Delve – Fake Compliance as a Service
https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service
Vanta misses a lot of things to cover ISO 27001, and clearly misunderstands this norm at times.
The integrations are what makes it really useful, but elements are not correctly connected between them, or are too limited to be useful: for instance, access review information tells you who is an "admin", but ignores the various permission levels (e.g. on GitHub, you can be an admin of a repository) which exist on each platform. So let's say you are using RBAC access policies; then all Vanta integrations are meaningless because you cannot check roles, and you have to build/buy another tool...
Their policy builder is a bad joke, slow, incomplete, and you lose all automations when you need to change even one word.
The default policies are quite bad anyway, very long and complex, pushing you to use forms which are not integrated into the platform, so again you have to maintain a duplicate system elsewhere.
Generally speaking, there's no help keeping policies in sync with processes and proofs, and let me tell you it goes out of sync very fast!