
I'm always wondering whether these very abstract and incoherent standards actually improve or damage _actual_ real world security practices. I've seen whole departments at companies that used to be very focussed on protecting customer and company data shift focus to compliance measures with the effect of actual security getting worse in the process.



The standards are not incoherent. However by design they need to be abstract to apply across very diverse businesses.

I've implemented ISO 27001 myself (solo dev founder, 6-person company, USD 2mn SaaS). The divergence in quality of the implementation depends on whether the company is actually using ISO 27001/SOC 2 as a tool to formally define, implement and monitor information security or finding the path of least resistance to accreditation.



