ISO 27001 is a management system focusing on information security. I'm reviewing a company which is ISO 27001 certified (see eventually my other post), but there is a lack of modern security monitoring in place, not to mention a centralised correlation function (like a SIEM). So, even though this company is ISO27k1 certified, and therefore thinks it is in control, that is from a compliance perspective only.
I am trying to make them aware that compliance alone is not enough; even when they claim they have daily security operations in place, without adequate detection capabilities it's a compliance exercise only. To upgrade to real security, we need more. So, is there a known standard which easily links a full SOC, or even a SIEM, to ISO27k1 in a pragmatic way? The reason I ask is that this company prefers "known standards / known best practices", and therefore I prefer such a default instead of preaching my own recommendations.
For example, is there a method which links ISO27k1 (or possibly NIST CSF) to MITRE ATT&CK? That would probably help me provide the necessary foundation.
27001 is just the framework and compliance, as you said.
I can still be certified in 27001, have the risk management framework and security management practices on paper, but do a bad job on those controls.
If people did not look into implementing the controls offered in 27002 or NIST 800-53, then 27001 is only as good as the paper it's on, which gives people a false sense of security (or just security on paper, and paper only).
To be fair, the only method for providing assurance that information security controls are effective is to conduct a SOC 2 (Service Organisation Control report) attestation. A SOC 2 is going to cover trust, privacy and security controls, and essentially the attestation is performed by an external auditor. However, the client may need help with identifying the controls to be tested. ISO 27k doesn't test the effectiveness of controls, but it's a nice-to-have, in order to give some indication that controls might exist. Only a SOC 2 can give assurance. Look at the American Institute of Certified Public Accountants (AICPA) for details on SOC 1, SOC 2 and more!