
Vanta vs a Real ISMS: Why Green Checks Are Not Audit-Ready

Compliance platforms collect evidence beautifully. They cannot decide whether your scope, risks, Statement of Applicability, control ownership and evidence quality make sense. Here is the gap - and how to close it.

By Kellwick Team · July 1, 2026 · 7 min read

Vanta, Drata and Sprinto are good tools. They automate the tedious parts of ISO 27001 and SOC 2 with real skill, and most teams under 250 people should use one. The problem is not the platform. The problem is what a wall of green checks quietly persuades you to believe: that a healthy dashboard and an audit-ready information security management system are the same thing. They are not, and the gap is where certification projects stall.

What compliance platforms genuinely do well

Start with credit where it is due. These platforms solve a real and expensive problem.

Continuous evidence collection is the headline feature, and it earns its place. Instead of screenshotting cloud configurations once a year in a panic, you get integrations that pull evidence from AWS, GitHub, Okta, your MDM and your HR system on a rolling basis. Drift gets caught in days instead of at the audit. That is a genuine improvement over the spreadsheet era.

Control mapping is the second real strength. The platform ships with a control framework, maps your evidence to it, and lets you reuse the same underlying tests across ISO 27001, SOC 2 and, increasingly, frameworks like PCI DSS. If you are chasing multiple attestations, this saves weeks.

Then there are the reminders. Access reviews, policy acknowledgements, security training, vendor re-reviews: the platform tracks the cadence and nudges the right people. For a lean team, that operational discipline is worth the subscription on its own.

None of this is marketing fluff. It is useful. But notice what all three strengths have in common. They collect, map and remind. They move information around efficiently. What they do not do is judge whether the information is right.

What the platform cannot decide for you

An ISMS is a set of decisions about risk, backed by evidence. The platform manages the evidence. You still own the decisions, and there are five it cannot make.

Scope sanity. The platform will happily certify whatever boundary you draw. It will not tell you the boundary is wrong. If you scope out the subsidiary that actually processes cardholder data, or scope in three legacy products you plan to sunset, every check can still go green while the scope is quietly indefensible. An auditor's first question is whether the scope matches the business. The dashboard has no opinion on that.

Whether risks are real and owned. Most platforms seed a generic risk register or let you import one. A list of plausible-sounding risks with no named owner, no realistic likelihood, and no link to an actual decision is theatre. The platform records that a risk register exists. It cannot tell you whether the risks are yours, whether the treatment reflects what you actually did, or whether anyone would recognise them in an interview.

Whether the Statement of Applicability matches reality. The SoA is the spine of an ISO 27001 audit. Every Annex A control is included or excluded with a justification, and the auditor holds you to it. Platforms make it easy to mark controls as applicable and attach evidence. They do not check that your justifications are honest, that an "implemented" control is actually operating, or that an exclusion is truly defensible. A tidy SoA that does not match how you really work is worse than an untidy one, because it invites the auditor to keep pulling threads.

Control ownership. A control with no accountable human is a control that will fail under questioning. The platform can assign a name to a task. It cannot make that person understand the control, run it, or explain it. Ownership is an organisational fact, not a field.

Evidence quality versus presence. This is the sharpest one. The platform is optimised to confirm that evidence exists. An auditor is trained to judge whether the evidence is good. A screenshot proving MFA is enabled somewhere is presence. Proof that MFA is enforced for every user in scope, with exceptions documented and reviewed, is quality. The gap between the two is exactly where a green check misleads you.

The classic failure mode: 98 percent green, then a rough audit

Here is the pattern we see repeatedly. A team stands up Vanta or Drata, connects the integrations, works through the tasks, and reaches 95 to 98 percent compliance over a few months. The dashboard looks superb. Leadership relaxes. The audit gets booked as a formality.

Then the auditor arrives and does not look at the dashboard the way the team expected.

The headline number created false confidence. Ninety-eight percent green measures how many automated checks are passing. It does not measure whether the scope is coherent, whether the risk treatment is real, whether owners can defend their controls, or whether the evidence survives scrutiny. Those are precisely the areas the platform does not score, and they are precisely the areas an auditor probes hardest. So the audit that was supposed to be a formality turns up nonconformities, and the team is surprised in the worst possible setting.

The dashboard was not lying. It was answering a narrower question than the one that matters.

How auditors test beyond the dashboard

Auditors know these platforms well. They are not impressed by a high completion percentage, because they understand what it does and does not cover. Two techniques break the dashboard illusion.

First, they sample. Rather than accept that access reviews happened, an auditor picks specific quarters and specific systems at random and asks to see that particular review, with the reviewer, the date, the leavers who should have been removed, and the actions taken. One weak sample suggests the process is decorative. The platform showing the task as complete is not the same as the task being done well.
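As an added example, not part of this article and not code from Vanta, Drata or Sprinto, the following Python script makes two of the points above concrete: the presence-versus-quality gap for an MFA control, and the leaver check an auditor applies when sampling an access review. Everything in it is constructed for illustration: the IdP export rows and their field names, the in-scope group list, the exceptions register, the HR leaver list and the 90-day review-age threshold; no real vendor export format is assumed.

```python
"""
Evidence-quality check for an MFA control: presence versus quality.

All input data below is constructed for illustration and does not come
from any real identity provider, HR system or compliance platform.
The check asks the auditor's question rather than the dashboard's:
is MFA enforced for every in-scope user, is every gap covered by a
documented and recently reviewed exception, and has every leaver
actually lost access?
"""
from dataclasses import dataclass
from datetime import date

# Constructed IdP user export; the field names are assumed, not a vendor schema.
IDP_EXPORT = [
    {"user": "alice",  "status": "active", "mfa_enrolled": True,  "groups": ["engineering"]},
    {"user": "bob",    "status": "active", "mfa_enrolled": False, "groups": ["engineering"]},
    {"user": "carol",  "status": "active", "mfa_enrolled": False, "groups": ["support"]},
    {"user": "dave",   "status": "active", "mfa_enrolled": True,  "groups": ["finance"]},
    {"user": "erin",   "status": "active", "mfa_enrolled": False, "groups": ["contractors"]},
    {"user": "svc-ci", "status": "active", "mfa_enrolled": False, "groups": ["service-accounts"]},
]

# Groups inside the ISMS boundary. Drawing this line is the scope decision
# the article says the platform cannot make for you; here it is an assumption.
IN_SCOPE_GROUPS = {"engineering", "support", "finance", "contractors"}

# Constructed exceptions register: who may lack MFA, why, and when it was last reviewed.
EXCEPTIONS = {
    "carol": {"justification": "hardware token on order", "reviewed_on": date(2026, 6, 10)},
    "erin":  {"justification": "short-term contractor",   "reviewed_on": date(2025, 9, 1)},
}

# Constructed HR leaver list: these people should no longer hold an active account.
LEAVERS = {"dave"}


@dataclass
class Finding:
    in_scope_users: list
    unenrolled_without_exception: list
    stale_exceptions: list
    leavers_still_active: list

    @property
    def quality_ok(self) -> bool:
        """True only when every in-scope gap is explained and every leaver is gone."""
        return not (self.unenrolled_without_exception
                    or self.stale_exceptions
                    or self.leavers_still_active)


def mfa_presence(export) -> bool:
    """What a screenshot proves: MFA is enabled for at least one account somewhere."""
    return any(u["mfa_enrolled"] for u in export)


def assess_mfa_evidence(export, in_scope_groups, exceptions, leavers,
                        as_of, max_review_age_days=90) -> Finding:
    """What an auditor wants: MFA for every in-scope user, reviewed exceptions, leavers removed."""
    in_scope = [u for u in export
                if u["status"] == "active" and in_scope_groups.intersection(u["groups"])]
    unenrolled, stale = [], []
    for u in in_scope:
        if u["mfa_enrolled"]:
            continue
        exc = exceptions.get(u["user"])
        if exc is None:
            unenrolled.append(u["user"])                      # gap with no documented exception
        elif (as_of - exc["reviewed_on"]).days > max_review_age_days:
            stale.append(u["user"])                           # exception exists but was not re-reviewed
    active_names = {u["user"] for u in export if u["status"] == "active"}
    return Finding(
        in_scope_users=[u["user"] for u in in_scope],
        unenrolled_without_exception=unenrolled,
        stale_exceptions=stale,
        leavers_still_active=sorted(leavers & active_names),  # leaver sampling check
    )


def report(as_of=date(2026, 7, 1)) -> Finding:
    f = assess_mfa_evidence(IDP_EXPORT, IN_SCOPE_GROUPS, EXCEPTIONS, LEAVERS, as_of)
    print(f"presence (MFA enabled somewhere): {mfa_presence(IDP_EXPORT)}")
    print(f"in-scope users checked:           {len(f.in_scope_users)}")
    print(f"no MFA and no exception:          {f.unenrolled_without_exception}")
    print(f"exception not reviewed in 90 days: {f.stale_exceptions}")
    print(f"leavers still active:             {f.leavers_still_active}")
    print(f"quality bar met:                  {f.quality_ok}")
    return f


if __name__ == "__main__":
    report()
```

On the constructed data the presence check passes while the quality check fails on three counts: one in-scope user with no MFA and no exception, one exception that has not been reviewed within the threshold, and one leaver whose account is still active. That is the shape of finding an auditor's sample produces, and the one a green task in the platform does not surface.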

Second, they interview owners. The auditor sits with the person named against a control and asks them to explain it in their own words. How does change management actually work here? Walk me through the last incident. Who approved this access, and why? If the owner cannot answer, the control fails, no matter how green it looked. You cannot automate your way through an interview.

Section by section: platform versus judgement

The clearest way to see the gap is control area by control area. In each, the platform does real work, and real judgement still sits outside it.

Scope. The platform tracks assets and evidence inside the boundary. Deciding where the boundary belongs, and defending it against the business reality, is yours.

Risk register. The platform stores risks, treatments and status. Whether the risks are genuine, correctly rated and actually treated the way you claim is judgement.

Statement of Applicability. The platform lets you mark controls applicable or excluded and attach evidence. Whether the justifications are honest and the excluded controls are truly out of scope is judgement.

Access reviews. The platform schedules the review and collects the export. Whether the reviewer looked properly, questioned odd access and removed leavers is judgement, and it is sampled hard.

Supplier risk. The platform stores vendor questionnaires and re-review dates. Whether you assessed the vendors that actually matter, and acted on what you found, is judgement.

Incidents. The platform logs tickets and timestamps. Whether incidents were classified correctly, escalated, learned from and fed back into controls is judgement.

Change and release. The platform can evidence that pull requests were reviewed and deploys were approved. Whether your real release process matches the documented one, including emergency changes, is judgement.

Management review. The platform reminds you to hold the meeting. Whether leadership genuinely reviewed performance, risks and resourcing, and made decisions, is judgement, and it needs minutes that prove it.

Internal audit. The platform can host findings. Whether the internal audit was independent, competent and covered the real risks, rather than rubber-stamping the dashboard, is judgement.

A practical compliance workspace cleanup

If your platform is green but you are not sure you are ready, do not add more checks. Clean up what you have. This is a method we run with clients, and you can run a first pass yourself.

Start with scope. Write one paragraph describing the boundary and test it against how the business actually operates. Fix any mismatch before touching anything else, because scope errors invalidate everything downstream.

Next, walk the SoA line by line. For every applicable control, ask whether the attached evidence would convince a stranger that the control operates, not merely that it exists. For every exclusion, ask whether you could defend it out loud. Flag the weak ones.

Then pressure-test the risk register. Remove generic risks that are not yours. Confirm each remaining risk has a real owner, a realistic rating, and a treatment that matches what you actually did.

Now sample yourself the way an auditor will. Pick two access reviews, two vendor assessments and one incident at random. Chase each to ground. If any falls apart, the process needs fixing, not the record.

Finally, interview your own owners. Ask three control owners to explain their control cold. Where they stumble, you have found your real gaps, long before an auditor does.

Bottom line

Compliance platforms are excellent at collecting, mapping and reminding. They are not built to decide whether your scope is sane, your risks are real and owned, your Statement of Applicability is honest, or your evidence is good rather than merely present. Those decisions are your ISMS, and they are what an auditor tests. A green dashboard is a useful head start. It is not the same as being audit-ready.

If your Vanta, Drata or Sprinto workspace is green and you want to know whether it would survive an audit, a Kellwick cleanup or readiness review turns the dashboard into judgement you can stand behind. We are an independent advisory, not a certification body, so our only job is to make sure you are genuinely ready before anyone official looks.

Need a second pair of eyes before the auditor does?

A readiness review shows exactly where your ISMS stands - and what to fix first - while there is still time to act on it.