Problem
"ISO 27001 is a standard that can be used by all these sectors [healthcare, transportation, telecommunications, finance, food supply, utilities, public services and others - my addition for clarity] and is not dependent on whether the organisation is small, medium and large sized company."
Does this risk making the standard too generic, so that it fails to give organisations sufficient practical and useful guidance?
References
Humphreys E (2008) 'Information security management standards: Compliance, governance and risk management', Information Security Technical Report, 13(4):247-255.
ISO (2013) ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls, International Standards Organisation, Switzerland.
Whitman ME and Mattord HJ (2019) Management of information security, 6th edn, Cengage Learning, Stamford, CT.