Comment by Aaronstotle

3 years ago

As someone who is on the side interacting with auditors, it's pretty obvious they don't know what they're talking about. I've filled out numerous questionnaires where the questions themselves don't make sense; however, the auditors usually don't have the technical knowledge.

The whole process is frustrating because these certifications are supposed to improve security and usually they create busy-work that takes resources away from developing/implementing security.