I would think threat actors would take that as a challenge.
I agree with security being a process.
However, in my experience something like ISO 27001 just checks documents. Except for spending a lot of money and time on creating and maintaining these, the label does not tell me anything about whether the company is able to handle real-world incidents. At least if the auditor is not very into tech (which I cannot know just from looking at the resulting label).
But +1 for
:D