Absolutely worthless pieces of paper. We had the ISO 270001 and the physical security "walk tour" or whatever it's called; I could've outsourced that to a bunch of preschoolers walking around the offices and data center rooms and would've gotten the same result. The only _actually_ working way to protect your org is to continuously attack your own systems and see what part of it breaks or leaks data.