This is an important question. Being certified under ISO 27001 or having a SOC 2 doesn’t necessarily make your company secure. You can use either to demonstrate compliance against a standard or requirements, but you still set the scope, so you could only scope it out to certain aspects of your business and not all, for example. Even with scoped areas, you can demonstrate compliance without following “best practices.” The benefit of ISO 27001 is that it’s an international standard so it’s recognized globally, and it lays the foundation to address some/many/all requirements of other compliance programs such as GDPR (which requires an ISMS), and even aspects of a SOC 2. ISO 27001 also requires a certification audit and an internal audit yearly. It’s typically more comprehensive than a SOC 2 and requires more resources to implement and maintain.
As you pointed out, being certified doesn’t automatically ensure that you’re secure. That’s because the ISO 27001 framework allows you to determine the risks that are most relevant to your business and design your controls to address them. These risks and associated controls will differ from one company to another. Passing your ISO 27001 audit means your auditor found that your organization was able to prove that it has the necessary policies, processes, and procedures in place to address the controls required to meet your ISMS goals and as prescribed by ISO 27001/27002.
Regarding your specific example of a SIEM not being in place — you don’t necessarily need to have a SIEM in order to effectively monitor and respond to security events in your environment; it all depends on your environment. If implemented properly, ISO 27001 would allow you to identify weaknesses in your security program and address them - for example, identifying a lack of visibility and management of security events in a complex environment might lead you towards a SIEM as one solution. What I like about ISO 27001 is that it doesn’t tell you to implement a SIEM. Rather, it ensures that you have controls in place that allow you to identify and respond to events, and it leaves it up to you to address that in the way that makes most sense for your business. Simply having an expensive SIEM that just collects information that nobody looks at isn’t useful, but it allows you to check off a box that says you have a SIEM, which I think is the case in too many cases.
The ISO 27001 stance on passwords is another good example. Annex 9.4.3 states:
“Password management systems shall be interactive and shall ensure quality passwords.” Then if you look at the implementation guidance in ISO 27002, it says a password management system should:
a) enforce the use of individual user IDs and passwords to maintain accountability;
b) allow users to select and change their own passwords and include a confirmation procedure to allow for input errors;
c) enforce a choice of quality passwords;
d) force users to change their passwords at the first log-on;
e) enforce regular password changes and as needed;
f) maintain a record of previously used passwords and prevent re-use;
g) not display passwords on the screen when being entered;
h) store password files separately from application system data;
i) store and transmit passwords in protected form.
It doesn’t explicitly require specific complexity or prescribe frequency of password changes, etc. - that’s up to your business to determine, based on how you view the risk.
ISO 27001 certification alone does not necessarily make your company secure. An ISO 27001 implementation will ensure you have the necessary governance in place to operate the ISMS effectively. The specifics of the ISMS should be further informed by external resources such as NIST, OWASP, CIS, and other industry guidance around security. I don’t think that SOC 2 automatically makes your company more secure; on the contrary, it could create more gaps since it doesn’t require a management system to be in place and is not internationally accepted, so I’d caution against any thinking that a SOC 2 is the solution to making your ISO 27001 implementation more secure. Instead, I recommend you identify the security gaps in your program, and consider CIS 20 controls, OWASP, and NIST frameworks as additional guidance for filling in those gaps and maturing your security program. CIS 20 Controls might be helpful in your particular case, because it is easier to map the controls to the ISO 27002 implementation guidelines, and you can use that as a way to build your case for your organization to improve its security (e.g. by implementing additional controls and tools towards attaining CIS IG1, IG2, or IG3 status).