(Moved from old site. Originally posted 26 June 2025)
Introduction
Across the UK, and globally, organisations increasingly pursue certifications such as ISO/IEC 27001 and Cyber Essentials as visible signals of trust. In theory, that is sensible. Buyers want assurance, regulators want consistency, and boards want a measurable story about risk. In practice, certifications can accidentally reward the wrong behaviour: doing just enough to pass an assessment, then stopping.
This is where “tick-box tooling” creeps in. A SIEM, EDR, or XDR platform gets purchased, a few log sources get connected, a policy gets written, and everyone relaxes. The tool becomes a symbol of security, not an engine of detection. Real security might improve as a side effect, but it is not guaranteed.
This article argues for a sharper distinction: certification can demonstrate that a management system exists, but it does not automatically prove that monitoring, detection, and response are effective day to day. The gap between those two ideas is where the illusion of compliance lives.
The certification landscape, what these schemes actually measure
Two common schemes illustrate the problem clearly.
ISO/IEC 27001
ISO/IEC 27001 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) (International Organization for Standardization, 2022). It is designed to be risk-based: organisations define scope, assess risk, select controls, and demonstrate that the system is operating and improving (International Organization for Standardization, 2022). Guidance and implementation material commonly emphasise that controls can be managerial, technical, procedural, or organisational, including the use of tools and technologies, and that they are selected based on risk and context rather than bought off a list (BSI Group, n.d.).
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is a UK government-backed scheme aimed at reducing exposure to common attacks by requiring basic technical controls. The requirements are structured around five control themes: firewalls, secure configuration, security update management, user access control, and malware protection (National Cyber Security Centre, 2025a). Cyber Essentials Plus adds independent testing against those technical requirements and aims for consistent outcomes across certification bodies (National Cyber Security Centre, 2025b).
Here is the key point: neither scheme is designed to certify that you run a capable SOC, or that your SIEM detections catch modern attacker behaviour. Cyber Essentials is a baseline, and its requirements focus on core hygiene rather than monitoring operations (National Cyber Security Centre, 2025a). ISO/IEC 27001 is broader, but it certifies the ISMS and its effectiveness, not a particular security tool stack (International Organization for Standardization, 2022).
Why “tool presence” becomes confused with “tool effectiveness”
Security tooling is easy to procure and easy to demonstrate. Effectiveness is harder.
Procurement creates artefacts: licences, invoices, architecture diagrams, screenshots, vendor dashboards. Those are all “evidence shaped”. Operational capability creates messier artefacts: alert triage records, tuning decisions, false positive suppression notes, incident timelines, post incident reviews, tabletop outputs, purple team findings. That evidence exists only if people are actually doing the work.
This matters because certification audits and assessments, by necessity, use sampling and evidence collection. Management system certification relies on audit programmes, staged audits, surveillance activity, and objective evidence against requirements; it is not a full technical validation of every control, every day (International Organization for Standardization and International Electrotechnical Commission, 2015). Even within ISMS certification specifically, standards exist to ensure certification bodies operate competently and impartially, but those bodies still work through planned audit programmes and evidence gathering, not continuous operational monitoring (International Organization for Standardization, 2024; Chartered Quality Institute, 2024).
So it becomes possible, in the real world, for an organisation to demonstrate that “monitoring exists” in documentation, while the actual monitoring function is weak, under-resourced, or effectively dormant.
Where ISO 27001 can be interpreted too narrowly
ISO/IEC 27001 expects an organisation to evaluate performance and improve the ISMS (International Organization for Standardization, 2022). In practice, “continual improvement” can degrade into “continual paperwork”. Policies get updated, risk registers get refreshed, and audit findings get closed, but operational detection quality may not improve.
A particularly common pinch point is logging and monitoring. Many organisations map these activities to the Annex A controls 8.15 (Logging) and 8.16 (Monitoring activities), often using ISO/IEC 27002 guidance. Control descriptions and common interpretations emphasise that logs should be planned, protected, reviewed, and used to support detection and investigation, not simply collected (ISMS.online, n.d.; Advisera, n.d.). If the organisation treats “we ingest logs” as the finish line, the spirit of the controls is missed.
Where Cyber Essentials can be misunderstood
Cyber Essentials is intentionally focused on basic controls that block a large proportion of common attacks. That focus is valuable, but it is not the same as security monitoring maturity.
The requirements document describes the five control themes, but it does not introduce a dedicated requirement for centralised logging, correlation, detection engineering, or incident response operations (National Cyber Security Centre, 2025a). Cyber Essentials Plus strengthens assurance by requiring independent testing and by aiming for consistent outcomes regardless of certification body, but it remains scoped to Cyber Essentials requirements (National Cyber Security Centre, 2025b).
There is also a subtle trap. Even when a scheme includes a small nod to operational behaviour, it can be minimal. For example, the Cyber Essentials Plus test specification includes checks such as whether anti-malware solutions generate alerts and whether there is evidence of investigation of alerts, including “investigation of logs”, for specific scenarios (National Cyber Security Centre, 2025b). That is useful, but it is not the same as validating end to end detection coverage across the environment.
The danger of dormant defences
A SIEM or XDR platform that is not operationalised is like a fire alarm wired to a speaker nobody can hear. The hardware exists, but the outcome is fantasy.
Two authoritative themes show up repeatedly in security logging guidance:
- Logging must be tied to use cases and risk
Practitioner guidance on SIEM ingestion explicitly discourages “logging for the sake of logging” and stresses tailoring collection and analysis to the environment and risk profile (National Cyber and Information Security Agency, 2025). That is the opposite of tick-box tooling.
- Centralisation and correlation are not the same as detection
Log management guidance frames logs as inputs into analysis, investigation, and response. Capturing events is not the endpoint, it is the beginning of a process that includes review, interpretation, and action (Kent and Souppaya, 2006). If nobody is reviewing alerts or improving detections, “we have a SIEM” becomes a comforting sentence rather than a security capability.
Why this happens, the boring, human reasons
Most tick-box tooling failures are not caused by malice. They are caused by incentives and constraints.
Skills and staffing gaps
Advanced platforms require engineers and analysts who can build and maintain detections, tune noise, and run workflows. Without that capability, the platform trends toward shelfware, or at best, a passive log warehouse.
Resource constraints and cost models
Licensing based on data volume, storage, and feature tiers can push organisations into ingesting too little, retaining too briefly, or disabling useful telemetry. The tool exists, but its effective configuration is financially discouraged.
Certification as an endpoint
Once the certificate is won, pressure often drops. Budget and attention shift elsewhere. The ISMS continues, but operational maturity stagnates.
Evidence bias
Documentation is easier to produce than operational excellence. Unless audits consistently ask for operational proof, organisations will optimise for what is assessed.
Common “cosmetic implementation” patterns to watch for
These patterns are not universal, but they are predictable outcomes of the incentive structure described above.
- A SIEM is deployed, but ingestion is narrow and unprioritised, with little linkage to risk based use cases, despite guidance encouraging prioritisation and discouraging logging for its own sake (National Cyber and Information Security Agency, 2025).
- Alerting exists, but triage is sporadic, with weak evidence of investigation workflows, even though testing specifications may expect evidence of investigating alerts in specific contexts (National Cyber Security Centre, 2025b).
- Logging controls are “met” on paper, but review and monitoring activities are not demonstrably effective, despite common control interpretations emphasising review and use of logs for detection and investigation (ISMS.online, n.d.; Advisera, n.d.).
None of these are exotic failures. They are what happens when tools are treated as outcomes rather than components.
Recommendations, closing the gap between certification and real security
If you want certification to correlate with real security, the fix is not “more tools”. The fix is better evidence of operational reality.
- Demand operational evidence, not tool existence
For ISO/IEC 27001 audits and internal assurance reviews, ask for evidence that the monitoring function is active and improving, not just installed. Examples include:
  - Recent alert queues and triage notes
  - Examples of tuning changes and the rationale
  - Incident records and post incident reviews
  - Metrics that show detection and response performance over time (for example, time to triage, time to contain)
This aligns with the broader intent of ISMS effectiveness and continual improvement (International Organization for Standardization, 2022; BSI Group, n.d.).
- Treat logging as a capability with design principles
Adopt risk based logging objectives, prioritise sources, and build gradually, rather than ingesting randomly or treating the SIEM as a dumping ground (National Cyber and Information Security Agency, 2025). Tie ingestion to detection and investigation needs, not vanity dashboards.
- Build the people system, not just the tech system
If you cannot staff detections, tune alerting, and investigate, you do not have a monitoring capability. You have software. Certification can coexist with that reality, which is precisely why leadership should insist on capability investment alongside compliance goals (Kent and Souppaya, 2006).
- Use continuous validation to keep the “certificate story” honest
Tabletops, purple teaming, and controlled simulation can generate evidence that monitoring and response workflows actually function. This creates operational artefacts that are harder to fake than screenshots.
- Reframe certification as a floor, not a ceiling
Cyber Essentials should be treated as baseline hygiene, and ISO/IEC 27001 should be treated as a management system that supports continual improvement, not a badge that ends the conversation (National Cyber Security Centre, 2025a; International Organization for Standardization, 2022).
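As an added worked example (not code from the original article or from any of the cited schemes), the script below turns an exported SIEM alert queue into the kind of operational evidence the list above asks for, and flags the dormant-defence symptoms described earlier: enabled rules that never fire and alerts nobody triages. Every alert record, rule name, field name and the 24-hour triage SLA are constructed assumptions; a real SIEM export will have its own schema, so the loader is the part you would adapt.

```python
"""Turn a SIEM alert export into operational evidence of monitoring.

Added example for this article, not code from the original. All records,
rule names, field names and the 24-hour triage SLA below are constructed
assumptions; a real SIEM export will use its own schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Alert:
    rule: str                       # detection rule that produced the alert
    created: datetime               # when the SIEM raised it
    triaged: Optional[datetime]     # None: nobody has looked at it yet
    contained: Optional[datetime]   # set only for confirmed, contained incidents
    disposition: str                # "open", "false_positive" or "true_positive"


# Constructed sample export: (rule, created, triaged, contained, disposition).
SAMPLE_ALERTS = [
    ("auth-bruteforce", "2025-06-01T08:00:00", "2025-06-01T08:20:00", None, "false_positive"),
    ("auth-bruteforce", "2025-06-01T09:05:00", "2025-06-01T09:15:00", "2025-06-01T11:15:00", "true_positive"),
    ("edr-malware-detected", "2025-06-02T14:00:00", "2025-06-02T14:30:00", "2025-06-02T15:00:00", "true_positive"),
    ("edr-malware-detected", "2025-06-03T10:00:00", None, None, "open"),
    ("impossible-travel", "2025-06-03T12:00:00", None, None, "open"),
]
# Rules the SIEM claims are enabled (assumed). Two of them never fired.
DEPLOYED_RULES = {"auth-bruteforce", "edr-malware-detected", "impossible-travel",
                  "privileged-group-change", "log-source-silent"}
NOW = datetime(2025, 6, 5, 9, 0, 0)  # assumed time the evidence was pulled


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def load_alerts(rows) -> list[Alert]:
    """Adapt this to the real export; everything else works on Alert objects."""
    return [Alert(r, _ts(c), _ts(t), _ts(k), d) for r, c, t, k, d in rows]


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def operational_metrics(alerts, deployed_rules, now, triage_sla=timedelta(hours=24)):
    """Metrics an auditor can ask for instead of a screenshot of the console."""
    triaged = [a for a in alerts if a.triaged is not None]
    contained = [a for a in alerts if a.contained is not None]
    untriaged = [a for a in alerts if a.triaged is None]
    return {
        "alerts": len(alerts),
        # Share of alerts a human actually looked at.
        "triage_rate": len(triaged) / len(alerts) if alerts else 0.0,
        "median_minutes_to_triage": median([_minutes(a.created, a.triaged) for a in triaged]) if triaged else None,
        "median_minutes_to_contain": median([_minutes(a.created, a.contained) for a in contained]) if contained else None,
        # Alerts sitting in the queue longer than the SLA: the speaker nobody can hear.
        "untriaged_past_sla": sum(1 for a in untriaged if now - a.created > triage_sla),
        "false_positive_rate": (sum(a.disposition == "false_positive" for a in triaged) / len(triaged)) if triaged else None,
        # Enabled rules with zero alerts in the window: untested, broken, or fed by silent sources.
        "dormant_rules": sorted(set(deployed_rules) - {a.rule for a in alerts}),
    }


def cosmetic_indicators(metrics, max_untriaged=0, min_triage_rate=0.9) -> list[str]:
    """Plain-language findings to put in front of an auditor or a board."""
    findings = []
    if metrics["untriaged_past_sla"] > max_untriaged:
        findings.append(f'{metrics["untriaged_past_sla"]} alert(s) untriaged beyond SLA')
    if metrics["triage_rate"] < min_triage_rate:
        findings.append(f'triage rate {metrics["triage_rate"]:.0%} below target {min_triage_rate:.0%}')
    if metrics["dormant_rules"]:
        findings.append("rules that never fired: " + ", ".join(metrics["dormant_rules"]))
    return findings


if __name__ == "__main__":
    m = operational_metrics(load_alerts(SAMPLE_ALERTS), DEPLOYED_RULES, NOW)
    for key, value in m.items():
        print(f"{key}: {value}")
    for finding in cosmetic_indicators(m):
        print("FINDING:", finding)
```

Run against the constructed export, the script reports a 60% triage rate, two alerts untriaged past the 24-hour SLA, and two enabled rules that produced nothing in the window. None of those facts appear on a licence invoice or an architecture diagram, which is exactly why they are worth asking for; a tuning log that explains why a rule is quiet turns the “dormant rule” finding into evidence rather than a gap.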
Conclusion
Certifications are not useless; they are useful, but only when they are interpreted correctly. Cyber Essentials can raise baseline hygiene. ISO/IEC 27001 can drive risk management discipline and continual improvement. Neither automatically guarantees that your SIEM, XDR, or SOC function is effective.
The illusion appears when organisations confuse tool ownership with operational security, and when evidence focuses on existence rather than effectiveness. The attackers will not care that the boxes were ticked. They will care whether you can detect, respond, and learn.
References
Advisera (n.d.) ‘ISO 27001 control 8.16, Monitoring activities’, Advisera. Available at: https://advisera.com/27002academy/knowledgebase/control-8-16-monitoring-activities/ (Accessed: 18 December 2025).
BSI Group (n.d.) ‘ISO/IEC 27001:2022 Information Security, Your implementation guide’, BSI Group. Available at: https://www.bsigroup.com/globalassets/localfiles/en-gb/iso-27001/pdf/v2.0_27001_implementation_guide.pdf (Accessed: 18 December 2025).
Chartered Quality Institute (2024) ‘Updated ISO/IEC 27006-1:2024 giving confidence in certification’, CQI, IRCA, 22 May. Available at: https://www.quality.org/article/updated-isoiec-27006-12024-giving-confidence-certification (Accessed: 18 December 2025).
International Organization for Standardization (2022) ‘ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection, Information security management systems, Requirements’, ISO. Available at: https://www.iso.org/standard/82875.html (Accessed: 18 December 2025).
International Organization for Standardization (2024) ‘ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of information security management systems, Part 1: General’, ISO. Available at: https://www.iso.org/standard/82908.html (Accessed: 18 December 2025).
International Organization for Standardization and International Electrotechnical Commission (2015) ‘ISO/IEC 17021-1:2015, Conformity assessment, Requirements for bodies providing audit and certification of management systems, Part 1: Requirements’, ISO/IEC. Available at: https://qualityacademy.org/wp-content/uploads/2025/03/ISO_IEC_17021-1_2015en.pdf (Accessed: 18 December 2025).
ISMS.online (n.d.) ‘ISO 27001:2022 Annex A Control 8.15, Logging’, ISMS.online. Available at: https://www.isms.online/iso-27001/annex-a/8-15-logging-2022/ (Accessed: 18 December 2025).
ISMS.online (n.d.) ‘ISO 27001:2022 Annex A Control 8.16, Monitoring activities’, ISMS.online. Available at: https://www.isms.online/iso-27001/annex-a/8-16-monitoring-activities-2022/ (Accessed: 18 December 2025).
Kent, K. and Souppaya, M. (2006) ‘Guide to Computer Security Log Management (SP 800-92)’, National Institute of Standards and Technology. DOI: 10.6028/NIST.SP.800-92. Available at: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf (Accessed: 18 December 2025).
National Cyber and Information Security Agency (2025) ‘Priority logs for SIEM ingestion: Practitioner guidance’, media.defense.gov, 27 May. Available at: https://media.defense.gov/2025/May/27/2003722069/-1/-1/0/PRIORITY-LOGS-FOR-SIEM-INGESTION-PRACTITIONER-GUIDANCE.PDF (Accessed: 18 December 2025).
National Cyber Security Centre (2025a) ‘Cyber Essentials Requirements for IT Infrastructure v3.2’, NCSC, April. Available at: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-Infrastructure-v3-2.pdf (Accessed: 18 December 2025).
National Cyber Security Centre (2025b) ‘Cyber Essentials Plus Test Specification v3.2’, NCSC, April. Available at: https://www.ncsc.gov.uk/files/cyber-essentials-plus-test-specification-v3-2.pdf (Accessed: 18 December 2025).