Abstract:
The extensive organizational dependence on information technology (IT), along with the worsening impact of information security incidents, has made information security one of the top management concerns. The ISO 27001 standard provides guidance for a sound information security management system (ISMS). However, implementation and accreditation costs can also be considerable. In this study, we explored whether the certification can benefit organizations by signaling the management's attitude toward security management and the appropriateness of ISMS implementation. We investigated firm performance after the ISO 27001 certification with samples from the United States and selected European countries. Contrary to our expectation, we found no evidence that ISO 27001 certification brought benefits to the certified firm in terms of return-on-assets and stock market performance. We attributed the results to the nature of ISO 27001: good information security management would be seen as an obligation rather than a competitive advantage.
Date of Conference: 05-08 January 2016
Date Added to IEEE Xplore: 10 March 2016
Electronic ISBN: 978-0-7695-5670-3
Print ISSN: 1530-1605