Delve - Fake Compliance as a Service - Part I

How Delve managed to falsely convince hundreds of customers they were compliant and then lied about it when exposed and called out

DeepDelver

80% of Compliance has always been a performative box checking exercise.

They delivered the product that every company wanted - make the box checking faster.

There is a legal liability that comes with the box checking. Nobody cares about box checking. Everyone cares about legal liability.

Nah. I’m gonna name some names.

I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE Systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.

Anyway. We did ISO 27001. We did it well, audited by Lloyd's Register, reputable stuff all the way down. Built actual meaningful processes.

Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some “compliance” goons.

I saw the box ticking chicanery as it happened - as after firing everyone they of course didn’t follow the off-boarding process, so I retained full access to their JIRA. I only lost access a year later when Atlassian terminated the account for non-payment.

Nobody actually gives a shit, about anything.

> I’m gonna name some names.

*Doesn’t name any names.*

Not that I want you to, I feel it would open you up to libel exposure. But can we both acknowledge that you didn’t name the entity that coasted through their audit?

I did, and then I thought twice. Let’s say it’s a synonym for a piece of non-reflective geology.