by cookiengineer 1000 days ago
Well, the process itself cannot be working because otherwise this whole fiasco would have been found. Technically within 24 hours, if the certifications are to be believed.

Trying to defend a broken process isn't what this is about; my criticism was that there was an audit a decade ago, and that the auditors did not verify any of the claims or processes in place. Certifications and audits without any verification of claims are not valid certifications.

SOC2 and ISO27001 also include _mandatory_ pentests, which obviously didn't happen that year. Either that, or the pentesting agency wasn't actually doing more than a metasploit run ;)


Common misunderstanding about 27001 - it doesn’t have mandatory anything when it comes to security controls.

It defines how you structure and operate a risk based security management system, that’s all. It’s perfectly valid to say “I should be doing pen testing but my risk appetite is high enough for me not to care”, and still get a 27001 certification.

> “I should be doing pen testing but my risk appetite is high enough for me not to care”, and still get a 27001 certification.

I would agree with you if Equifax weren't part of critical infrastructure.

Agreed - but 27001 doesn't have an opinion on that. It only requires that top management have set the context that the rest of the information security management system hangs off of. It doesn't specify what that context should be for your company.

It's completely unlike SOC in that regard.