Improving and strengthening cybersecurity in the public sector should be a top priority for government agencies, including municipalities and regions. To remain resilient against surges in cyberattacks, organizations should consider establishing a cybersecurity program based on international standards and best practices. In this paper we examine cybersecurity compliance in the Swedish public sector in relation to the best practices and guidelines set out in the ISO/IEC 27001A framework. Our findings indicate that the overall security status of the municipalities and regions contained many flaws, with substantial gaps and critical issues. ISO/IEC 27001A provides a standardized baseline, but it is somewhat theoretical and starts from a policy, without offering insight into how to govern information security in practice. Moreover, most of the ISO/IEC-related gaps we identified fell within a single domain, “Technology”. Although compliance with standards, best practices, and regulatory requirements can help reduce cyber risk, it does not guarantee that an organization will have strong cybersecurity. To address this issue and to assess how well organizations can protect against, detect, respond to, and recover from cyberattacks, an effective method for measuring security performance must be developed.