@stefano Sounds like the common type of half-assed security audit by simply running down an excel checklist. I also have to deal with that a lot. Those companies tell the C-level they follow standards and C-level is happy because their D&O-Insurance is happy. I just bill that conversation and forget it.