CAF
- ETSI EN 303 223
do something extremely valuable: they make risk ownership, trade-offs, and priorities explicit.
Used badly, they create a false sense of safety — one that collapses the moment a customer asks to see how controls actually work under pressure.
That collapse is what turns a “nice-to-have” certification into a fatal commercial flaw.
AI and third-party risk are accelerating this problem
AI governance is exposing weak security governance faster than anything else.
Many organisations claim alignment to NIST AI RMF, while:
- Using third-party AI tools without clear risk ownership
- Lacking supplier assurance for AI-enabled services
- Being unable to explain how AI risk decisions are made or reviewed
When customers start joining the dots between AI use, third-party exposure, and supply-chain risk, superficial assurance won’t survive scrutiny.
The uncomfortable truth
Good security and AI governance are not:
- Perfect control
- Zero risk
- Endless documentation
They are:
- Defensible judgement
- Evidence of operation, not intention
- Proportionate controls that scale with growth
- Leadership that can explain decisions when challenged
Certifications help. But when customers start looking through them instead of at them, only real governance holds up.
If this feels uncomfortably familiar
If you’re:
- Certified, but still facing deep client scrutiny
- Being asked to evidence control operation, not just design
- Exposed to third-party or supply-chain risk you can’t clearly articulate
- Unsure whether your posture would survive a forensic review
That’s not failure — it’s a signal that the market has moved.
A checkbox approach might once have been enough. In today’s environment, it can quietly undermine trust, slow deals, or kill them entirely.
If you want to sense-check whether your current approach would stand up to serious third-party scrutiny before a customer asks, that conversation is far easier to have early.