An ISO 27001 certificate is great for supporting sales – but it’s worthless during an attack

Here’s a truth that boards of directors are often reluctant to acknowledge: the nice certificate hanging on the wall and your organization’s actual cyber resilience often have very little to do with each other. The compliance industry has created a perverse incentive system: it sells security as a state (a certificate), even though security is a process. The result? Certified companies that are unable to respond effectively in a crisis. As an auditor who also assesses operational processes, I see this far too often.

The 2025 BSI Cybersecurity Situation Report documents this plainly: according to the BSI, 80% of operators of critical infrastructure (KRITIS) have implemented an Information Security Management System (ISMS), yet significant gaps remain in attack detection and Business Continuity Management (BCM). At the same time, there were 950 registered ransomware attacks during the reporting period, with 80% targeting medium-sized companies. Many of these organizations were ISO 27001 certified.

An ISMS that only comes to life when the auditor arrives is an expensive performance. An ISMS that regularly practices detection, response, and recovery is real security. The question is not whether you are certified- it’s when you last conducted a realistic incident exercise, including the 24-hour notification to the BSI under Section 32 of the German Federal Office for Information Security Act (BSIG).

When was the last time your executive board ran through a ransomware scenario in a tabletop exercise – covering communications, the ransom payment decision, and notification of the authorities? If you’d like to conduct such an exercise, let me know in the comments.

Expected counterarguments and responses:

  • ISO 27001 is a prerequisite for winning contracts.“

True. But that’s a sales argument, not a security argument. The two should be aligned, not confused.

  • „NIS2 recognizes ISO 27001 as evidence of compliance.“

Partly true. In practice, organizations with an existing ISO 27001-certified ISMS typically cover 70–80% of NIS2 requirements. The missing 20–30% are often the most operationally critical elements: incident reporting, management accountability, and supply chain security.

  • „You’re talking down the industry.“

No. I’m putting the value of certifications into the proper perspective. Organizations with a living, effective ISMS can demonstrate that with confidence. Organizations with a paper-based ISMS shouldn’t focus on certification – they should focus on fixing it first.

More insights can be found in the video below.

Nach oben scrollen