In cybersecurity, you’re not buying a service, you’re buying risk reduction. If your SOC goes down the day a ransomware attack is triggered, no one will ask you what the name of the service provider was: they’ll ask you why you deemed the risk acceptable.
The problem is that many organizations reassure themselves with an ISO 27001 logo without checking whether it covers the only thing that counts: the SOC’s ability to see the attack, act quickly and provide you with solid evidence when it comes to accountability.
ISO 27001: what certification really guarantees
Unlike a technical performance assessment, ISO 27001 certification is based on an information security management system (ISMS): it relies on the definition of a perimeter, a risk analysis, and the implementation of policies, procedures, controls and regular audits.
In short, ISO 27001 provides three major guarantees:
- The organization has clearly defined what it is protecting, i.e. the scope of its ISMS;
- Security rules and policies have been put in place to protect this perimeter;
- An independent auditor regularly checks that these rules are effectively applied.
However, ISO 27001 leaves two important areas of flexibility:
- Certification scope: the service provider defines what is included in the ISMS and what is not;
- Applicability of controls: certain security controls can be disregarded, provided this is justified and documented.
As a result, it’s quite possible for a SOC to operate outside the certified perimeter, even if the ISO 27001 logo appears on the service provider’s sales literature. As CIO or CISO, your job is not to rely on the logo, but to understand precisely what ISO 27001 certification covers… and what it does not.
The 3 fundamental questions: what every CIO should ask their SOC
Instead of starting from the standards, let’s start from what you need to be able to explain to your COMEX or a NIS2 auditor:
- Who sees what (Visibility)
- Who did what?
- When will I be notified?
If your SOC doesn’t clearly answer these three questions, the rest is cosmetic.
1. Visibility: “Who sees what?”
In practice, the question isn’t “Are you ISO 27001?”, but: “Who has eyes on my systems, when, and under what discipline?”
What certification sometimes hides:
- The service provider certifies its support functions, its internal IS, its offices… but not the operational SOC that monitors your logs.
- The scope does not mention “SOC”, “24/7 security supervision” or “incident detection”.
The simple test:
- Ask for the certificate and the scope schedule.
- Look for the words “SOC”, “Security Supervision”, “24/7 Incident Detection”, or similar in black and white.
If you don’t see them, you’re paying for a rigor that may not apply to those who watch your screens at night.
2. Proof: “Who did what, when and why?”
The day a serious incident breaks out – or a NIS2 controller shows up – you won’t be asked if you trusted your provider. You’ll be asked, “Show me the traces.”
What your SOC must have:
- Systematic logging of analyst access and actions;
- Logs protected against unauthorized modification or deletion;
- An ability to replay history: who saw the alert, who qualified it, who decided what, and when.
The simple test:
- Ask how SOC analysts’ action logs are stored.
- Ask “Can you provide me with a 6-month history of accesses and decisions for one of my critical environments?”
If there’s a problem, you already know where your responsibility lies: no evidence = no defense.
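As an added example (not code from the article or from Elit-Technologies), here is a minimal tamper-evident log of analyst actions: each record's hash chains to the previous record's hash, so editing or deleting any entry breaks verification, and the per-alert history (who saw it, who qualified it, who escalated, and when) can be replayed. The field names and the sample records are constructed for the example.

```python
import hashlib
import json

# Constructed sample: analyst actions as they happened, oldest first.
# Field names (ts, alert, actor, action) are assumptions for this example.
SAMPLE_ACTIONS = [
    {"ts": "2024-03-02T02:14:05Z", "alert": "ALR-0042", "actor": "analyst.a", "action": "viewed"},
    {"ts": "2024-03-02T02:16:40Z", "alert": "ALR-0042", "actor": "analyst.a", "action": "qualified:true_positive"},
    {"ts": "2024-03-02T02:19:12Z", "alert": "ALR-0042", "actor": "lead.b", "action": "escalated:customer"},
    {"ts": "2024-03-02T02:20:00Z", "alert": "ALR-0077", "actor": "analyst.c", "action": "viewed"},
]

GENESIS = "0" * 64  # previous-hash value for the very first record


def canonical(entry):
    """Stable byte encoding so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(chain, entry):
    """Append a record whose hash covers both the entry and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()
    chain.append({"entry": dict(entry), "prev": prev, "hash": digest})
    return chain


def build_chain(actions):
    chain = []
    for action in actions:
        append(chain, action)
    return chain


def verify(chain):
    """Return the index of the first broken link, or -1 if the chain is intact.
    In production the latest hash would also be anchored outside the SOC
    (write-once storage, external timestamping) so the whole chain cannot be rebuilt."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + canonical(rec["entry"])).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1


def replay(chain, alert_id):
    """Reconstruct who did what, and when, for one alert."""
    return [(r["entry"]["ts"], r["entry"]["actor"], r["entry"]["action"])
            for r in chain if r["entry"]["alert"] == alert_id]
```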
3. Speed: “When will I be notified?”
Time is the one parameter you can’t buy back after the fact. A certified SOC that takes 4 hours to detect ransomware is still an excellent student… for the audit, but a poor partner for the business.
What certification guarantees:
- That there are procedures, roles and communication channels.
Which it absolutely does not guarantee:
- That you will be notified in 10 minutes, 30 minutes or 2 hours;
- That these deadlines are met in real life.
The simple test:
- Ignore the logo, ask for contractual SLAs:
  - Critical incident detection time;
  - Qualifying time;
  - Escalation and notification times.
- Ask for actual statistics over 12 months: “How many times have we met these deadlines?”
If detection time is not quantified in the contract, it does not exist.
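As an added example (not from the article or Elit-Technologies), here is how to compute the 12-month statistics the test above asks for from an export of incident records: per-stage durations (detection, qualification, notification) are compared with contractual targets and the number of incidents that met each one is reported. The SLA values, the field names and the sample incidents are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed contractual targets for critical incidents, in minutes per stage:
# detect = first event -> detection, qualify = detection -> qualification,
# notify = qualification -> customer notification.
SLA_MINUTES = {"detect": 15, "qualify": 30, "notify": 60}

# Constructed incident export; timestamp field names are assumptions.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "critical", "first_event": "2024-05-01T01:00:00Z",
     "detected": "2024-05-01T01:08:00Z", "qualified": "2024-05-01T01:25:00Z", "notified": "2024-05-01T01:40:00Z"},
    {"id": "INC-2", "severity": "critical", "first_event": "2024-06-12T10:00:00Z",
     "detected": "2024-06-12T13:55:00Z", "qualified": "2024-06-12T14:05:00Z", "notified": "2024-06-12T14:20:00Z"},
    {"id": "INC-3", "severity": "critical", "first_event": "2024-09-30T22:30:00Z",
     "detected": "2024-09-30T22:40:00Z", "qualified": "2024-09-30T23:30:00Z", "notified": "2024-09-30T23:45:00Z"},
    {"id": "INC-4", "severity": "low", "first_event": "2024-10-02T08:00:00Z",
     "detected": "2024-10-02T09:00:00Z", "qualified": "2024-10-02T09:30:00Z", "notified": "2024-10-02T11:00:00Z"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stage_minutes(incident):
    """Duration of each stage in minutes, measured between consecutive timestamps."""
    t_event, t_det = _ts(incident["first_event"]), _ts(incident["detected"])
    t_qual, t_not = _ts(incident["qualified"]), _ts(incident["notified"])
    return {"detect": (t_det - t_event).total_seconds() / 60,
            "qualify": (t_qual - t_det).total_seconds() / 60,
            "notify": (t_not - t_qual).total_seconds() / 60}


def sla_report(incidents, sla=SLA_MINUTES, severity="critical"):
    """For each stage: incidents that met the target, total, percentage and worst case."""
    rows = [stage_minutes(i) for i in incidents if i["severity"] == severity]
    report = {}
    for stage, limit in sla.items():
        met = sum(1 for r in rows if r[stage] <= limit)
        report[stage] = {
            "met": met,
            "total": len(rows),
            "pct": round(100 * met / len(rows), 1) if rows else None,
            "worst_min": max(r[stage] for r in rows) if rows else None,
        }
    return report
```

Run against a real export, the "worst_min" column is what exposes the 4-hour detection that an average would hide.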
Why this grid is vital for today's SMEs and mid-sized companies (ETI)
You’re no longer a “small target”. If you provide services or process data for entities subject to NIS2 (healthcare, energy, public authorities, finance, etc.), you become a link in their risk chain.
In concrete terms, this means:
- Your major customers and insurers will ask for proof, not promises.
- A poorly managed SOC service provider can call into question your own NIS2 compliance, and thus engage the personal liability of your managers.
Choosing a certified SOC for the right scope, with the right traceability and deadlines, is not a luxury:
- It avoids paying twice (service provider + penalty/ransom);
- It reduces the cost and pain of your audits, because 70-80% of the expected evidence is already produced by the SOC.
What this means in real-life situations (healthcare)
Let’s take a typical case: a 500-strong healthcare company, highly dependent on its systems to provide homecare services.
- An RGPD audit highlights:
  - Lack of evidence of security supervision;
  - IT service provider not certified ISO 27001;
  - Insufficient traceability of access to health data;
  - Unformalized continuity plans.
- The result: a formal notice, projects with GHTs and clinics put on hold, and a serious financial risk.
When this SME decides to get back on track, it doesn’t start by buying an “ISO 27001 SOC”; it starts by:
- Mapping critical service providers and their impact;
- Defining the minimum evidence it wants;
- Challenging its monitoring system with the three questions:
  - Who sees what?
  - Who did what?
  - When will I be notified?
Switching to a SOC with a certified scope covering detection and response, with logging of analysts’ actions and contractual SLAs on incidents, then becomes a piece of a larger puzzle: demonstrating that it has its risk chain under control.
It’s this trajectory – more than a simple change of logo – that has enabled us to reassure the CNIL, unlock €1.2 million in contracts and regain control of our relationships with major clients.
The Elit-Technologies approach: a SOC designed to be questioned
At Elit-Technologies, we work on the same principle as your auditors: you need to be able to explain, prove and improve.
In concrete terms, our SOC is designed around three commitments:
- Clear perimeter: 24/7 supervision, incident detection and response are all part of the ISO 27001 certified perimeter, not just the back office.
- Exploitable traceability: our analysts’ actions are logged, correlated and available in the event of an audit or incident.
- Visible lead times: detection, qualification and escalation times are contractualized and measured over time.
It’s not a promise of perfection. It’s a commitment to be auditable and to provide you with evidence aligned with your own NIS2/RGPD obligations.
Want to know if your SOC (current or future) really reduces your risk – or if it just reassures you with a logo?
Together, we can put your provider through the 3 questions and 5 key points in this article, starting from your NIS2, RGPD and business constraints.
Book a 30-minute meeting with an Elit-Technologies expert to test the robustness of your supervision system.