Until now, I have been extremely confused about the ISO certs, for instance, ISO 27001. There is a company that provides ISO 27001 compliance so their client meets the ISO. Does it mean the consultant company already had ISO 27001 so they can guide other companies that paid them?