SaaS
Vanta had been deployed for eight months and everything showed green. An enterprise deal was blocked on ISO 27001, and the evidence behind the checks turned out to be thinner than the dashboard implied.
A compliance platform is very good at confirming that evidence exists. It cannot decide whether the scope, risks and control ownership make sense, or whether the human process behind each green check is real. That judgement is exactly the part an auditor tests - and it was missing.
Finding 01
Around 30 controls were marked implemented with no artefact an auditor would accept - presence, not proof.
Finding 02
Vanta showed identity providers 'connected'. Nobody had ever sat down and reviewed who had access to what and signed it off.
Finding 03
No product-specific risks: multi-tenancy, customer data export, third-party sub-processors, deployment access - none appeared.
Finding 04
Sub-processor documents were gathered automatically but no one had judged whether the suppliers were acceptable.
Finding 05
'We have backups' was the answer. There was no evidence a restore had ever succeeded.
The team went into Stage 1 with evidence that matched the SoA rather than a dashboard of green checks, and unblocked the enterprise security review that had stalled the deal. The platform stayed - it was finally telling the truth.
A compliance platform collects evidence. It cannot tell you whether the evidence is any good. The gap between a green check and a defensible control is exactly where the auditor - and your enterprise buyer - will look.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.