cybersecurity

3030 readers

2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 1 year ago

MODERATORS

[email protected]

Meaningful Infosec Company Certifications? (infosec.pub)

submitted 1 year ago by [email protected] to c/[email protected]

5 comments fedilink hide all child comments

Hi all,

I did a lot of research, but got the point where I wonder: Is there any real meaningful infosec certification a company could gain?

I can follow a lot of frameworks and do certifications on them (like ISO 27001, NIST CSF, ISACA COBIT, TISAX, etc.), but they all are looking at documents and processes which kind of prove the mindset, but not actual security.

I think about something like "company survived a 5-day pentest or regulary does blue team exercises", etc., which show that the company can detect and respond and not only write documents.

Does anyone know about something like that? Or does this simply don't exists yet?

Thanks for the input!

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 1 year ago

I don’t have the document on hand while writing this, but I believe ISO27001 and most other certs have controls around regular pentests on an organization’s infrastructure and applications, and they ask for evidence that those are done regularly and ask for proof of remediation of findings during audits. While they don’t directly ask if “company survived a 5 day red team exercise”, the control processes they check for indirectly checks for those. And yes, it largely depends on how technical and how deep the auditor wants to go.