Compliance platforms are not proof of compliance

The Delve saga is just the tip of the iceberg. Compliance platforms are evidence collection tools, not proof of compliance.

The whole Delve saga is just the tip of the iceberg in security compliance, I think. These platforms are for evidence collection. Some are good at it. But they are not a proof of compliance, far from it.

ISO/IEC 27001 and SOC 2 Type 2 are meant to provide assurance to customers and stakeholders that the organisation's controls operate effectively, over time, with many controls being validated yearly. So how can an attestation be issued within weeks?

The problem is that most of these platforms just quickly scan a few apps, check some basic controls, and produce a beautiful all-green report. Then a so-called "auditor" reviews the report, happily confirms it says what the platform says, and signs it off.

Have all key systems and processes been properly identified? 🤷 Are the relevant controls in place to mitigate the risks? 🤷 Have all these controls been tested adequately? 🤷

If audited properly, I'm ready to bet that many would not even pass Essential Eight Level 1.

To be meaningful (aka improve security, privacy, assurance), compliance should not be a check-box exercise. It should be treated as a good exercise to learn and improve. And it does not mean it has to be long, painful and use clunky spreadsheets. Tools are fine, when used for the right reasons.

I truly hope ISO and AICPA start reviewing this seriously. This is putting the trust we have in these accreditations at risk.

Olivier Reuland