Poor Cloud7Works. The plucky Leesburg VA company, which has numerous Federal contracts and provides IT services to government clients, posted its shiny new ISO 27001 certificate and thought everything would be great. Until it wasn’t, and they deleted the post just two hours later.
You see, the ISO 27001 certificate they posted was issued by an Indian certificate mill called GMSQR. That company claims to be out of Massachusetts (via post office box, of course) but is actually located in Bengaluru, India. They boast an “accreditation” mark from Steven Kenneally’s made-up accreditation body AIAO-BAR, which Kenneally originally formed so he could accredit his own certificates through “American Global Standards” (AGS). You might recall Kenneally as the guy who does “Virtual Cert”, under which he sells certificates without any normal audit at all, and as the guy who was sued by RAB for using their logs without permission.
It seems Kenneally has expanded his empire by selling accreditation marks to Indian certificate mills now. GMSQR grabbed onto that train, and now Cloud7Works bought themselves a certificate bearing these dubious logos.
I posted on LinkedIn that Cloud7Works might want to check deeper since AIAO-BAR isn’t an IAF member, and Federal contracting officers tend to check the validity of ISO certificates for such things. It could well end up that Cloud7Works’ customers would reject their ISO 27001 cert, or the company might even be debarred outright for false claims. Rather than say “Thanks” and show some concern, though, they pulled a shady and deleted the post. Hmm.
But this older one from late 2024 is still up, showing Cloud7Works also got an ISO 9001 certificate from the Indian mill, too. In this case, they cut off the bottom for some reason, but you can see it’s the same company certificate:
Needless to say, none of these certificates show up in IAF CertSearch because mills don’t comply with IAF rules or ISO accreditation standards.
I’m fairly exhausted by defense contractors from the Capitol district who have to go all the way to India to get ISO certificates when there are dozens of auditors working for fully accredited certification bodies within driving distance of their building. The region is lousy with ISO auditors.
However, all of this could be explained away by stupidity and not specifically malice.
Cloud7Works’ CEO is Madhu Vattipulusu, got his bachelor’s degree at Jawaharlal Nehru Technological University in the eastern state of Andhra Pradesh, India. Around 2000 or so, he emigrated to the US and finished his education here, and in 2016 launched Cloud7Works. It could simply be that he wanted to support other Indians and hire an Indian CB. But it’s sus AF for a defense contract to go that far out of their way to hire a scammer. It certainly looks like Cloud7Works really, really wanted a fake cert.
Did Cloud7Works even get audited? It’s doubtful. These scammers typically accept a quick wire transfer and send the certificate over as a PDF five minutes later. Without proper accreditation, it’s not like anyone checks. With ISO 27001, that can be important, too, since there could be some on-site things the CB needs to verify in order to issue the certificate. But we may never know.
I suppose we will see if Cloud7Works dumps its bogus ISO certs and gets real ones now that they exposed themselves on social media with their own public posts.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world
