by bennyelv 1001 days ago
Common misunderstanding about 27001 - it doesn't make anything mandatory when it comes to security controls.

It defines how you structure and operate a risk based security management system, that’s all. It’s perfectly valid to say “I should be doing pen testing but my risk appetite is high enough for me not to care”, and still get a 27001 certification.

1 comment

> “I should be doing pen testing but my risk appetite is high enough for me not to care”, and still get a 27001 certification.

I would agree with you if Equifax weren't part of critical infrastructure.

Agreed - but 27001 doesn't have an opinion on that. It only requires that top management have set the context that the rest of the information security management system hangs off of. It doesn't specify what that context should be for your company.

It's completely unlike SOC in that regard.