Say you have to outsource the storage of your corporate data.
Say you have to assess the quality of a couple of (apparently) equally “good looking” potential suppliers, both offering housing/cloud services.
Say both of them are “ISO 27001 Certified”.
Which are you going to choose?
Answer: ask to see the “perimeter” that has been certified.
In other words: advertising on the corporate website, or anywhere else, that a company is “ISO 27001 compliant” doesn’t always mean that the WHOLE company actually is.
Maybe the certification has been obtained for the data centre only, or just for a small part of the infrastructure, or – say – for the financial department.
Thus, a fair use of the “label” would be a statement like this: “we are ISO 27001 certified for X, Y, Z” instead of a simpler (and deceptive) “we’ve got the ISO 27001”.
Next time, ask first.