- 21st Apr 2026
Compliance vs Continuous Assurance in Cyber Security - SureCloud
TLDR: 4 Key Takeaways
- Certifications prove a moment — not ongoing security — most frameworks validate that controls existed and worked at a specific point in time, but they do not reflect how your environment changes day to day or whether controls remain effective.
- Framework overload creates execution gaps — with significant overlap across standards, treating each certification as a separate workstream leads to duplicated effort, inconsistent evidence, and increased risk rather than stronger security.
- Cyber Essentials Plus tests reality, not intent — unlike self-assessed certifications, CE+ requires hands-on validation, exposing whether controls like MFA, patching, and scope are actually implemented consistently across the environment.
- Continuous assurance is the direction of travel — organisations need ongoing control monitoring and live evidence to demonstrate real security posture, reduce risk continuously, and provide credible assurance to regulators and customers.
A certificate shows you passed at a point in time. Continuous assurance shows your controls are working right now, continuously, and that’s what builds real, lasting trust with regulators and customers.
Introduction
Security teams are drowning in frameworks. And a lot of them are starting to ask a fair question: is any of this actually making us more secure?
I've spent a long time working with organisations across their GRC and security programmes. The honest answer is: it depends entirely on why you're doing it.
A framework is a demonstration tool. It exists to show the outside world — customers, regulators, procurement teams — that you've thought about security and put practices in place. That's what it's there for. If you're not doing the underlying work, the certification isn't making you secure. It's making you look like you might be.
That distinction is becoming harder to hide. And I think that's a good thing.
Framework Fatigue Is Real. But the Problem Isn't Frameworks.
Every year, the list of frameworks organisations are expected to hold or align to gets longer. Some are legal requirements. Some are contractual. Some are optional but commercially necessary. And a significant number of them are, in substance, the same thing written slightly differently.
My rough estimate: around 70% of requirements across the major frameworks overlap. You've got organisations with three people managing fifteen certifications, treating each one as a separate workstream. That's not a security programme. That's a compliance treadmill.
But the problem isn't the frameworks themselves. The problem is how organisations respond to them.
If you're pursuing a certification because you need it to win business — and you're not genuinely doing the things it asks for — you've got a security problem that a piece of paper is temporarily concealing. And increasingly, that's getting found out.
The SOC 2 fallout has been instructive. Organisations have achieved certification with no full-time security resource, using tooling to automate their responses, and technically passed assessments that weren't really testing what they were supposed to test. That's not a theoretical concern anymore. It happened. And it's made buyers and procurement teams more sceptical — not just of SOC 2, but of certifications generally.
The answer to that scepticism isn't to abandon frameworks. It's to be honest about what they prove.
What Cyber Essentials Plus Actually Tests
Cyber Essentials Plus has a specific and limited scope: firewalls, secure configuration, access control, malware protection, patching. That's it. It's not an information security management system. It's not a risk programme. It's a technical baseline check.
But unlike the self-assessed Cyber Essentials, the Plus certification requires hands-on testing by a qualified assessor. You have to show evidence. You can't just declare that controls are in place.
That makes it meaningfully different from most certifications. It's harder to game because it's less theoretical. An assessor testing whether your MFA is actually deployed, whether your patches are being applied within required timescales, whether your scope definition holds up under scrutiny — that's not a process check. That's a reality check.
For organisations selling into UK government or public sector procurement, the ROI on Cyber Essentials Plus is clear. It's often a condition of contract. If that's your market, you need it.
Outside of that context? Most organisations would reach for ISO 27001 first. And I think that's the right instinct. ISO 27001 is a management framework — it covers the breadth of how you govern security risk, not just a defined set of technical controls. When I'm assessing a vendor, the things I want to see are an ISO 27001 certificate and statement of applicability, a SOC 2 report, and evidence of regular penetration testing. Cyber Essentials Plus may come into the picture, but it's not typically the lead ask.
That doesn't make Cyber Essentials Plus not worth doing. It just means you need to be clear about what problem it solves for your organisation.
A Certification Isn't the Same as Assurance
This is the point I keep coming back to.
Almost every framework-based certification is a point-in-time check. You demonstrate compliance at a moment in time — once a year, occasionally twice — and that becomes the basis on which you're assessed. An auditor reviews what you've done. You get a certificate. Twelve months later, you do it again.
What happens in between? Nobody's checking. And the reality is, a lot changes in twelve months.
If a customer has the right to audit you at any point — which is increasingly what strong contracts look like — and you've been managing your controls as a once-a-year exercise, you're exposed. You've got a piece of paper from six months ago and no live data. That's a problem.
The direction this needs to go is continuous assurance. Not compliance-as-a-checkpoint, but ongoing control testing that means you always know the state of your environment. Not because an auditor is arriving — because you've built the infrastructure to know.
That model has two benefits. First, you're actually more secure, because you're finding and fixing issues continuously rather than discovering them at certification time. Second, you can demonstrate that. You can show a customer or a regulator not just what passed at a point in time, but what your control environment looks like right now.
One thing that doesn't get discussed enough is how trust gets built over time between vendors and customers. The trust centre model — static documentation, annual updates — is already starting to look dated. Organisations that can host live evidence of ongoing control testing, and share that with customers who want to see it, are going to build a more credible kind of assurance than a certificate on a webpage.
Where the Industry Needs to Go
The framework stack is only going to grow. DORA, NIS2, the UK Cyber Security and Resilience Bill — more requirements, more scope, more reporting obligations. Businesses with three people in their GRC function can't absorb 15 frameworks as 15 separate workstreams.
The answer is rationalisation. A meta-framework approach — mapping controls from multiple frameworks against a common set of requirements, so you test once and evidence across many. That's what SureCloud's Control Framework is built to do: 150 controls, mapped across 10 frameworks. Test it properly, and you've covered the landscape without testing each framework in isolation.
AI has a real role here too. Not replacing judgement — supporting it. Mapping new requirements as they emerge, identifying overlaps, flagging gaps. The volume of incoming obligation is outpacing the capacity of teams to manually manage it. That's not going to change.
But the technology is only useful if the underlying approach is right. And the underlying approach needs to shift from "how do we demonstrate compliance?" to "how do we maintain genuine assurance?"
Those aren't the same question. And the gap between them is where most of the real security risk lives.
What I'd Actually Tell Practitioners
If you're deciding which frameworks to pursue, start with why. What are you trying to demonstrate, and to whom?
If you're in UK government supply chains, Cyber Essentials Plus is non-negotiable. Get it. But don't stop there and assume the work is done.
If you're selling into financial services or enterprise, ISO 27001 should be your foundation. Build the management system properly, get an external audit, keep the statement of applicability current.
If you want to go beyond compliance — and I'd argue every mature organisation should — build continuous control monitoring into your programme. Not because a framework requires it. Because it's the only way to know whether your controls are actually working.
A certificate says you passed a test. Continuous assurance says you're doing the work every day.
That's the one I'd trust.