Opinion — Compliance Platforms

Today I’d like to share my opinion on compliance tools and platforms.

I’ve worked with these tools. I’ve tested and deployed them in production to get the maximum return possible for my clients.

TLDR: Don’t use these tools unless you know what you’re doing — meaning you truly understand the standards.

Examples of tools: Vanta, Drata, Secureframe, Sprinto, Conformio, Scytale.


The Good

These platforms connect to the organization’s systems (Azure, AWS, Google Cloud, identity providers, HR and ticketing tools), collect evidence continuously, check configurations against expected settings, and map the results to controls in ISO 27001, SOC 2 criteria, and PCI DSS requirements.

The auditor then gets the evidence quickly, with the analyst’s comments attached, and can sample easily, which builds confidence in the strength of the security program.

The Bad

Remember: a compliance tool is not a security program, and it is not an information security management system (ISMS).

ISO 27001 is a management standard, not just a list of technical measures.

The tool helps you prove — not think. It does not define context, risks, priorities, or acceptance levels.

If your reality is modelled to “fit” the tool, that’s bad. Technology must serve strategy, never the reverse.

If the foundation is not in place, the tool creates an illusion of compliance — green indicators that should not be green.

I see a lot of generic copy-paste policies. That’s not reassuring for what comes next, since the policies are neither understood nor actually in place.

If the knowledge base lives in the platform, the organization becomes dependent on the vendor.

The Danger

A question I hear often: “If the auditor is included in the price, is it a real ISO 27001 certificate?”

Short answer: No.

Longer answer: a credible certificate is issued by a certification body that is itself accredited by a recognized accreditation body, and it can be traced: the certificate names the certification body and its accreditation body, carries a certificate number, and can be looked up in a recognized registry (for ISO management-system certificates, the IAF CertSearch database is the usual check).

Platforms can facilitate the audit and refer firms, but they must not be both judge and interested party: the vendor selling the platform cannot also be the one attesting to the result.

If the certificate is included in the platform payment and no accredited certification body is named, it is not a real certificate. At best it is a private attestation, practically a self-declaration of compliance.

Analogy: I’ve read a lot of books about the MBA and even done the exercises. Do I have an MBA?

Blog: Understanding the role of ISO certification and accreditation bodies.


When It’s Worth It

Governance actually exists (roles, responsibilities, a committee, a regular cadence). Risk management is alive (threats, impacts, decisions that are actually taken and owned). Critical controls are in place (access management, backups, logging, third-party management).

You want to become compliant with several standards you understand well.

In that context, the tool becomes the technical floor for monitoring, creating alerts, retaining evidence, and accelerating the audit.

The team saves time on paperwork to reinvest in security engineering and continuous improvement.

Key takeaway — If you don’t know the standards you want to apply well, you won’t save any money by going to these platforms.

Some Advice

Before any ISO 27001 implementation project, start with these reflections — with or without a tool.

  1. Choose the tool for the integrations that are useful to you (cloud, MDM, CI/CD, HR, ITSM). Enable only what the team can maintain: every connector is another credential and another data flow to review.
  2. Check integration depth, not just the logo list. Some tools integrate more easily with what the organization already has, and the difference between a read-only API connector and a manual upload changes how much evidence is really “continuous”.
  3. Preserve autonomy. Keep an internal evidence repository (policies, procedures, scheduled exports). Audit processes must survive a tool change.
  4. Select the certification body early. Validate its accreditation and plan the 3-year cycle (certification + surveillance audits), independently of the platform. If an “audit included” is offered, require certificate traceability and the name of the accreditation body — otherwise, abstain.
  5. Use the platform for what it does best: automate evidence, detect changes, standardize multi-standard tracking. Keep governance, priorities, and risk acceptance outside the tool.
  6. Watch control A.5.29 (Information security during disruption, ISO 27001:2022): if the platform goes down, evidence collection and monitoring stop and the ISMS is directly affected. A platform-specific continuity and recovery plan (including where the evidence lives if the vendor disappears) must be planned, documented, and tested periodically.
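Item 3 asks for an internal evidence repository that survives a tool change, and item 5 for change detection. The following is an added example of the minimal version of that, written for this page and not taken from any of the platforms named above: a script that hashes each exported artifact, records which controls it supports, and can later report a missing or modified artifact. The file names, the control mapping, and the evidence bytes are constructed for the example; the ISO 27001 and SOC 2 references in `CONTROL_MAP` are illustrative assignments, not a mapping the page provides.

```python
"""Vendor-independent evidence snapshot.

Hashes exported evidence artifacts, records the controls each one supports,
and verifies later that nothing went missing or changed. Constructed example
for illustration; not code from any compliance platform.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts, as a scheduled export from a platform might
# produce them: artifact name -> raw bytes of the evidence.
SAMPLE_ARTIFACTS = {
    "iam_mfa_report_2024-05-01.json": b'{"mfa_enforced": true, "users": 42}',
    "backup_restore_test_2024-04-20.txt": b"restore test passed, RPO 1h",
    "access_review_q1.csv": b"user,role,approved\nalice,admin,yes\n",
}

# Illustrative control mapping (assumed for the example, not from the page).
CONTROL_MAP = {
    "iam_mfa_report_2024-05-01.json": ["ISO27001:A.5.17", "SOC2:CC6.1"],
    "backup_restore_test_2024-04-20.txt": ["ISO27001:A.8.13"],
    "access_review_q1.csv": ["ISO27001:A.5.18", "SOC2:CC6.3"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, control_map, collected_at=None):
    """Build a manifest: one entry per artifact with digest, size and controls.

    The entry list is hashed as well, so a manifest edited after the fact
    (an entry dropped, a digest rewritten) is detectable by verify_manifest.
    """
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = []
    for name in sorted(artifacts):
        data = artifacts[name]
        entries.append({
            "artifact": name,
            "sha256": sha256_hex(data),
            "size": len(data),
            "controls": sorted(control_map.get(name, [])),
            "collected_at": collected_at,
        })
    manifest = {"version": 1, "entries": entries}
    manifest["manifest_sha256"] = sha256_hex(
        json.dumps(entries, sort_keys=True).encode())
    return manifest


def verify_manifest(manifest, artifacts):
    """Return a list of findings; an empty list means every artifact is
    present and byte-for-byte identical to what was recorded."""
    findings = []
    expected = sha256_hex(json.dumps(manifest["entries"], sort_keys=True).encode())
    if manifest["manifest_sha256"] != expected:
        findings.append("manifest digest mismatch")
    for entry in manifest["entries"]:
        name = entry["artifact"]
        if name not in artifacts:
            findings.append(f"missing: {name}")
        elif sha256_hex(artifacts[name]) != entry["sha256"]:
            findings.append(f"modified: {name}")
    return findings


def controls_covered(manifest):
    """Map each control to the artifacts backing it, for a quick gap check."""
    covered = {}
    for entry in manifest["entries"]:
        for control in entry["controls"]:
            covered.setdefault(control, []).append(entry["artifact"])
    return covered


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, CONTROL_MAP,
                              collected_at="2024-05-02T00:00:00+00:00")
    print(json.dumps(manifest, indent=2))
    print("findings:", verify_manifest(manifest, SAMPLE_ARTIFACTS))
    print("covered:", controls_covered(manifest))
```

Run it on a schedule against the platform’s export directory and keep the manifest next to the artifacts, outside the vendor’s account. The manifest is what lets the next auditor, or the next tool, confirm that the evidence from the previous cycle is intact.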

In short, these tools are very good… for organizations that know what they’re doing. In a mature organization, they’re a force multiplier and an antidote to audit chaos.

But in an organization that’s just starting, they can quickly become a fire.

Automation amplifies what exists — it does not replace judgment or risk management.

I believe strongly in the value of automation, structure, and assistance these tools can provide — but you have to be careful.

Regarding independence, I want to be clear: a “certificate” from a platform that is not issued by an accredited body is a private attestation. It can help in a pinch and reassure a customer temporarily, but it is not a certification. If the target market requires ISO 27001, aim for real certification with a recognized body, and treat the auditor as an independent party. The platform will then be an excellent ally for delivering evidence without unnecessary effort.


I invite you to click “Follow” to keep learning about information security and privacy topics, and to check your website for free at loi25.certi360.com