Why passing your last audit doesn't mean you're secure today | Assurix
A certificate proves you were compliant on one day. It says nothing about today. Here is why point-in-time proof leaves a gap, and what to do about it.
Your ISO certificate is on the wall. Your Cyber Essentials Plus passed in spring. Both are real, and both describe a moment that has already gone. Security is a moving target. It drifts the day after the assessor leaves.
What is wrong with point-in-time certification?
Nothing, as far as it goes. The problem is how far it goes. A point-in-time audit proves you met the standard on the day of the audit. It cannot prove anything about the 364 days that follow. And those are the days when MFA gets disabled for a VIP, a backup fails silently, a leaver keeps their access, and reality quietly diverges from the certificate.
How fast does compliance actually drift?
Faster than most owners think. One new client onboarded without the full checklist. One tool swapped without updating the policy. One busy month where access reviews slip. None of it is negligence. It is entropy, and it starts the moment the audit ends. By the time the next annual audit comes round, the gap between your certificate and your reality can be wide.
(This drift is exactly what continuous monitoring is built to catch. The Assurix platform tracks your controls between audits, so a slip surfaces in weeks rather than at the next annual review. If you would rather know in real time than find out at audit, that is the point of it.)
We already have ISO and Cyber Essentials, is that not enough?
It is a strong start, and it is not the whole answer. Holding ISO 27001 or Cyber Essentials shows work done at a point in time. It does not show that those standards are still being maintained today. That is the gap the Assurix Trustmark is built to close. It sits alongside your existing certifications, aligned with the NCSC Cyber Assessment Framework v4, audited annually with continuous monitoring in between, all 64 controls required to pass. Where a certificate says you did the work, the Trustmark keeps proving you still are.
Not sure where your gaps are? Take the Proof Gap Scorecard and get a scored view in a few minutes.
Take the Proof Gap ScorecardWhat does always-current proof change for your clients?
It changes what you can promise. Instead of "we passed our audit in March", you can say "we are compliant today, and here is the live evidence". Clients feel the difference. Ian Groves at Start Tech put the personal version of it simply: I sleep much easier at night. That comes from knowing the proof is current, not from remembering that you passed once.
For how the Trustmark compares with the standards you may already hold, see our guide to ISO 27001 for MSPs.
How do you keep proof current without adding headcount?
You let the tools you already pay for do the collecting. Your RMM knows your patch status. Your identity platform knows your MFA coverage. Your backup tool knows whether the last restore worked. The work is not gathering it by hand, it is connecting those sources once and letting the evidence flow. That is the difference between a compliance job that needs a full-time owner and one that runs in the background.
So continuous monitoring does not mean more staff. Assurix pulls the live evidence from your existing PSA, RMM and security tools, and only asks for a human when a control genuinely needs judgement or a slip needs fixing.
A certificate is a photograph. Useful, and out of date the moment it is taken. If you want proof that means something to a client or an insurer, it has to reflect today. Keep it current and keep something independent enforcing it. That is what Assurix is for.
Not sure where your gaps are? Take the Proof Gap Scorecard and get a scored view in a few minutes.
Take the Proof Gap ScorecardFrequently asked questions
Does passing an audit mean I am secure?
It means you met the standard on the day of the audit. It says nothing about the months that follow, when drift happens.
How is the Assurix Trustmark different from ISO or Cyber Essentials?
Those prove work at a point in time. The Trustmark adds continuous monitoring between annual audits, so it proves the standard is still being maintained.
Can I lose the Trustmark between audits?
Yes. If a control fails and is not remediated within 30 days, the badge is publicly suspended. That enforcement is what makes it credible.