
Inside Cyber Security: Accreditations are tools, not trophies
Accreditations are only as valuable as the way you use them.
That was the message to delegates from one speaker at the East Midlands Cyber Summit.
Former logistics company director Paul Abbott said that accreditations such as ISO 27001, Cyber Essentials, and Cyber Essentials Plus should be treated as ongoing tools – not one‑off badges to show that your company ‘does’ security.
In the closing remarks of his keynote address at the East Midlands Cyber Summit, Mr Abbott drew a sharp distinction between tools and trophies. A trophy mindset says ‘get certified, get the logo, put it on the website and in the sales deck, and move on’. Hard work simply clusters around the audit date; once the certificate is issued, the urgency fades. In that world, accreditations are endpoints.
A tool mindset is the opposite. Here, ISO 27001 and Cyber Essentials are treated as living frameworks that constantly shape decisions, controls and behaviours. The question posed by Mr Abbott was not ‘Do we have the badge?’ but rather ‘How are we using this framework today to run the business more securely?’.
Mr Abbott described how his food logistics experience showed him what living discipline looks like.
Under BRC and similar food standards, he told delegates, the organisation was “always under the spotlight”. Customers, auditors and supply‑chain partners continuously checked for contamination risk. Because someone was always watching, the accreditation stayed alive in daily routines.
Cyber accreditations rarely come with that level of ongoing external scrutiny. No one is standing over the IT Department checking ISO 27001 controls every week. That is why, Mr Abbott argued, organisations must build their own spotlight: internal frameworks that keep the tools in active use.
Living an accreditation means:
In this model, the certificate is simply confirmation that real discipline is in place every day.
For accreditations to function as tools, the board has to support them.
That means regular, honest reporting on how ISO 27001 and Cyber Essentials are being applied in practice: where controls are strong, where gaps are emerging, what internal audits are finding, and how lessons are being acted on.
As such, the key governance question shifts from ‘Are we certified?’ to ‘Are we actively using these frameworks to manage our risk, right now?’.
If the answer ever becomes ‘only around audit time’, the organisation has slipped back into badge culture.
Mr Abbott asks companies whether – if accreditations came with no logo, no marketing advantage and no tender tick‑box – they would still invest in them. If the honest answer is no, then they are probably treating certifications as badges.
If, however, companies see certifications as essential operating tools – a structured way of managing risk, driving improvement and holding people to account – then the certificate is almost incidental.
The value – as Mr Abbott noted at the East Midlands Cyber Cluster-led Summit – lies in the discipline you practise when no auditor, customer, or regulator is watching.