You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.
I hope you're wrong there but somehow I doubt it.

But it is the way in which most organisations rate their security or are rated. Real tests like a Pen test only make up a little of how secure you are perceived to be.

I still find it hard to get my head round it sometimes. "We can't get hacked, I've got a great policy in place".

It's all just paper shuffling unless the policies and procedures (if they are good) are being followed and that has to be checked for compliance regularly. And that's why everyone hates me and I'm not even part of internal audit.