November 2nd, 2005, 12:31 PM
#3
You're a cynic 
Depends on the organisation whether they are planning to use the standard as a basis for best practice or simply use the certification as a marketing exercise.
We fall into the former. The standard gives us a guide from which we can develop policies/standards and procedures to keep us reasonably secure relative to the information assets we hold.
We can then check compliance with the standards we've developed to check that we are staying secure.
We've developed metrics based on the standards to let us show improvements in our security performance and to show gaps where we need to work in the future.
Standards are not the be-all and end-all and it would be a fallacy to think that, but they are a useful aid/tool to develop best practice within an organisation and to monitor security performance from year to year.
The standard itself has recommendations to perform more practical tests such as pen tests. Employees writing down passwords would not be following the ISMS, developed from the standard (9.3.1 Password use) and in addition would be breaking the security policy (3.1.1).
If you are able to come up with all the policies and documents to cover all your needs then fine, you would have no need for BS7799 unless the certification would be a useful selling point.
But the standard provides a lot of help to organisations needing to develop their security, and being compliant (not certified) with the standard would improve the security (and mindset) in a lot of organisations.