You passed NIS2 / ISO 27001. Now what?
The certificate is real. The safety it implies is not.
Part 1: The red light
Imagine a road with a traffic light. The light turns red. Legally, you must stop.
That rule “stop at red” is the policy. It's written down. It's clear. Everyone in the organisation has been told about it. You've even had a consultant help you draft it, had leadership sign it off, and filed it in your GRC platform.
The problem? A policy is just a rule on paper. It describes the world as it should be, not the world as it is.
Nobody is watching whether drivers actually stop. There's no enforcement. There's no monitoring. And so, predictably, some drivers run the red light. Not always intentionally, sometimes they're in a hurry, sometimes they didn't see it, sometimes the light was working differently last week and nobody updated the process.
In cybersecurity terms: your policy says MFA is required for all admin accounts. But is it actually enforced? Is it configured correctly across every tool? Did last month's onboarding follow the procedure? Did a configuration change in Microsoft 365 silently break it?
Example of Continuous Best Practices Monitoring in the Cyfora Platform
You don't know. Because the policy doesn't tell you what's happening. It only tells you what's supposed to happen.
Part 2: The speed camera or the policeman at a certain spot.
Now add a speed camera at a certain spot or a policeman. Once a year, someone checks the footage.
This is your pentest. This is your annual ISO 27001 audit.
Once or twice a year, a team of professionals looks carefully at your environment, tests whether your controls are actually working, and tells you what they found. It's valuable. It's necessary. It absolutely should be part of your security program.
But here's the thing: the camera only catches what happens in front of it, at the moment the shutter fires. The police officer only sees what happens while they're standing there.
A driver who ran the red light in March won't show up in the December footage. A misconfiguration that was introduced in Q2 and quietly fixed, or quietly not fixed, won't appear in the audit report. The officer gives you an accurate picture of your posture on the day they showed up. What happens for the other 350 days is invisible to them.
In cybersecurity terms: your pentest finds what's exploitable today. Your ISO audit verifies that controls exist and are documented. Both are point-in-time snapshots. Between those snapshots, your team deploys new tools, updates configurations, onboards new users, changes firewall rules.
Drift accumulates. Gaps open up. The picture the auditor saw is already outdated by the time the report lands in your inbox.
This is not a criticism of audits or pentests. It's a structural limitation of point-in-time assessment. And most organisations have no answer for it.
Part 3: The average speed check
Now imagine a different approach to road safety. Instead of a camera at a single point, you have sensors at the start and end of a motorway section and a system that calculates your average speed across the entire distance.
You can't game it. You can't slow down for one camera and accelerate past the next. The check is continuous. The measurement is the whole journey.
This is what CYFORA does.
CYFORA connects directly to your security stack: SentinelOne, Palo Alto, Fortinet, Microsoft 365 and reads your configurations continuously. Not once a year. Not on audit day. Every day.
Example of Continuous Best Practices Monitoring in the Cyfora Platform
When the configuration changes, CYFORA sees it. When a control drifts from its secure baseline, CYFORA flags it. When a new gap opens up between your policy and what's actually deployed, CYFORA surfaces it with context, with evidence, and with a prioritized recommendation for what to do next.
Example of Configuration drift monitoring and evidences in the Cyfora Platform
Example of Configuration drift monitoring with history and evidences in the Cyfora Platform
Your team doesn't have to wait for the next audit to find out where things stand. The auditor doesn't arrive at a fire drill of last-minute remediation. Leadership doesn't read a monthly report that's already a month out of date.
You always know where you are. Not where you were.
Passing an audit doesn't mean you're safe. It means you were compliant on the day someone checked.
CYFORA is built for the other 364 days.
Want to see what continuous configuration and Policy monitoring looks like against your stack? Book a 30-minute walkthrough with Cyfora. live instance, no sales deck, no prep required.
Author: Wim De Smet