by PeterisP
1436 days ago
Yes, it's not practical, and by design. In effect, this is simply acknowledging the reality that if they want to ensure a certain process, then someone has to bear the overhead of monitoring and control; so if a company wants to buy some sensitive service from a solo founder or a smallish company, then they have to take responsibility themselves, and they can delegate this duty to vendors only if the vendor actually has certified capability to do this high-overhead process. It has some parallels to earlier initiatives like PCI DSS for payment cards, which effectively said "If you can't do this list of requirements, then you'll have to delegate the sensitive stuff to someone who can", ensuring that not every mom & pop pizza shop has a full list of their customers' credit card numbers unencrypted on a publicly exposed database. It doesn't prevent all breaches, of course, but it did make them fewer.