ISO 27001 is a standard for how to do policy. So from ISO 27001's point of view this is fine:
"Our policy is we'll do anything to make a buck".
The ISO standard sets out a correct way to develop this policy, write it down, ensure employees know about it, measure whether they're implementing it, and then for auditors to reassure management that all this is being done as described. But it doesn't say there's anything wrong with that policy I mentioned, beyond that maybe your ISO 27001 consultants will struggle to charge their usual fees for such a short and on-the-nose policy document.
It also matters who the auditors work for, and who they report to. Have you /read/ the audit reports for your ISP? No? Because they're confidential; only the ISP sees them. So, what use are they to you? For all you know the auditors found that the ISP doesn't comply with its own policies and shows no interest in doing so.
If you later find out the ISP isn't complying but the audit reports said everything was fine, you'll never know about that, and you can't fire the audit firm and get a better one; all of this is totally opaque to you.
In contrast, Mozilla gets to insist upon reading the audit reports for the policy they agreed with Cloudflare and can insist upon a different audit firm if it decides the auditors aren't up to scratch. This has happened with CA root trust: the Hong Kong auditors for WoSign were disqualified in this way and the franchise owner's office in London informed of the problem.
Now, maybe you don't trust Mozilla either, but if you're running their web browser you're in a real pickle if you don't trust them. And if you don't run their browser, who cares which TRR is configured in the browser you don't run?