If you already operate an ISO/IEC 27001:2022 ISMS, you may be able to reuse existing work and reduce duplication of effort. Much of the documentation and operational evidence referenced during a SOC 2 engagement may already exist, but it is often organised, labelled, or contextualised differently from what SOC 2 auditors typically expect.
For SMEs and startups, a portion of SOC 2 effort may relate less to implementing new controls and more to the time spent recreating evidence that overlaps with ISO 27001 practices. This guide explains how ISO/IEC 27001:2022 Annex A controls commonly align with SOC 2 Trust Services Criteria (TSC) – particularly the Common Criteria (CC series). It also discusses how existing evidence artefacts may be reviewed and, in some cases, compared to SOC 2 evidence expectations to identify potential areas where duplication or rework might exist. Outcomes may vary depending on auditor expectations and organisational context.
It is also helpful to note that SOC 2 is not a certification. It is an assurance report issued by a CPA firm, expressing an opinion on how selected controls were designed and operated over a defined review period. By contrast, ISO 27001 is a certification standard, where an accredited certification body assesses conformity of an information security management system against the standard’s requirements.
Why This Mapping Matters for SMEs
ISO 27001 and SOC 2 are often approached as separate compliance initiatives. In practice, they assess different aspects of the same underlying security environment:
- ISO 27001 focuses on whether a risk-based information security management system (ISMS) has been designed and maintained.
- SOC 2 evaluates whether selected controls, particularly under the Trust Services Criteria (Security / Common Criteria), operated consistently over a defined Type II review period.
The underlying security foundations often overlap. What typically differs is how evidence is scoped, aggregated, and presented to auditors.
Where ISO 27001 has been implemented with consistent operation and record-keeping, portions of the evidence referenced for SOC 2 Security may already exist. However, teams may still encounter issues if completeness, continuity, or evidence presentation expectations are misunderstood.
ISO 27001 vs SOC 2: What’s The Difference
Understanding how ISO/IEC 27001:2022 and SOC 2 differ helps SMEs and startups see where existing ISO artefacts may support SOC 2 preparation and where additional evidence may be needed.
| Area | ISO/IEC 27001:2022 | SOC 2 |
|---|---|---|
| Primary lens | Risk-based ISMS | Control effectiveness over time |
| Structure | Clauses + Annex A | Trust Services Criteria |
| Core criteria | Annex A (4 themes, 93 controls) | Common Criteria (CC1 – CC9) |
| Evidence style | Policies, registers, procedures | Control narratives and testable evidence artefacts |
| Audit scope | Sampling is commonly applied | Population-based testing using selected samples (Type II) |
| Outcome | Certification | CPA attestation report |
Key insight:
- ISO 27001 focuses on whether security controls are designed and governed within a risk-based management system.
- SOC 2 focuses on whether selected controls operated consistently, completely, and as described during the review period.
The Correct Mental Model: Evidence Over Framework Labels
A common starting point is the question: “Which SOC 2 controls do we need to implement?”
A more practical framing is: “Which existing ISO/IEC 27001:2022 artefacts may be relevant when assessing SOC 2 Common Criteria (CC series)?”
During a SOC 2 Type II engagement, auditors typically focus on whether available evidence indicates that selected controls operated consistently throughout the review period. Alignment to ISO 27001 alone is generally not the primary consideration. Mapping ISO artefacts to relevant Trust Services Criteria (TSC) may help organisations reference existing documentation when discussing control operation, subject to audit scope, evidence coverage, and assessor judgment.
ISO 27001 to SOC 2 Evidence Crosswalk
This crosswalk illustrates how common ISO/IEC 27001:2022 artefacts are sometimes mapped with SOC 2 Trust Services Criteria (TSC). SMEs and startups can review existing documentation to see which artefacts might support SOC 2 evidence collection and where additional context or labelling may be helpful.
| ISO/IEC 27001:2022 Artefact | SOC 2 Evidence Role |
|---|---|
| Risk Register | CC3 (Risk Assessment) |
| Statement of Applicability | Control Justification (Maps to Section III / System Description) |
| Access Control Policy | CC6 (Logical and Physical Access Controls) |
| Joiner–Mover–Leaver records | CC6 (Logical and Physical Access Controls) |
| Logging and monitoring logs | CC7 (System Operations) |
| Supplier risk assessments | CC9.2 (Vendor and Business Partner Management) |
| Incident register | CC7.4 / CC7.5 (Incident Response and Remediation) |
| Internal audit results | CC4 (Monitoring of Controls) |
| Management review minutes | CC1 (Control Environment) |
Note: While these mappings are common in the industry, the final acceptance of any evidence artefact is subject to the professional judgment of your specific SOC 2 assessor.
The Technical Bridge: Annex A → SOC 2 Common Criteria
The tables below provide illustrative examples of ISO/IEC 27001:2022 controls mapped to SOC 2 Trust Services Criteria. They show where evidence artefacts may overlap and where additional documentation or context could be needed. Acceptance of any artefact depends on auditor judgment, scope, and review design.
Access Control
SMEs may observe that ISO 27001 access control artefacts can sometimes be relevant for SOC 2 evidence. The table below illustrates common alignment and potential challenges.
| ISO/IEC 27001:2022 Control | SOC 2 Criteria | Indicative Evidence Reuse Potential | Considerations |
|---|---|---|---|
| A.5.15 (Access control) | CC6.1 (Logical and Physical Access Controls) | High | Quarterly access reviews may be documented, not just performed |
| A.5.18 (Access rights) | CC6.2 / CC6.3 (User ID, Authentication, and Access) | High | CC6.2 requires proof of MFA. SOC 2 may consider evidence for all users rather than samples |
| A.8.2 (Privileged access rights) | CC6.3 (Authorization and Access) | High | Elevated access reviews may be documented explicitly |
| A.8.3 (Information access restriction) | CC6.6 (Access Removal on Termination) | High | Timely access removal may be recorded, depending on operational processes |
Change Management and System Operations
SMEs may find that artefacts created for ISO 27001 change management and system operations can partially support SOC 2 evidence collection.
| ISO/IEC 27001:2022 Control | SOC 2 Criteria | Indicative Evidence Reuse Potential | Considerations |
|---|---|---|---|
| A.8.32 (Change management) | CC8.1 (Change Management) | High | Evidence of change testing may be documented for each change, depending on operational practices |
| A.8.9 (Configuration management) | CC7.1 (System Component), CC7.2 (Monitoring) | High | Configuration baselines linked to a complete asset inventory and change-detection alerts may be recorded and available for review |
| A.8.15 (Logging) | CC7.2 (Monitoring and Detection) | High | Logs may cover the relevant period and illustrate system operations |
| A.8.16 (Monitoring) | CC7.3 (Anomaly Evaluation) | High | Alert review records may be retained and accessible for auditors |
Incident Management
Artefacts developed for ISO 27001 incident management may partially support SOC 2 evidence collection. SOC 2 auditors generally focus on how incidents were addressed and documented over the review period.
| ISO/IEC 27001:2022 Control | SOC 2 Criteria | Indicative Evidence Reuse Potential | Considerations |
|---|---|---|---|
| A.5.24 (Information security incident management planning and preparation) | CC7.4 (Incident Response) | High | Documentation of incident planning may support evidence, though SOC 2 may review actual incident handling |
| A.5.25 (Assessment and decision on information security events) | CC7.5 (Incident Remediation) | High | Root cause analyses may be available from prior ISO processes and could help illustrate control effectiveness |
| A.5.26 (Response to information security incidents) | CC7.5 (Incident Remediation) | High | Records of incident closure may be documented and accessible for auditors |
Vendor and Cloud Security
ISO 27001 supplier and cloud security artefacts may support SOC 2 evidence for vendor and cloud management. SMEs may find that existing assessments and contracts partially address SOC 2 criteria.
| ISO/IEC 27001:2022 Control | SOC 2 Criteria | Indicative Evidence Reuse Potential | Considerations |
|---|---|---|---|
| A.5.19 (Information security in supplier relationship) | CC9.2 (Vendor and Business Partner Management) | High | Vendor reviews may include relevant in-scope vendors; SOC 2 may focus on completeness and coverage |
| A.5.20 (Addressing information security within supplier agreements) | CC9.2 (Vendor and Business Partner Management) | High | Contracts may reflect security obligations; SOC 2 may request clarity on specific responsibilities |
| A.5.23 (Information security for use of cloud services) | CC9.3 (Service Provider Monitoring) | High | Shared responsibility may be documented; SOC 2 may review evidence of operational adherence |
Business Continuity and Availability
ISO 27001 business continuity artefacts may support SOC 2 evidence related to service availability. SMEs may find that some continuity planning and testing overlaps with SOC 2 expectations.
| ISO/IEC 27001:2022 Control | SOC 2 Criteria | Indicative Evidence Reuse Potential | Considerations |
|---|---|---|---|
| A.5.30 (ICT readiness for business continuity) | A1.2 (Availability Monitoring and Management) | Moderate | Recovery plans may be documented; SOC 2 may request evidence of tested recovery exercises or simulations |
Note: These illustrative mapping examples may be useful as reference only; acceptance of artefacts depends on auditor judgement, scope, and review design.
Pitfalls ISO-Certified Teams May Encounter
1. Population Completeness
ISO auditors may sample 3 – 5 items, while SOC 2 Type II audits select samples for testing from the full population over the audit period. Depending on system scope and audit design, this may include items such as:
- Every access change
- Every terminated user
- Every in-scope vendor
- Every production change
The specific population under review depends on system boundaries, control definitions, and audit scope.
Even when ISO artefacts are available, gaps in evidence coverage may be noted during SOC 2 reviews. SMEs may find that mapping existing ISO evidence to SOC 2 population requirements helps clarify coverage and reduce follow-up requests from auditors.
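To make the population point concrete, here is an added example (written for this guide, not taken from any auditor, tool or the original article) of a full-population reconciliation for terminated users. The HR export and identity-provider disable events are constructed sample data, and the five-day removal SLA is an assumed value; the script tests every leaver in the audit period rather than a handful of samples, and reports on-time, late and missing removals so that a gap in coverage is visible before the auditor asks.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Audit period for the Type II review (constructed example value).
AUDIT_PERIOD = (date(2025, 1, 1), date(2025, 12, 31))

# Constructed sample data (hypothetical users and dates, not from any real system).
# HR export: the full population of leavers, including one before the audit period.
HR_TERMINATIONS = [
    ("alice", date(2025, 2, 3)),
    ("bob", date(2025, 4, 17)),
    ("carol", date(2025, 6, 30)),
    ("dave", date(2025, 7, 12)),
    ("erin", date(2024, 11, 20)),  # terminated before the period: out of scope
]

# Identity-provider export: account-disable events (carol has none).
IDP_DISABLE_EVENTS = [
    ("alice", date(2025, 2, 3)),
    ("bob", date(2025, 4, 25)),    # eight days after termination
    ("dave", date(2025, 7, 14)),
    ("erin", date(2024, 11, 21)),
]


@dataclass
class Finding:
    user: str
    terminated: date
    disabled: Optional[date]
    status: str  # "on_time", "late" or "missing"


def reconcile_terminations(terminations, disable_events, period_start, period_end, sla_days=5):
    """Check every in-scope leaver against the IdP disable log.

    Returns one Finding per leaver whose termination date falls inside the
    audit period, so the output is the whole population, not a sample.
    A removal is "late" when it happened more than sla_days after termination
    (the SLA is an assumed value; use the one in your own access policy).
    """
    disabled_on = {}
    for user, when in disable_events:
        # keep the earliest disable date if a user appears more than once
        if user not in disabled_on or when < disabled_on[user]:
            disabled_on[user] = when

    findings = []
    for user, terminated in terminations:
        if not (period_start <= terminated <= period_end):
            continue  # outside the Type II window: not part of the population
        when = disabled_on.get(user)
        if when is None:
            status = "missing"
        elif (when - terminated).days <= sla_days:
            status = "on_time"
        else:
            status = "late"
        findings.append(Finding(user, terminated, when, status))
    return findings


def summarise(findings):
    """Counts per status plus the population size, for the evidence index."""
    counts = {"on_time": 0, "late": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    counts["population"] = len(findings)
    return counts


if __name__ == "__main__":
    results = reconcile_terminations(HR_TERMINATIONS, IDP_DISABLE_EVENTS, *AUDIT_PERIOD)
    for f in results:
        print(f"{f.user:6} terminated {f.terminated} disabled {f.disabled} -> {f.status}")
    print(summarise(results))
```

The same shape works for the other populations listed above: swap the HR export for the vendor register or the change-ticket export, and the disable log for the corresponding evidence (completed vendor reviews, approved change records). The point is that the population comes from a system of record, not from the evidence folder, so missing items show up as findings rather than disappearing.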
2. System Description Requirements
SOC 2 audits often expect a formal System Description (DC 200 / Section III) covering:
- System boundaries
- Infrastructure and software components
- Data flows
- Control responsibilities
ISO 27001 does not have a direct equivalent. While existing ISO evidence may map to SOC 2 controls, SMEs may consider preparing a System Description to give context for those controls; auditor review may vary. This can help reduce follow-up questions and improve alignment with SOC 2 expectations.
3. Evidence Continuity and Automation
Many SMEs use automation or GRC tools to collect ISO 27001 evidence. Consider the following:
- ISO audits may tolerate short gaps in documentation.
- SOC 2 audits may flag gaps as exceptions or request additional context.
For example, if an integration or automated workflow is unavailable for several weeks, ISO evidence review may proceed without issue, while SOC 2 auditors may seek supplementary records or clarifications. Clear ownership of evidence, along with consistent tracking and documentation practices, may assist in organising evidence and providing clarity; however, the impact on audit outcomes is not guaranteed.
Beyond Security: Other SOC 2 Trust Services Criteria
Most SMEs start with Security (CC series), but some buyers also request evidence for additional SOC 2 Trust Services Criteria. Awareness of these areas can help SMEs identify potential evidence gaps.
Example: Availability
- SOC 2: A1.2 (Availability Monitoring and Management)
- ISO Mapping: A.5.30 (ICT readiness for business continuity)
- Evidence considerations: SMEs may consider providing disaster recovery testing results and restoration records to illustrate operational execution.
Example: Confidentiality
- SOC 2: C1.1 / C1.2 (Confidentiality Protection and Disposal)
- ISO Mapping: A.5.12 (Classification of information)
- Evidence considerations: Auditors typically expect records of secure data handling, including documented proof of disposal (e.g. certificates of destruction for hardware or deletion logs for cloud databases) to show that data is not retained beyond its defined lifecycle.
ISO 27001 provides the structural framework, while SOC 2 reviews may focus on the practical application of these controls during the audit period.
Converting ISO Evidence into SOC 2 Proof
Step 1: Define the Audit Period
SOC 2 Type II reviews focus on a specific period (e.g. the last 6 – 12 months). Evidence from outside this window may not be considered. Clarifying the audit period early may help SMEs organise ISO artefacts for potential reuse.
Step 2: Build a Control – Evidence Index
Some teams document a mapping table linking SOC 2 Common Criteria (CC) to ISO/IEC 27001:2022 evidence. For example:
| SOC 2 CC | Example Evidence | ISO/IEC 27001:2022 Origin |
|---|---|---|
| CC6.1 (Logical and Physical Access Controls) | Access review logs | A.5.15 (Access control) |
| CC7.4 (Incident Response) | Incident register | A.5.24 (Information security incident management planning and preparation) |
| CC8.1 (Change Management) | Change tickets | A.8.32 (Change management) |
This table may serve as a reference for organising artefacts and identifying potential evidence gaps.
Step 3: Standardise Evidence Naming
Clear, consistent filenames may reduce ambiguity and simplify evidence review. Examples:
- User_Access_Review_Q2_2025.xlsx
- Incident_Register_2025.pdf
- Vendor_Risk_Assessment_Register.xlsx
A consistent naming approach may assist reviewers in locating artefacts; impact on follow-up questions will depend on auditor judgment.
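The three steps above, plus the continuity pitfall described earlier, can be turned into a small self-check. The following is an added example written for this guide (not code from the original article or from any GRC product): it holds a control–evidence index like the one in Step 2, checks each required criterion for date gaps inside the audit period from Step 1, and validates filenames against the Step 3 convention. The artefacts, dates, the list of required criteria and the filename regex are all constructed assumptions for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Audit period for the Type II review (constructed example value).
AUDIT_PERIOD = (date(2025, 1, 1), date(2025, 12, 31))

# Assumed filename convention: words joined by underscores, a known extension, no spaces.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*\.(?:xlsx|csv|pdf|json)$")


@dataclass
class Artefact:
    cc: str             # SOC 2 criterion the artefact supports
    iso_origin: str     # Annex A control it was produced under
    filename: str
    covers_from: date   # first day the artefact evidences
    covers_to: date     # last day the artefact evidences


# Constructed evidence index (hypothetical files; the dates are made up).
EVIDENCE_INDEX = [
    Artefact("CC6.1", "A.5.15", "User_Access_Review_Q1_2025.xlsx", date(2025, 1, 1), date(2025, 3, 31)),
    Artefact("CC6.1", "A.5.15", "User_Access_Review_Q2_2025.xlsx", date(2025, 4, 1), date(2025, 6, 30)),
    Artefact("CC6.1", "A.5.15", "User_Access_Review_Q4_2025.xlsx", date(2025, 10, 1), date(2025, 12, 31)),
    Artefact("CC7.4", "A.5.24", "Incident_Register_2025.pdf", date(2025, 1, 1), date(2025, 12, 31)),
    # ticket export stops mid-August, as when an integration is down for weeks
    Artefact("CC8.1", "A.8.32", "change tickets export (final).csv", date(2025, 1, 1), date(2025, 8, 15)),
]

# Criteria the index is expected to cover; CC9.2 has no artefact at all.
REQUIRED_CRITERIA = ["CC6.1", "CC7.4", "CC8.1", "CC9.2"]


def check_name(filename):
    """True when the filename follows the Step 3 naming convention."""
    return NAME_PATTERN.match(filename) is not None


def coverage_gaps(index, required, period_start, period_end):
    """Return, per required criterion, the date ranges inside the audit period
    that no artefact covers. A criterion with no artefact yields the whole period."""
    spans_by_cc = {}
    for a in index:
        spans_by_cc.setdefault(a.cc, []).append((a.covers_from, a.covers_to))

    gaps = {}
    for cc in required:
        cursor = period_start       # first day still needing evidence
        cc_gaps = []
        for start, end in sorted(spans_by_cc.get(cc, [])):
            if end < cursor:
                continue            # span lies entirely before what we still need
            if start > cursor:
                cc_gaps.append((cursor, start - timedelta(days=1)))
            cursor = end + timedelta(days=1)
            if cursor > period_end:
                break
        if cursor <= period_end:
            cc_gaps.append((cursor, period_end))
        gaps[cc] = cc_gaps
    return gaps


def naming_violations(index):
    """Filenames in the index that do not follow the convention."""
    return [a.filename for a in index if not check_name(a.filename)]


if __name__ == "__main__":
    for cc, ranges in coverage_gaps(EVIDENCE_INDEX, REQUIRED_CRITERIA, *AUDIT_PERIOD).items():
        print(cc, "gaps:", [(s.isoformat(), e.isoformat()) for s, e in ranges] or "none")
    print("non-conforming filenames:", naming_violations(EVIDENCE_INDEX))
```

Run against the sample index, the check reports a missing Q3 access review for CC6.1, a change-ticket gap from mid-August for CC8.1, and no evidence at all for CC9.2, which is exactly the kind of continuity exception a Type II reviewer would raise; it also flags the one filename with spaces and parentheses.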
Cost Considerations for SMEs
For many SMEs, preparing for SOC 2 after implementing ISO/IEC 27001:2022 can vary widely in effort and resources.
- Without mapping ISO evidence to SOC 2, the process may require more extensive consultancy support, internal coordination, and additional documentation.
- With evidence mapping and reuse, internal effort may be lower; however, final audit fees are determined by the complexity of the environment and the rates of the engaged CPA firm.
Potential reasons mapping may, in some cases, reduce preparatory effort include:
- Fewer gaps in evidence that auditors need to review
- More efficient audit review, helping to complete the engagement with fewer rounds of follow-up
- Lower reliance on external support
- Less duplicate documentation or rework
Starting with ISO 27001 may provide a framework that can assist SMEs in organising SOC 2 preparation and better leverage existing controls and records.
Practical Recommendation for Lean Teams
For SMEs and startups exploring ways to structure compliance efforts, the following approaches may help identify potential overlaps and improve alignment between ISO/IEC 27001:2022 and SOC 2 compliance evidence:
- Organisations that have implemented ISO/IEC 27001:2022 practices thoroughly often have a stronger foundation across multiple frameworks.
- Maintain evidence that is clear, complete, and timestamped. Well-organised artefacts improve traceability and reduce review time.
- Map Annex A controls to SOC 2 Common Criteria (CC series) where applicable. This highlights overlapping coverage and identifies potential gaps.
- Reuse logs, registers, and other artefacts where relevant. Leveraging existing evidence can save time and reduce redundant work.
- Consider adding controls only where SOC 2 guidance may call for more depth. Focused additions can address potential gaps while keeping the ISMS manageable.
These steps may be considered as a reference to structure compliance-related documentation and planning; results may differ by organisation.
TL;DR – ISO to SOC 2 for SMEs
- ISO/IEC 27001:2022 frequently overlaps with many SOC 2 Security controls, providing a starting point for SMEs.
- Common areas noted during SOC 2 reviews often include population completeness, continuity, and presentation of evidence.
- SOC 2 Common Criteria (CC series) serve as a practical bridge between the frameworks.
- Operational logs and records are frequently considered alongside written policies in reviews.
- Thoughtful mapping of ISO evidence to SOC 2 may reduce review effort and help organise evidence; actual review effort and audit outcomes depend on auditor judgment.
Please Note: This article provides general information only and does not constitute legal, regulatory, or compliance advice. Using our products or following this guidance cannot guarantee certification, improved business outcomes, or regulatory compliance. Organisations remain responsible for ensuring all actions meet certification and compliance requirements.
Please also note that all pricing, budget, or cost estimates provided are subject to change and should be independently verified by the user.