If you recall, Oxebridge filed a formal complaint against Lazarus Alliance, an officially authorized CMMC auditing body (called a “C3PAO” in CMMC parlance). That complaint alleged over 30 violations of the official CMMC Code of Conduct, ISO 17020, and other requirements. In response, Lazarus’ CEO falsely claimed Oxebridge was engaged in “criminal social engineering,” and rejected the matter outright. It was then escalated to the Cyber AB, who confirmed receipt and claimed to be processing the complaint.

Now we’ve found that Lazarus’ questionable activities don’t stop there. We reported previously that Lazarus is accredited to issue ISO 9001 and ISO 27001 certificates, but that their accreditation is a fake “accreditation mill” operating out of Egypt. This makes Lazarus a literal “certificate mill” under the current understanding of the term, as referencing bodies that are either self-accredited or hold fake accreditation from non-IAF member accreditation bodies. Had Lazarus wanted to issue real ISO 9001 or 27001 certificates, there are multiple bodies right in the US they could have obtained accreditation from, such as ANAB or IAS.

Of course, with the IAF’s recent moves to effectively stop enforcing ISO 17011, this effectively makes all ISO certification bodies “mills” now, so the term’s definition may be changing.

Fake Award Claims

More recently, however, I checked into the various “Awards and Accolades” claimed by Lazarus on their website. These include a number of awards that others and I could not confirm actually existed, such as Tech Times’ “Top 5 Cybersecurity Consulting Provider” ranking for 2023; Tycoon Success’ “Top 10 Most Impactful Cybersecurity Companies to Watch in 2024”; and Enterprise Security Magazine’s “Top 10 Vulnerability Management Consulting/Services Companies 2019.” None of those publishers listed anything related to Lazarus at all.

Two other awards were then reported by the issuing party to have never been given to Lazarus at all. The Lazarus website claims it was awarded “Top 10 Most Promising Enterprise Risk Management Services Companies” and “Top 10 Most Promising Compliance Technology Consulting/Service Companies 2019” by CIOReview, but the editors clarified to Oxebridge that this was not the case. Instead, CIOReview reported they had approached Lazarus COO Anna Dickerson about possibly pursuing the award and “she responded positively, expressing interest in scheduling a call. However, we did not receive any follow-up communication after the initial scheduling, even after a few follow-ups.” In a clarifying email, CIOReview then verified that it did not grant Lazarus Alliance “any official award, including the following titles currently displayed on their website,” referring to the two mentioned on its website.

Typically, these awards are “vanity awards,” and the recipients must pay for them; online reports suggest CIOReview awards cost about $3,000 a pop. It appears that while CIOReview approached them, Lazarus never bought the award, but then decided to claim they had been given it anyway.

Invisible Clients

I also couldn’t confirm the existence of some of the alleged customers that Lazarus then claims testimonials from. “Plurime” was listed as a former client, but I could not find any verifiable evidence that the company exists; its website is just a landing page, and its LinkedIn profile showed zero connections.

“Mint Social” does have employees listed on LinkedIn, but most are anonymous and/or focused on social media marketing. One verified employee was PR Manager Sujata Sinha, from India, but she has no online posts — a bit odd for a “social media manager.” The Mint Social Facebook account had no entries since 2021, and the company’s website is shut down.

“Legal Metasource” could also not be verified; there’s no company website, no other evidence it exists, and the only mention of the name is on Lazarus’ own website.

Two of the testimonials are exactly the same but attributed to two different companies; however, there is an individual on LinkedIn who worked for both companies, so perhaps he gave it and Lazarus published it twice to make their testimonial list a bit bigger.

I did track down one testimonial that was at least partially legitimate. This one was presented as having come from the CISO at Fraud.net:

I contacted Rajeev Yadav — the actual CISO at Fraud.net — and he wrote that they “don’t use their services anymore. You can request them to take my comments off.”

Now, as usual, perhaps Lazarus has a completely honest and justified explanation for all of this. CIOReview isn’t the most reputable company in the world, being the issuer of vanity awards, so maybe their records aren’t accurate. But we can’t know that because Lazarus CEO Mike Roberts prefers to engage in defamation per se, falsely accusing me of being a criminal hacker, rather than provide what might be a really simple explanation.

The Cyber AB has assured Oxebridge that the complaint against Lazarus has been processed, and a final ruling on the matter will be made within a few days, once the AB has reviewed their response with legal counsel.


UPDATED 19 June 2025: Added response from Fraud.net CISO.
