The dangers of narrow scopes of applicability
Accreditation of an ISMS can give you several choices. One choice is your Risk Assessment method, another is your Scope, expressed in the Statement Of Applicability, and you can choose to leave some controls out as well, if you can explain why they don't apply to you.
Choice is generally speaking good. But for accreditation, this brings a reputation issue. The reputation of a certificate holder is as good as the market perception of the performance of the worst of all certificate holders. Education certifications and diplomas, for example, carry more reputation the LESS choice you have in your studies, not the more choice you have. Doctors can't choose not to take Anatomy, but Arts can study nearly anything (depending on what country are you based)
The existence and significance of the Statement Of Applicability is well beyond anyone how is not a specialist. This means it is possible to choose a very narrow SOA, totally unrelated to your critical systems for the sake of getting accredited, regardless of your real information security posture. This is bad for certificate holders that choose real SOAs, as their competition can get the same reputation for a far smaller investment. Another side effect of choice (SOA et al) is that a big financial company with several sites get as easily certified as a small technology company with only one site. I think that is BAD, as the effort, resources and quality of implementation can be quite different. If I ran a big company I wouldn't specially like to spend a lot time, effort and resources to get a certificate that just anyone can have, doing far less. Another side effect of wild choice is that a big financial company with several sites get as easily certified as a small technology company with only one site. Again, I think this is BAD, as simple technology infrastructure should be simpler to secure than a complex one.
If you liked this article, consider taking advanced ISMS training online via Udemy