A cloud infrastructure provider in Southeast Asia had already earned its ISO 27001 certification. The problem was everything that came after: maintaining the program, expanding to ISO 27017, and doing it all inside a heavily customized, self-hosted environment that most compliance platforms were never designed to support. The team seriously considered building their own compliance system. In the end, an approaching audit deadline and the real cost of internal development made that option harder to justify than it first appeared.
[ The Problem ]
Certified but buried in manual compliance work, with a harder framework expansion ahead
Holding an ISO 27001 certification is not the same as running an efficient compliance program. For this team, evidence collection had become the most time-consuming part of the job, pulling focus away from the infrastructure work that actually drove the business.
The situation was about to get more complex. Expanding to ISO 27017 while managing a VMware-based private cloud environment meant standard compliance tooling would not fit without significant rework. The fallback was to keep doing things manually, but that path made framework expansion slower and harder to scale as the business grew across Southeast Asia.
[ What they needed ]
The team needed a compliance operating model that could handle all of the following:
- Reduce the manual burden of ongoing ISO 27001 evidence collection
- Extend coverage to ISO 27017 without rebuilding the compliance program from scratch
- Support self-hosted VMware infrastructure and custom vulnerability management tooling
- Allow custom evidence submission rather than forcing a SaaS-native data model
- Preserve flexibility for a highly automated, non-standard internal environment
- Get a working solution in place before the next audit cycle
[ Why Drata won ]
Drata won because it delivered a faster path to audit readiness than an internal build could, at a point when time and resourcing made that gap impossible to ignore.
Custom ingestion path was credible, not theoretical: The proof of concept showed API documentation and a working custom connector flow. The security lead concluded the team had the skills to make it work, which shifted the technical risk from a blocker to a manageable implementation task.
Speed to audit readiness beat the internal build option: The buyer explicitly favored Drata because of time constraints and the lack of internal investment available for a custom compliance system. An approaching Q3 audit made that tradeoff concrete rather than abstract.
Multi-framework coverage removed a future decision: ISO 27001 and ISO 27017 in a single platform, with a path toward additional frameworks, meant the team was not solving only the immediate problem. The platform could grow with the compliance program.
Partner coordination maintained momentum through a technically demanding evaluation: The managed service partner confirmed budget reality early and helped keep the evaluation on track through a complex proof of concept, reducing the risk that the process would revert to a do-it-yourself conclusion.
[ How Drata solved it ]
The evaluation centered on one question: could Drata adapt to an infrastructure-heavy environment without forcing the team to change how they operated? Drata's custom connector framework and API documentation answered that question directly during the proof of concept, demonstrating a credible path for ingesting evidence from self-hosted systems rather than relying on out-of-the-box SaaS integrations.
ISO 27001 and ISO 27017 coverage within a single platform meant the team could manage both frameworks without maintaining separate tools or processes. Custom controls and framework mapping gave the security team the configurability they needed to preserve existing infrastructure patterns rather than conforming to a standardized compliance model.
The combination of platform flexibility and a defined implementation timeline made Drata the more executable choice against the internal build alternative, particularly with an audit deadline creating real urgency around time to value.
[ Before and after Drata ]
Before Drata, the compliance program ran on manual evidence collection with no scalable path to framework expansion in a self-hosted environment. After, the team has a platform with a defined custom integration path, multi-framework coverage, and an audit preparation workflow that replaces the manual processes that had constrained the program.
[ Business outcome ]
The team moved forward with a compliance platform that fits their environment rather than one that requires them to rebuild around it. Evidence collection shifts from a manual, time-intensive process to a structured, repeatable workflow supported by custom integrations the team can build and maintain themselves.
With ISO 27017 coverage now accessible within the same platform, framework expansion becomes a planned extension rather than a separate project. The audit cycle that drove the decision now has a defined preparation path, and the team enters it with tooling in place rather than relying on the same manual processes that created the problem.