27001 is about security* management, not technology. That's why (unlike, say, PCI-DSS) it doesn't need to change every 6 months to reflect changes in hardware and software.
Of course, just because an organisation has 27001 certification doesn't mean it's necessarily secure. What it does mean is that they must have in place the mechanisms to deliver the level of security appropriate for their needs. Top tip - check the scope of the 27001 registration to ensure that it doesn't just cover one server in a cupboard; better still, check the Statement of Applicability.
* I know it's been said before, but it bears repeating: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Bruce Schneier