Vanta is one of the most common GRC platforms we encounter in ISO 27001 engagements. It has changed the audit experience in real ways: evidence is better organized, policy versions are tracked, and automated checks surface configuration drift that used to go unnoticed until fieldwork. For SOC 2 engagements the same observations apply.
But a passing Vanta score and audit-readiness are not the same thing. The clients who arrive at opening meetings with gaps are usually not the ones who ignored compliance — they are the ones who assumed the platform covered more than it does. This post is the auditor’s honest assessment: what Vanta gets right, where the gaps consistently appear, and what to fix before fieldwork begins.
What Vanta gets right
The strongest value Vanta delivers is continuous, automated monitoring of cloud infrastructure and identity controls. For organizations running on AWS, GCP, or Azure, Vanta surfaces configuration state — encryption at rest and in transit, logging enabled or not, public-facing buckets, security group permissiveness — without someone having to manually pull that evidence before every audit. That matters. Auditors spend less time chasing screenshots and more time on substantive questions.
The identity and access integrations are similarly useful. Okta, Google Workspace, and AWS IAM checks give a continuous view of MFA enforcement, inactive accounts, and privileged access that is difficult to fake or approximate with manual evidence. When those checks are passing and current, the auditor can move quickly through the access control sections of the standard.
Beyond infrastructure, Vanta provides genuine value in a few other areas:
- Endpoint and MDM checks via Jamf, Kandji, or Intune — device encryption, screen lock enforcement, OS patch status
- Version-controlled policy templates with approval workflows, which reduces the common problem of unsigned, undated policies floating around in Google Drive
- Vendor questionnaire tracking with completion status, which gives supplier reviews a structure they often lack
- Corrective action task tracking with owners and due dates, which reduces the unmanaged open-finding problem
None of this is cosmetic. When these areas are well-maintained, the audit runs faster and findings are fewer. The platform genuinely helps.
Where the gaps are
The problem is not that Vanta is weak. The problem is that the platform creates a confidence that is not always calibrated to what ISO 27001 actually requires. Here are the gaps we encounter consistently.
People controls (Annex A.6)
Vanta can track whether an onboarding or offboarding workflow was completed. It cannot verify whether a security briefing was substantive, whether role-specific training was appropriate to the person’s actual responsibilities, or whether staff who handle sensitive data understand what that means in practice.
What auditors need for people controls is records with dates, populations, and some evidence of effectiveness — not just a completed task checkbox. Training reports should show who was in scope, who completed the training, when they completed it, and who is overdue. That evidence rarely lives in Vanta.
Physical controls (Annex A.7)
Very little in Annex A.7 is automatable via a SaaS platform. Physical access logs, clean desk checks, visitor management records, locked screen observations, and secure disposal evidence are all manual. Vanta-heavy clients frequently arrive audit week without this evidence because the platform gave them a sense of coverage that does not extend to physical space. If your organization has office premises in scope, physical evidence needs to be gathered and organized before fieldwork — not during it.
Organizational controls (Annex A.5)
Policies exist in Vanta, but several organizational control gaps appear consistently. The Statement of Applicability typically lives outside the platform — in a spreadsheet or Confluence — and its linkage to risk treatment decisions is rarely maintained. An SoA that says a control is implemented while the risk treatment plan shows it as still open is an easy finding that the platform will not catch.
Information classification is another example. Vanta can document a classification scheme, but it cannot verify that staff actually label documents correctly or handle data at the right classification level. Similarly, third-party agreements may be uploaded to the vendor register, but uploaded does not mean reviewed for whether they contain the security provisions the standard requires.
Clauses 4–6: Context, leadership, and planning
Vanta does not attempt to cover Clauses 4 through 6, and that is appropriate — context of the organization, interested parties, ISMS scope boundaries, and leadership commitment are not things a platform can assess. The issue is that organizations using Vanta for a first ISO 27001 audit often assume the platform’s framework covers the whole standard.
These clauses are consistently the richest source of findings in Vanta-led engagements: interested-party analysis that has never been updated, scope statements that do not reflect what the organization actually does, leadership commitment evidenced only by a signed policy with no supporting management review record. None of that shows up in the Vanta dashboard.
The stale integration problem
A disconnected AWS account or an expired Okta API token means automated checks stop running. By default, Vanta does not make this failure prominent. We have seen organizations arrive at opening meetings with automated evidence that is 60 to 90 days old because an integration broke and no one noticed. The overall score looked fine. The underlying evidence was not.
Integration health does not roll up into the overall score; it is only visible when someone goes looking for it. Treat checking it as a recurring operational task with an owner, not a one-time setup step.
What to fix before fieldwork
If you are using Vanta and preparing for an ISO 27001 internal audit, the following six actions will close the most common gaps before the auditor arrives.
1. Audit every integration for freshness
Log into each connected integration and confirm it is active. Check when evidence was last collected for each check. Target: nothing older than 30 days at the opening meeting. If an integration is broken, fix it and let the checks run before fieldwork, not during.
2. Resolve all failing and at-risk tests
Do not arrive with a passing overall score that masks a set of overdue or failing checks. Auditors look at the failing items first. An organization with ten unresolved failing checks and a green aggregate score creates immediate questions about whether the platform is being managed or just present.
3. Pull manual evidence for people and physical controls
Before fieldwork begins, gather training completion reports with dates and populations, physical access logs, visitor records where applicable, and any clean desk or screen lock observation records. These do not appear in Vanta. Collecting them during the audit instead of before it slows fieldwork and signals that evidence management is reactive.
4. Map your SoA against Vanta’s control coverage
Go through your Statement of Applicability and identify every Annex A control that is marked applicable but has no corresponding automated Vanta check. Those controls need manual evidence. This mapping exercise typically surfaces a significant number of controls with no automated coverage — primarily in the organizational, people, and physical categories.
5. Check vendor entries have completed questionnaires
A vendor listed in Vanta with no completed risk questionnaire and no contract attachment is an open finding. Review your vendor register and close outstanding questionnaires before the audit. Pay particular attention to critical suppliers — cloud providers, subprocessors, and any third party with access to sensitive systems or data.
6. Verify policy versions are approved and current
Check that the approver shown on each policy is still in role, the review date has not lapsed, and the version in Vanta matches what staff actually follow. Policy drift between the platform and practice is one of the most common easy findings in Vanta-using organizations — the document looks controlled, but no one has reviewed it since the initial setup.
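Steps 1 and 4 above are both join-and-filter exercises over data you can export, so they are worth scripting rather than eyeballing in the dashboard. The script below is an added example written for this post; it is not code from the original article and not a Vanta tool or API. It assumes two exports you have produced yourself: a CSV of automated checks with the columns check, control and last_collected (ISO 8601 timestamp of the last successful evidence collection), and an SoA extract with the columns control and applicable. The check names, control mappings and dates are constructed for illustration. It flags evidence older than the 30-day target, lists applicable Annex A controls with no automated check behind them (these need manual evidence), and, as a third view the post implies but does not spell out, lists controls whose only automated coverage is itself stale, since those are effectively uncovered at the opening meeting.

```python
"""Pre-fieldwork gap check: stale automated evidence and uncovered SoA controls.

Added example, not part of the original post or of any Vanta tooling. Column
names, check names, control mappings and dates below are all constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed export of automated checks: one row per check, mapped to an
# Annex A control, with the last successful evidence collection timestamp.
CHECKS_CSV = """check,control,last_collected
aws-s3-public-access-blocked,A.8.20,2024-03-02T10:15:00Z
okta-mfa-enforced,A.8.5,2023-12-18T09:00:00Z
aws-cloudtrail-enabled,A.8.15,2024-03-01T23:40:00Z
jamf-disk-encryption,A.8.24,2024-03-03T07:05:00Z
gcp-iam-inactive-users,A.8.2,2024-01-04T12:00:00Z
"""

# Constructed Statement of Applicability extract.
SOA_CSV = """control,applicable
A.5.9,yes
A.6.3,yes
A.7.2,yes
A.8.2,yes
A.8.5,yes
A.8.15,yes
A.8.20,yes
A.8.24,yes
A.8.30,no
"""

# Target from the post: nothing older than 30 days at the opening meeting.
STALE_AFTER = timedelta(days=30)

# Constructed opening-meeting date used as the reference point for ageing.
AS_OF = datetime(2024, 3, 4, tzinfo=timezone.utc)


def parse_checks(text):
    """Parse the checks export; accepts a trailing 'Z' on the timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["last_collected"].replace("Z", "+00:00"))
        rows.append({"check": row["check"], "control": row["control"], "last_collected": ts})
    return rows


def stale_checks(checks, as_of=AS_OF, max_age=STALE_AFTER):
    """(check, age_in_days) for every check whose evidence is older than max_age."""
    return [
        (c["check"], (as_of - c["last_collected"]).days)
        for c in checks
        if as_of - c["last_collected"] > max_age
    ]


def uncovered_controls(soa_text, checks):
    """Applicable SoA controls with no automated check mapped to them."""
    automated = {c["control"] for c in checks}
    return sorted(
        row["control"]
        for row in csv.DictReader(io.StringIO(soa_text))
        if row["applicable"].strip().lower() == "yes" and row["control"] not in automated
    )


def controls_with_stale_coverage(checks, as_of=AS_OF, max_age=STALE_AFTER):
    """Controls where every mapped check is stale: automated coverage exists on paper only."""
    by_control = {}
    for c in checks:
        fresh = (as_of - c["last_collected"]) <= max_age
        by_control.setdefault(c["control"], []).append(fresh)
    return sorted(ctl for ctl, fresh_flags in by_control.items() if not any(fresh_flags))


def main():
    checks = parse_checks(CHECKS_CSV)
    print("Stale evidence (> %d days):" % STALE_AFTER.days)
    for name, age in stale_checks(checks):
        print("  %-32s %3d days" % (name, age))
    print("Applicable controls with no automated check (need manual evidence):")
    for ctl in uncovered_controls(SOA_CSV, checks):
        print("  " + ctl)
    print("Controls whose automated coverage is entirely stale:")
    for ctl in controls_with_stale_coverage(checks):
        print("  " + ctl)


if __name__ == "__main__":
    main()
```

Run it against your real exports by swapping the two CSV constants for file contents; the 30-day threshold and the reference date are the only other knobs. The third list is the one that catches the failure mode described under the stale integration problem: a control shows as covered, but the only check behind it last ran months ago.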
The platform is a tool, not a program
Vanta reduces the burden of evidence collection meaningfully. It automates monitoring that would otherwise require significant manual effort and makes audit preparation faster for organizations that maintain it well.
What it does not do is replace the judgment calls that ISO 27001 requires: on scope, on risk, on what leadership commitment looks like in practice, and on whether people and physical controls are operating as documented. The standard requires an information security management system, not a compliance dashboard. Those are related but not the same thing.
The clients who arrive audit-ready with Vanta are the ones who understand what the platform covers and have already filled the gaps it does not. That gap-filling is the work.
