ISO 27001: Worth the badge or just theater?

If you saw the “ISO 27001 Certified” badge on your vendor’s website, you may have thought: great, they will protect my assets with rock-solid security.

And to be fair, getting that certificate is no small feat. It means the company has set up a structured way of managing information security.

But here’s the twist: for customers, partners, or regulators who rely on that shiny certificate, it can also be misleading. Let’s peel back the curtain.

1. The false comfort blanket

ISO 27001 (see standard here) proves that a company has an information security management system. It proves only that. It does not prove they won’t get breached.

Plenty of breached companies were certified at the time. The risk is assuming the certificate is a guarantee, when in reality it’s more like a gym membership: just because someone has it doesn’t mean they’re actually fit. At the end of this article you’ll find security-savvy companies with an ISO 27001 certificate that got compromised big time: Prosegur (2019), Interserve (2020) and Okta (2023).

2. Scope games

Here’s a fun trick: a company can define the scope of its certification through the so-called Statement of Applicability. They might certify just their data center ops, while the product engineering team, where all the sensitive code lives, sits outside the scope.

To you, the customer, it looks like the whole company is covered. Spoiler: it’s not. I’ve seen examples where the scope was limited to the software development team, while the company was providing SaaS services.

3. The minimum bar

ISO 27001 is about management processes, not about maximum defence of your assets.

It provides assurance there are policies, processes and procedures in place (the so-called ISMS, Information Security Management System). Which is good. A certified company, however, might still run outdated software, have weak monitoring, or lack a mature incident response. They can technically pass while still being less secure than you’d hope.

Additionally, ISO 27001 is obsessed with risk registers and continual improvement. That’s fine, but it doesn’t necessarily mean the company can detect a breach in under an hour, recover from ransomware in a day, or is protected against zero-day attacks.

You get well-polished paperwork, but no proof of cyber resilience.

4. A snapshot, not a movie

The audit is a once-a-year kind of deal. It’s like taking a photo at a wedding and saying: “Yep, that’s how the couple will look forever.”

Security, of course, is dynamic. New staff, new software, new vulnerabilities: all of these can unravel that tidy picture two months after the audit.

Particularly with the rapid deployment of AI and the recent emergence of AI-driven attacks, an annual snapshot may not suffice, all the more so given the incredibly fast pace at which AI threats are evolving. See my blog posts for examples.

5. The auditor lottery

Not all certification bodies are created equal. Some are tough, while some are… let’s say less tough.

Companies can and do shop around for auditors who are easier to please. You’ll never know whether that ISO badge was earned under a boot-camp-style drill sergeant, or from someone who barely looked up from their checklist. I’ve seen many examples of auditors who did not question the scope as mentioned in point 2 above.

6. Playing catch-up with reality

Standards take years to update. The 2022 version of ISO 27001 finally caught up to the cloud era, but what about AI risks, supply chain compromises, or deepfake-powered phishing? ISO 42001, for example, does mention cybersecurity but is not part of the scope of ISO 27001.

A certified company might tick every box, but still be blind to tomorrow’s attack vectors and even to today’s threats.

Enter SOC 2: A different beast

This is why many strong providers (and increasingly their customers) ask for SOC 2 reports on top of ISO 27001. SOC 2 (see here) offers a trust report issued by an independent auditor, not just a management certification. It digs into whether security controls are actually operating effectively over time.

While ISO 27001 tells you “We have a system and policies in place” it is SOC 2 that actually says “An external auditor has tested our controls in practice, across a full audit period.”

SOC 2 goes further on evidence of operational security (logs, alerts, incident handling, onboarding/offboarding, vendor checks) and aligns directly with customer trust in day-to-day service delivery.

The best vendors know ISO 27001 alone doesn’t cut it for savvy customers, so they pair it with SOC 2 to show both: we have structure and we walk the talk.

So, should you ignore ISO 27001?

Not at all. It’s a good baseline. It shows a vendor takes security seriously enough to invest time and money in structure and governance.

But as a relying party, don’t stop there. Ask questions:

  • What’s the scope of your certification?
  • How do you deal with new attack vectors between audits?
  • Do you also provide a SOC 2 report, and what were the key findings?
  • When was your last penetration test, and what did you learn?

The ISO badge is a start. Just don’t let it be the end of your diligence.

ISO 27001 in the age of DORA

If you’re in the supply chain of a bank, insurer, or payments company in Europe, the shiny ISO 27001 badge matters, but only as a starting point.

DORA, the Digital Operational Resilience Act that landed in 2025, is the EU’s way of telling financial entities: “Stop just checking certifications. Prove you can survive real incidents.”

Here’s the rub. ISO 27001 is great at showing you’ve got a management system, policies, and risk assessments in place. Procurement teams love it because it signals you’ve at least done your homework. Without it, you might not even get in the door.

But DORA is hungrier. It asks for evidence of operational resilience: business continuity tested under fire, threat-led penetration testing (think TIBER-EU), incident response with clock-ticking SLAs, and ongoing supply chain monitoring. ISO 27001 doesn’t go that far.

So, if you’re a supplier: Yes, ISO 27001 is worth it. It keeps you in the conversation. But no, it’s not enough to satisfy DORA on its own. Financial entities will still push for proof that you can take a punch and keep standing.

Think of it this way: ISO 27001 gets you to the starting line. DORA asks if you can actually finish the race.


Addendum: Certified companies that got breached

1. Prosegur (2019)

Security firm Prosegur was breached while ISO 27001 certified. The attack showed that even specialized security companies can be compromised, most often because certification doesn’t guarantee real-time defense or flawless implementation. Prosegur did not have SOC 2 certification. More details here.

2. Interserve (2020 – ICO Fine in 2022)

Construction and services giant Interserve received a £4.4 million fine for a data breach that affected over 113,000 employees.

Despite ISO 27001 certification, the company failed on several fronts: outdated and unsupported software, antiquated protocols, poor incident response, and compromised privileged accounts. Interserve did not have SOC 2 certification. More details here.

3. Okta (2023)

Okta, a leading identity management provider, suffered a major breach that affected all of its customers, despite holding ISO 27001 certification at the time.

The incident highlighted how having documented processes doesn’t guarantee airtight operational security, especially when sophisticated attacks exploit gaps between policy and practice. Note that Okta actually did have a SOC 2 certification and still got compromised. More details here.
