secusaurus

joined 1 year ago
[–] secusaurus@infosec.pub 2 points 1 year ago (1 children)

I agree with security being a process.

However, in my experience something like an ISO 27001 checks just documents. Except for spending a lot of money and time into creating and maintaining these, the label does not tell me anything about if the company is able to handle real-world incidents. At least if the auditor is not very into tech (which I cannot know just looking at the resulting label).

But +1 for

I would think threat actors would take that as a challenge.

:D

 

Hi all,

I did a lot of research, but got the point where I wonder: Is there any real meaningful infosec certification a company could gain?

I can follow a lot of frameworks and do certifications on them (like ISO 27001, NIST CSF, ISACA COBIT, TISAX, etc.), but they all are looking at documents and processes which kind of prove the mindset, but not actual security.

I think about something like "company survived a 5-day pentest or regulary does blue team exercises", etc., which show that the company can detect and respond and not only write documents.

Does anyone know about something like that? Or does this simply don't exists yet?

Thanks for the input!