Episode notes
If anyone should breeze through an ISO 27001 audit, it's a cybersecurity company — right? In this episode of the NeverHack Cybercast, host Louis Zezeran sits down with Andres Järv, vCISO at NeverHack Estonia, fresh from the firm's own recertification, for an honest look at what the standard really demands.
Andres breaks down what ISO 27001 actually is, the three-year audit cycle, what auditors look for (and how they catch you out), and why your documentation has to match reality. Then he unpacks the virtual CISO model: why even profitable companies outsource security leadership, what Estonia's talent shortage means under NIS2, and how NeverHack "eats its own dog food" by acting as its own vCISO client.
Practical, candid, and jargon-free — essential listening for anyone facing certification or deciding whether to hire or outsource.
...