Your compliance dashboard shows 93 controls passing. Your ISO 27001 internal audit asks whether the evidence behind those controls would survive a certification body (CB) visit. Different question. Different answer.
I see this constantly. Organisations assume their compliance platform covers the internal audit. Controls are live. Evidence is never evaluated. And when the CB arrives for surveillance, the internal audit record that Clause 9.2 requires either doesn't exist or falls apart under scrutiny.
What compliance platforms do (and don't do)
Vanta and Drata connect to your live systems — AWS, Okta, GitHub, Azure AD — and check that your technical controls are operating. MFA is enabled. Encryption is on. Access reviews are scheduled. That's useful. It cuts the time between a control failing and someone noticing.
But it answers one question: are your controls running right now?
It doesn't answer the question your internal audit needs to answer.
What Clause 9.2 actually asks for
ISO 27001:2022 Clause 9.2 requires internal audits at planned intervals. In practice, a qualified auditor evaluates your evidence — policies, procedures, risk treatment plans, training records, management review minutes — against each relevant clause and Annex A control. For each, they reach a finding: Conforming, Minor Non-Conformity, Major Non-Conformity, or Observation.
That's not a dashboard check. It's a structured evaluation conducted in line with ISO 19011:2018 auditing principles. The output is a report with clause-level findings, evidence citations, and a conclusion signed off by a lead auditor.
Your compliance platform can't produce that. It wasn't built to.
Where this gap catches people
The gap shows up at the worst time: when the certification body arrives.
The CB asks to see your internal audit record. Not your monitoring dashboard. Your audit record. They want evidence of a structured ISMS evaluation, clause-level findings, qualified auditor review, and non-conformities tracked through to corrective action.
If what you hand them is a Vanta export showing control pass/fail status, they'll ask where the audit is. A passing control tells you the control is running. An audit finding tells you whether the evidence behind that control — the policy, the procedure, the training record — is sufficient against the standard's requirements. Those are different things.
I've watched organisations discover this mid-surveillance. It costs them extra audit days, additional findings, and a scramble to produce what should have been ready months earlier.
They're complementary, not the same thing
None of this is a criticism of Vanta or Drata. They do something internal audit doesn't: real-time control monitoring. An internal audit happens at a point in time. Monitoring happens every day. Most organisations need both.
The mistake is thinking one covers the other.
Manylder handles the part compliance platforms don't: a complete ISO 27001 internal audit, end to end. I review your evidence clause by clause, confirm every finding, and deliver a structured report with evidence citations and confidence scores. Not a dashboard export. An audit.
Your Vanta dashboard shows your controls are passing. Manylder shows what your auditor needs to know.