A supplier’s certificate doesn’t protect you

Your supplier sends their ISO 27001 certificate. Professionally formatted, issued by an accredited body, clearly showing they’ve been assessed against information security standards. You file it away, tick the compliance box, move on.

But what have you actually learned? More importantly, what protection does that certificate provide?

Less than you think.

This is not an argument against security certificates. ISO 27001, Cyber Essentials, SOC 2—these are valuable indicators of a supplier’s commitment to security. But they’re information, not assurance. Mistaking one for the other creates a dangerous gap in your supplier risk management.

What certificates actually tell you

Security certificates represent a point-in-time assessment of documented practices.

An ISO 27001 certificate tells you that on a specific date, an auditor reviewed the supplier’s information security management system and found it met requirements. They have documented policies, defined processes, implemented controls.

A Cyber Essentials certificate verifies that when assessed, the supplier had basic technical controls: firewalls, secure configuration, access control, malware protection, patch management.

A SOC 2 Type II report details how systems and controls operated over a defined period (usually six to twelve months), assessed against specific trust principles like security, availability, or confidentiality.

These are meaningful achievements. They demonstrate investment in security, submission to independent assessment, meeting externally defined standards.

But here’s what they don’t tell you: whether those standards and controls are still in place today.

The decay of certification assurance

Certificates have expiry dates. The assurance they provide starts decaying immediately.

Consider ISO 27001, typically valid for three years with annual surveillance audits. The certificate issued in January represents a security posture assessed several months earlier. By the time you see it, the assessment data might be six months old.

The supplier could have had a significant incident two months after certification. They could have made infrastructure changes affecting security controls. Key security staff could have left. They could have moved data processing to a new jurisdiction.

None of this automatically triggers certificate revocation. The certificate remains valid until expiry or until the next surveillance audit reveals non-conformance significant enough to warrant suspension.

The gap between “has a valid certificate” and “currently maintains the practices that earned the certificate” is where most supplier risk lives.

What certificates don’t cover

Security certificates also have scope limitations that are easy to overlook.

ISO 27001 certification can be scoped to specific business units, locations, or services. A supplier might have ISO 27001 for European operations while the data centre hosting your data sits outside that certified scope. The certificate exists, it’s valid, but it doesn’t cover what you actually care about.

Cyber Essentials assesses technical controls, not organisational practices. It doesn’t evaluate incident response capability, business continuity planning, or data handling procedures. A supplier can be Cyber Essentials certified and still have poor practices in areas that matter to your risk profile.

SOC 2 reports are even more scope-dependent. They assess controls relevant to specific trust principles defined in the engagement. A SOC 2 Type II report focused on security and availability tells you nothing about confidentiality controls or privacy practices.

Understanding scope is critical. A certificate proves the supplier met certain standards within a defined boundary. It doesn’t prove comprehensive security across their entire operation.

The problem with certificate reliance

When organisations treat certificates as sufficient assurance, they’re outsourcing their risk assessment to the certifying body’s scope and schedule.

This creates problems:

Temporal mismatch: You need current risk posture. Certificates tell you historical posture when last assessed.

Scope mismatch: You care about specific risks relevant to your engagement. Certificates cover whatever scope the supplier chose to include.

Standards mismatch: Certification standards reflect consensus requirements across many use cases. Your specific concerns might not align with what the standard prioritises.

Audit frequency mismatch: Annual surveillance audits might be adequate for certification maintenance, but inadequate for your need to know about significant changes between audits.

None of this makes certificates worthless. It means they’re one input into supplier risk assessment, not the entire assessment.

What “valid certification” actually means

When a supplier provides a valid certificate, you’ve learned several useful things:

They’ve demonstrated commitment to external accountability by submitting to independent assessment. This shows security is not just internal rhetoric but something they’re willing to have verified.

They’ve implemented baseline controls aligned with recognised standards. This provides a floor of minimum expectations you can reasonably assume they’ve met.

They’ve invested resources in certification, which often correlates with broader security maturity. Organisations pursuing formal certification typically have better practices than those that don’t.

They have documented security policies and procedures. This matters because undocumented practices tend to be inconsistent and difficult to maintain as organisations grow.

These are valuable data points. They should influence your confidence. But they should not end your assessment.

When certificates provide false confidence

False confidence emerges when certificates substitute for understanding.

It’s easy to see “ISO 27001 certified” and think “their security is sorted.” But certification status tells you nothing about:

  • Recent security incidents
  • How they responded to those incidents
  • Whether key security personnel are still employed
  • Infrastructure changes made since certification
  • Whether they’re maintaining controls between audits
  • Whether emerging risks are being addressed
  • Whether their security posture is improving or degrading

Treating certificates as sufficient assurance means accepting a twelve to thirty-six month visibility gap on changes that matter. For most supplier relationships, that gap is too large.

The certificate as starting point

Better framing: certificates are not endpoints, they’re starting points.

When a supplier has ISO 27001, that’s reason to be more confident than if they had nothing. It indicates baseline maturity. But it’s the beginning of assurance, not the conclusion.

From there, you should ask:

  • What’s the certification scope, and does it cover what matters to us?
  • When was the last audit, and when is the next one?
  • Have there been security incidents since certification?
  • How are they monitoring and maintaining controls between audits?
  • What additional evidence can they provide of current security posture?

These questions don’t undermine the certificate’s value. They contextualise it appropriately and fill gaps certification alone cannot address.

Combining certificates with other evidence

Effective supplier assurance uses certificates as one input alongside other evidence.

Continuous monitoring: Rather than relying on annual audit cycles, implement monitoring that provides more frequent signals about changes or degradation.

Incident transparency: Establish expectations that suppliers disclose security incidents promptly, not just at the next audit. This fills the temporal gap.

Supplementary attestations: For high-risk suppliers, request additional evidence beyond standard certificates. This might include penetration test results, vulnerability scan reports, or specific compliance documentation relevant to your use case.

Contractual requirements: Ensure contracts include obligations to maintain certification standards continuously and notify you of significant changes affecting your risk exposure.

This layered approach treats certificates as valuable baseline evidence while acknowledging they don’t provide complete, current assurance on their own.

The contractual reality

Even with certificates, your contract probably hasn’t transferred supplier risk away from you.

Most supplier contracts include limitation of liability clauses capping the supplier’s financial exposure well below the potential cost of serious security incidents. Your payment processor’s liability might be capped at twelve months of fees, while a major breach could cost multiples of that in remediation, regulatory fines, and lost business.

The supplier’s ISO 27001 certificate doesn’t change this contractual reality. If something goes wrong, their certification might reduce the likelihood of negligence claims, but it doesn’t eliminate your exposure or increase their liability.

You’re still inheriting the risk. The certificate just provides evidence they’re trying to manage it appropriately.

Building proportionate assurance

For most SMEs, proportionate supplier assurance means:

Using certificates as a minimum bar: Require appropriate certification (ISO 27001, Cyber Essentials, SOC 2) from suppliers handling sensitive data or providing critical services. But don’t stop there.

Understanding certification scope: Actually read the certificates. Check what’s included, what’s excluded, when it was issued, and when it expires. Scope matters.

Monitoring between certifications: Implement processes providing visibility into supplier security posture between formal audit cycles. This is where modern supplier assurance tools add significant value.

Risk-weighting your suppliers: Not every supplier needs the same scrutiny. Risk-based prioritisation ensures you focus detailed efforts on suppliers that matter most.

Combining evidence types: Use certificates alongside incident disclosures, security monitoring data, and contractual commitments to build a more complete picture.

This approach respects what certificates provide—meaningful baseline evidence—while acknowledging what they don’t provide: current, complete, or continuous assurance.
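The checks in this section (read the scope, check the dates, age the evidence against the supplier’s risk tier, confirm incident disclosure is agreed) can be kept as a simple register rather than a filed PDF. The following is an added example, not code from the original post: a small Python supplier register that applies those checks and returns findings per supplier. The supplier names, services, dates and evidence-age thresholds per tier are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Maximum acceptable age of assessment evidence per supplier risk tier.
# Constructed thresholds for illustration; set your own per risk appetite.
MAX_EVIDENCE_AGE_DAYS = {"critical": 90, "high": 180, "standard": 365}


@dataclass
class Certificate:
    standard: str        # e.g. "ISO 27001", "Cyber Essentials", "SOC 2 Type II"
    scope: set           # services / locations the certificate explicitly covers
    assessed_on: date    # audit date, or end of the SOC 2 reporting period
    issued_on: date
    expires_on: date


@dataclass
class Supplier:
    name: str
    tier: str                          # "critical" | "high" | "standard"
    services_used: set                 # what we actually consume from them
    certificates: list = field(default_factory=list)
    incident_disclosure_agreed: bool = False   # contractual prompt-disclosure clause in place?


def assess(supplier: Supplier, today: date) -> list:
    """Return findings for one supplier; an empty list means the certificates
    cover what we use, the evidence is fresh enough for the tier, and
    incident disclosure is contractually agreed."""
    findings = []
    max_age = timedelta(days=MAX_EVIDENCE_AGE_DAYS[supplier.tier])
    covered = set()

    for cert in supplier.certificates:
        # Temporal check 1: is the certificate actually valid today?
        if not (cert.issued_on <= today <= cert.expires_on):
            findings.append(
                f"{cert.standard}: not valid on {today} "
                f"(valid {cert.issued_on} to {cert.expires_on})"
            )
            continue  # an invalid certificate covers nothing
        # Temporal check 2: how old is the underlying assessment evidence?
        age = today - cert.assessed_on
        if age > max_age:
            findings.append(
                f"{cert.standard}: assessment evidence is {age.days} days old; "
                f"{supplier.tier} tier allows {max_age.days}"
            )
        # Scope check: only the overlap with what we use counts as covered
        covered |= cert.scope & supplier.services_used

    uncovered = supplier.services_used - covered
    if uncovered:
        findings.append(f"services outside certified scope: {sorted(uncovered)}")

    # Fills the gap between audits: certificates never report incidents
    if not supplier.incident_disclosure_agreed:
        findings.append("no contractual incident-disclosure obligation agreed")

    return findings


def register_report(suppliers: list, today: date) -> dict:
    """Map supplier name -> findings, so follow-up can be prioritised by tier."""
    return {s.name: assess(s, today) for s in suppliers}


# Constructed sample register (not real suppliers or certificates)
TODAY = date(2024, 6, 1)
SAMPLE_SUPPLIERS = [
    Supplier(
        name="Payment processor",
        tier="critical",
        services_used={"card-processing", "eu-data-centre"},
        certificates=[Certificate("ISO 27001", {"card-processing"},
                                  date(2023, 12, 1), date(2024, 1, 15), date(2027, 1, 14))],
        incident_disclosure_agreed=True,
    ),
    Supplier(
        name="Mailing list provider",
        tier="standard",
        services_used={"email-sending"},
        certificates=[Certificate("Cyber Essentials", {"email-sending"},
                                  date(2024, 3, 1), date(2024, 3, 5), date(2025, 3, 4))],
        incident_disclosure_agreed=True,
    ),
    Supplier(
        name="Legacy hosting",
        tier="high",
        services_used={"file-storage"},
        certificates=[Certificate("ISO 27001", {"file-storage"},
                                  date(2020, 11, 1), date(2021, 1, 10), date(2024, 1, 9))],
    ),
]

if __name__ == "__main__":
    for name, findings in register_report(SAMPLE_SUPPLIERS, TODAY).items():
        print(name, "->", findings or ["no findings"])
```

Run as-is, the payment processor shows a valid certificate whose evidence is already too old for a critical-tier supplier and whose scope misses the data centre we actually rely on; the legacy host’s expired certificate counts for nothing and it has no disclosure clause. Only the mailing list provider comes back clean.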

The honest assessment

Security certificates matter. They demonstrate commitment, establish baselines, provide independent verification of documented practices. Suppliers with appropriate certification are generally lower risk than those without.

But certificates are not protection. They’re information.

They tell you a supplier met certain standards at a point in time within a defined scope. They don’t tell you if those standards are being maintained today. They don’t tell you if incidents have occurred. They don’t tell you if risks have changed.

When you inherit supplier risk (and you always inherit supplier risk), you inherit it regardless of what certificates the supplier holds. The certificates provide context and confidence, but they don’t transfer accountability.

Your customers don’t care if your breached supplier was ISO 27001 certified. Your regulator won’t accept “but they had Cyber Essentials” as defence against inadequate due diligence. Your Board will still ask why you didn’t have better visibility despite the certificates you collected during onboarding.

A certificate is information, not assurance

This is the core distinction: certificates provide information about supplier security practices. Assurance comes from how you use that information within a broader approach to supplier risk management.

Good supplier assurance uses certificates appropriately—as valuable baseline indicators that inform confidence but don’t provide complete visibility. It recognises that inherited risk requires ongoing attention, not just point-in-time verification.

A supplier’s certificate doesn’t protect you.

What protects you is knowing when to trust certificates, what they actually mean, and what else you need to understand about the suppliers you depend on.
