this post was submitted on 20 Jul 2023
6 points (100.0% liked)
cybersecurity
3299 readers
1 users here now
An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Community Rules
- Be kind
- Limit promotional activities
- Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Enjoy!
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I agree with security being a process.
However, in my experience something like an ISO 27001 checks just documents. Except for spending a lot of money and time into creating and maintaining these, the label does not tell me anything about if the company is able to handle real-world incidents. At least if the auditor is not very into tech (which I cannot know just looking at the resulting label).
But +1 for
:D
I don’t have the document on hand while writing this, but I believe ISO27001 and most other certs have controls around regular pentests on an organization’s infrastructure and applications, and they ask for evidence that those are done regularly and ask for proof of remediation of findings during audits. While they don’t directly ask if “company survived a 5 day red team exercise”, the control processes they check for indirectly checks for those. And yes, it largely depends on how technical and how deep the auditor wants to go.