Saturday, November 28, 2009

Do certification audits also suck?

This post, "Why do pen-tests suck?", triggered my thoughts, and I started thinking about certification audits.

I have personal experience of dealing with ISO 27001 auditors from certifying companies who have very limited knowledge of IT infrastructure and technical areas; some of them even come from non-IT backgrounds (I have seen audit findings written in ALL CAPS :-) ). Without this crucial knowledge they will not be able to find any gaps, hence the audit will be ineffective. I am also aware of the option/process of having a domain expert present during an audit; perhaps this is not practiced because it might uncover too many gaps that would be expensive to fix.

If certifying-company auditors did a comprehensive job, I am sure things would change…

Posted via email from Ramki's posterous