What ISO 27001 Recertification Actually Looks Like

Louis Zezeran, 18 June 2026

When the Security Company Becomes the Client

There’s a particular kind of pressure that comes with being a cybersecurity firm going through its own security audit. If anyone should pass ISO 27001 without breaking a sweat, it’s the people who help everyone else do it. So when NEVERHACK Estonia went through its own recertification, it was the perfect moment to pull back the curtain — not on a polished case study, but on the real, slightly sweaty experience of living the standard.

In this episode of the NEVERHACK Cybercast, host Louis Zezeran welcomes back Andres Järv, vCISO at NEVERHACK Estonia, for a conversation recorded in the original Comedy Estonia studio — a fittingly underground, no-frills setting for a refreshingly honest discussion. Across two big themes, ISO 27001 recertification and the virtual CISO model, Andres delivers the kind of practical insight you only get from someone who has sat in the audit room more than once.

ISO 27001, Explained Without the Jargon

Andres opens with a definition that cuts through the noise. ISO 27001 is an international information security management system standard — part of the same ISO family as quality management (9001), occupational safety, and food safety. At its core, it’s about setting up processes that let you do information security with consistent quality, year after year.

The old framing was the “Plan-Do-Check-Act” loop: plan something, do it, measure it, improve it. That phrasing has been removed from the current standard, but the spirit remains — continuous improvement, baked into how the organisation operates. And critically, ISO 27001 deliberately pulls top management into the picture. Security stops being “a techie problem” and becomes a business risk, a business opportunity, and a board-level responsibility. Documentation, record-keeping, management reporting, internal audits, risk assessments — they all feed a cycle that’s supposed to make the company genuinely better over time, not just compliant on paper.

The 0.7% That Proves the Point

One of the episode’s most memorable moments is a statistic Andres came across: a US study of around 100 companies found that when a business publicly announces it has earned ISO 27001 certification — factoring out every other reason for growth — its market value rises by roughly 0.7%.

It’s a small number with a big implication. That uplift isn’t measuring whether the company is actually more secure; it’s measuring the confidence the announcement creates in the market. Clients, suppliers, and partners around the world recognise that earning the certificate means you’ve had to change how you work — and do it better. As Andres stresses, done in the right spirit it’s never “just paperwork.” If you integrate it properly, you genuinely have to improve.

Why Companies Really Do It

Andres is candid about motivations. For many, the driver is regulatory compliance: under Estonia’s NIS2 implementation, ISO 27001 is one recognised route to meeting obligations, which is pushing thousands of companies to take it seriously. For commercial businesses, the certificate is a passport to tenders that require it, and an edge when a prospective partner is vetting you against a competitor.

He also tackles the “management liability” angle head-on — and pushes back on it as a sales pitch. One client’s leadership pointed out that executives are already personally liable for plenty of things (workplace accidents, for instance), so “now you’re liable for this too” rarely lands with companies that already take security seriously. The better motivation, Andres argues, is the real one: actually becoming more secure. Encouragingly, most clients who come to NeverHack genuinely want to do it properly, rather than treat it as a tick-box exercise.

What Recertification Actually Looks Like

This is where the episode earns its keep for anyone facing an audit. Andres maps out the full three-year cycle clearly:

  • Year zero: the initial certification — the big push, the hardest lift.
  • Years one and two: surveillance audits — narrower in scope, checking you haven’t “exhaled” and slipped back into old habits.
  • Year three: recertification — a full-scope audit that earns you a fresh certificate good for another three years.

He also draws an important distinction between the two audits that happen every year. The external (certification or surveillance) audit confirms you comply with the standard and with the rules you’ve set yourself. The internal audit should go deeper — conducted by someone more intimately familiar with the business, asking not just “did you follow the standard word for word?” but “is this actually helping us? Are these measures effective?” A good internal auditor finds things, so you can keep improving.

The logistics are demystified too. NeverHack — around 60 people on one site — faced roughly three auditor-days on site, including a day with two auditors running parallel interviews. That means real coordination: booking rooms, managing calendars, getting the right people in front of the auditors. And auditors don’t just talk to the CISO; they speak to management, IT, and — in NeverHack’s case — the SOC team, since the security operations centre handles internal incidents the same way it does for clients.

Documentation Meets Reality

A recurring theme: auditors correlate what’s written against what’s actually done. You can have a beautiful incident-management procedure on screen, but the auditor will then ask you to show it happening in your live systems. If the documentation and the reality don’t match, that’s a finding. A skilled auditor is professionally skeptical, asks probing questions, and cross-references answers between interviews — so if the CISO says one thing and IT says another, it surfaces. As Andres quips, if it were just a documentation review, ChatGPT could do it.

At the close of the audit, you get a preliminary verdict: any non-conformities (which can block certification and must be fixed quickly — occasionally with a return visit for serious ones), plus observations and opportunities for improvement to take home. The golden rule? No secrets from the auditor. By the end of the audit, you should already know whether you’ve passed. NeverHack’s own result was positive — no showstoppers, a few recommendations, and the certificate working its way through the issuance process (delivered, fittingly, as a PDF rather than a framed wall-piece).

The Virtual CISO: Expertise Without the Full-Time Hire

The second half pivots to Andres’s actual day job. A vCISO is, in the simplest terms, an outsourced part-time Chief Information Security Officer. It suits organisations that don’t need — or can’t justify — a full-time hire: beginners learning what the role even involves, and seasoned companies that have outgrown managing security through their IT team and management alone.

Andres’s analogy lands perfectly: a 2,000-employee company doesn’t hire its own in-house family doctor. You bring in outside expertise because your core business is elsewhere, and keeping a specialist trained, motivated, and current isn’t your job. NeverHack handles that, ensuring its vCISOs stay educated and up to date — then shares that knowledge across many clients.

He backs it with sobering math: Estonia has roughly 700 people working in cybersecurity, against an estimated 3,000–4,000 companies that should be certifying under NIS2. Everyone hiring their own CISO simply isn’t possible — and most don’t need to. Even a profitable mid-sized company may struggle to attract top talent, because a single organisation sees so few serious incidents that there’s little to learn from. As Andres puts it, you’d rather have a SOC analyst who handles high-severity incidents weekly than an in-house specialist who sees one every three years and panics. A consultant accumulates best practices across clients and brings them to everyone — exactly what good consulting is for.

Eating Their Own Dog Food

Finally, Andres explains how NeverHack practises what it preaches. When its previous CISO left last October, management decided the company’s size didn’t justify a full-time replacement — so they treated NeverHack Estonia as a typical vCISO client. The role rotates across the team, responsibilities from the standard are divided up and tracked on a Jira Kanban board, and regular meetings keep everything moving.

The payoff is a lesson for everyone: done in good faith, ISO 27001 forces you to distribute the work rather than pile it on one person. Thanks to excellent documentation left by their previous CISO, the team got up to speed in about five months ahead of recertification — proof that when knowledge lives in writing and processes, no single departure can topple the system.

Listen Now

Whether you’re approaching your first certification, dreading a recertification, or weighing whether to hire or outsource your security leadership, this episode is full of grounded, real-world guidance you can act on.

🎧 Listen now, explore more at neverhack.ee or neverhack.com, connect with Louis and Andres on LinkedIn, and subscribe to the NeverHack Cybercast so you never miss an episode.
