Here’s What You Should Really Be Asking Your Suppliers For

So, you’re working with a supplier who proudly announces they’re ISO 27001 certified. Great! You ask for their certificate, tick the box, and move on.

Except… that’s not enough.

Don’t get us wrong. Certification is a good sign. It means the organisation has put some time, effort and (hopefully) budget into their information security practices. But a certificate alone doesn’t tell you much (if anything!) about how they’re actually managing risk day to day, or what their priorities are when it comes to protecting your data.

If you’re trusting a third party with access to your systems, customer info, or sensitive data, you need to look under the hood. Because security isn’t about gold stars. It’s about operational reality.

Why You Should Ask for More Than Just the Certificate

Let’s be clear: ISO 27001 certification doesn’t guarantee that a supplier is secure. It simply means they’ve implemented an Information Security Management System (ISMS) and passed an external audit — based on a scope they define themselves.

It’s entirely possible to be ISO 27001 certified while:

  • Ignoring key risks to clients
  • Leaving out critical assets from the scope
  • Applying bare-minimum controls
  • Treating compliance like a once-a-year event

That’s why, if you really want to understand how a supplier manages security, you need to ask for three specific things.

1. Statement of Applicability (SoA)

This is the master list of controls a company has and hasn’t implemented under ISO 27001. It’s basically a choose-your-own-adventure book — except instead of plot twists, you’re reading about access controls and network segmentation.

Why it matters: The SoA tells you what’s in scope, what’s out, and why. If your supplier has skipped a bunch of important controls, or scoped their ISMS to only cover part of their operations, that’s something you need to know, especially if your data is outside that scope.

2. Risk Register

This is where they document the risks they’ve identified, the likelihood and impact of each, and what they’re doing about them. It should be a living document that is updated regularly, owned by someone accountable, and aligned to their actual operations.

Why it matters: The risk register shows you how seriously an organisation takes threats like ransomware, phishing, insider abuse, and supply chain attacks. If it’s blank, outdated, or full of vague hand-waving, that’s a red flag. Security isn’t a guessing game, and neither is risk management.

3. Scope Document

This sets out how much of the organisation is covered by the certification: which physical locations, teams, products and services are in scope for the Management System.

Why it matters: A well-architected Scope Document paints a clear picture of what is being governed by the Management System and what is being left out.

Security Is More Than a Piece of Paper

Look, we get it. It’s tempting to treat supplier compliance like a checklist:

ISO 27001 certificate? Done.

Ask hard questions? Maybe later.

But compliance shouldn’t be a surface-level exercise. It needs to be embedded into everyday business operations, from onboarding vendors to managing access to conducting regular reviews.

Would you accept a driver’s licence as proof someone can drive a Formula 1 car? Of course not. So don’t accept a certificate as proof that a supplier is secure enough to be handling your customer data, managing your infrastructure, or plugging into your environment.

What You Can Do Instead

  • Ask for the Statement of Applicability, risk register and scope document, or at least ask to view them on-screen if a full copy is out of the question.
  • Check that their ISO 27001 certification scope actually covers the services you’re using.

How de.iterate Can Help

At de.iterate, we help businesses go beyond checkbox compliance. Our platform makes it easy to:

  • Keep your own SoA, risk register and Scope Documentation up to date
  • Share evidence with customers, auditors or partners (without exposing sensitive detail)
  • Build vendor assessment workflows that reflect best practice
  • Turn ISO 27001 into a daily habit, not an annual headache

Because true security is about trust. And trust is earned — not just certified.

If You’re ISO 27001 Certified, This Shouldn’t Be a Problem

Here’s the thing: if you hold ISO 27001 certification, you shouldn’t hesitate to share this kind of information with your clients and partners. In fact, you should be ready and willing to do it.

Why?

Because transparency is part of the job.

Having ISO 27001 means you’ve committed to systematic, risk-based security. If that’s genuinely part of your daily operations (and not just something you dusted off for the audit), then sharing your SoA, a summary of your risk register, and an overview of your asset register shouldn’t feel risky; it should feel routine.

Of course, you’ll want to redact or summarise where appropriate. No one’s suggesting you hand over your entire threat model or give away sensitive system details. But if a customer asks you how your controls align to their risk exposure, or whether their data is even in scope? You should have an answer and evidence ready to go.

And yes, de.iterate makes this easy too. Our platform helps you manage and version your compliance artefacts in one place, track what you’ve shared and with whom, and ensure that you’re presenting the right level of detail to the right stakeholders.

Because when compliance is done right, it’s not just about reducing risk — it’s about building trust. And in this industry, that’s your biggest asset.