Is the ISO 27001 certificate a fig leaf?

What is the ISO 27001 certificate good for if we all know that: 1. it's quite easy to get (a matter of money and the "right" auditor), 2. it's no guarantee we will be secure?

Quick answer: ISO 27001 is not about preventing security breaches. It is about proving that security is managed and systemic, not improvised and random.

It is a management system, not a security solution

ISO 27001 does not promise:

“you won’t get hacked”.

It promises:

“you will systematically (objectively) manage cybersecurity risks.”

That difference is important.

If top management wants:

  • zero risk → can't be done
  • absolute security → impossible
  • reasonable assurance, accountability, and business credibility → ISO 27001 makes sense

On the other side, the value of ISO 27001 degrades

It happens because the certificate stopped being a quality signal and became a market access ticket, just like ISO 9001.

Once ISO 27001 became:

  • a prerequisite for sales,
  • a shop window to customers,
  • a checkbox in RFPs, or
  • a procurement filter,

the certification (auditing) bodies compete to win the business the easiest way, not to assess a company with proper rigor.

The ISO 27001 certificate can easily become just a fig leaf: your nudity (poor security) is covered only by a tiny piece of paper.