Extending SOC 2 to ISO 27001: A Practical Guide

How to leverage your existing SOC 2 compliance program to achieve ISO 27001 certification with minimal incremental effort by mapping control overlap and addressing the gaps.

Agency Team

If your organization already holds a SOC 2 Type II report, you are closer to ISO 27001 certification than you might think. The two frameworks share 60 to 80 percent of their control requirements, which means the path from SOC 2 to ISO 27001 is not about rebuilding your security program -- it is about formalizing the management system around it and filling a defined set of gaps. Here is how we guide clients through that extension.

The most common multi-framework path we see for B2B software companies is SOC 2 first, then ISO 27001. This sequence makes sense because SOC 2 is typically the first framework North American companies pursue, and the controls implemented for SOC 2 create a strong foundation for ISO 27001. However, the extension is not automatic. ISO 27001 requires elements that SOC 2 simply does not address, and understanding those gaps before you begin is the difference between a smooth certification and a frustrating one.

For a detailed comparison of when to pursue each framework first, see our guide on SOC 2 vs ISO 27001.

Understanding the Control Overlap

Where SOC 2 and ISO 27001 Align

The Security Trust Services Criterion in SOC 2 maps substantially to ISO 27001 Annex A controls. Here is how the major control domains align:

Control Domain | SOC 2 Coverage | ISO 27001 Coverage | Overlap Level
--- | --- | --- | ---
Access control | CC6.1-CC6.8 | A.5.15-A.5.18, A.8.2-A.8.5 | High
Change management | CC8.1 | A.8.32 | High
Risk assessment | CC3.1-CC3.4 | Clause 6.1, A.5.7 | Moderate
Incident response | CC7.3-CC7.5 | A.5.24-A.5.28 | High
Logical and physical security | CC6.4-CC6.6 | A.7.1-A.7.14, A.8.1 | High
System monitoring | CC7.1-CC7.2 | A.8.15-A.8.16 | High
Vendor management | CC9.2 | A.5.19-A.5.23 | Moderate
Data encryption | CC6.1, CC6.7 | A.8.24 | High
HR security | CC1.4 | A.6.1-A.6.8 | Moderate
Business continuity | A1.1-A1.3 (if in scope) | A.5.29-A.5.30 | Moderate
Privacy | P1-P8 (if in scope) | A.5.34 | Moderate

Where They Diverge

The critical distinction is that SOC 2 evaluates whether controls are designed and operating effectively. ISO 27001 evaluates that too, but it also requires a management system -- the framework of processes, documentation, and governance that ensures controls remain effective over time. This is not a subtle difference.

SOC 2 asks: "Is this control working?" ISO 27001 asks: "Is this control working, is it part of a managed system, and is there a process to ensure it continues working?"

What ISO 27001 Requires Beyond SOC 2

1. Formal Information Security Management System (ISMS)

The ISMS is the most significant gap for SOC 2-only organizations. It encompasses Clauses 4 through 10 of ISO 27001 and includes:

Context of the organization (Clause 4). You must document:

  • Internal and external issues relevant to information security
  • Interested parties (stakeholders) and their requirements
  • The scope of the ISMS, including boundaries and applicability

Leadership and commitment (Clause 5). Requirements include:

  • An information security policy signed by top management
  • Defined information security roles, responsibilities, and authorities
  • Evidence of management commitment beyond policy approval

Planning (Clause 6). This includes:

  • A formal risk assessment process (see below)
  • Information security objectives that are measurable and monitored
  • Plans for achieving those objectives with assigned resources and timelines

Support (Clause 7). Requirements for:

  • Adequate resources for the ISMS
  • Competence requirements and evidence of personnel competence
  • Security awareness program
  • Communication planning (internal and external)
  • Documented information management (document control)

Operation (Clause 8). Evidence that:

  • Planned processes are implemented and controlled
  • Risk assessments are performed at planned intervals
  • Risk treatment plans are implemented

Performance evaluation (Clause 9). Requirements for:

  • Monitoring, measurement, analysis, and evaluation
  • Internal audit program (see below)
  • Management review at planned intervals

Improvement (Clause 10). Evidence of:

  • Corrective action for nonconformities
  • Continual improvement of the ISMS

Most SOC 2 organizations perform elements of these activities informally. The gap is typically in the formalization, documentation, and systematic execution of these management system processes.

2. Risk Assessment Methodology

SOC 2 requires risk assessment as part of CC3.1-CC3.4, but ISO 27001 demands a significantly more rigorous and documented approach:

Aspect | SOC 2 Expectation | ISO 27001 Requirement
--- | --- | ---
Methodology | Flexible; no prescribed method | Documented methodology defining criteria for risk acceptance and the assessment approach, and ensuring consistent, valid, comparable results
Scope | Focus on risks to achieving Trust Services Criteria | Comprehensive identification of risks to confidentiality, integrity, and availability of all information assets in scope
Risk owners | Not explicitly required | Every identified risk must have an assigned risk owner
Treatment options | Implicitly addressed through controls | Formal risk treatment plan with explicit decisions (mitigate, accept, transfer, avoid) for each risk
Documentation | Risk assessment referenced but format flexible | Risk register, risk treatment plan, and risk acceptance documentation required
Frequency | At least annual | At planned intervals and when significant changes occur

In our experience, the risk assessment methodology is the area where SOC 2 organizations invest the most time during the ISO 27001 extension. Getting this right is essential because the risk assessment drives the Statement of Applicability, which drives the audit.

3. Statement of Applicability (SoA)

The Statement of Applicability is a document unique to ISO 27001 that has no SOC 2 equivalent. It lists all Annex A controls (93 controls in the 2022 version) and for each one documents:

  • Whether the control is applicable or not applicable (with justification for exclusions)
  • The implementation status
  • A reference to the implementing policy, procedure, or evidence

The SoA is the central artifact that certification body auditors use to plan their assessment. It must be comprehensive, accurate, and aligned with your risk assessment results. Building the SoA is largely a documentation exercise if your controls are already implemented through SOC 2, but it requires careful mapping and gap identification.

4. Management Reviews

ISO 27001 Clause 9.3 requires management reviews at planned intervals (typically annually or semi-annually). These are formal meetings with documented inputs and outputs where top management evaluates the ISMS performance and makes decisions about:

  • The need for changes to the ISMS
  • Resource allocation
  • Opportunities for improvement

Required inputs include internal audit results, risk assessment updates, incident trends, metric performance, and feedback from interested parties. Required outputs include decisions and actions related to continual improvement, resource needs, and any changes to the ISMS.

SOC 2 does not require formal management reviews with this level of structure and documentation.

5. Internal Audit Program

While SOC 2 involves external assessment, ISO 27001 requires an internal audit program that the organization manages itself. This includes:

  • An audit program covering the full ISMS scope over each certification cycle
  • Auditor independence (auditors cannot audit their own work)
  • Documented audit plans, findings, and corrective actions
  • Follow-up verification of corrective action effectiveness

For detailed guidance on building this capability, see our ISO 27001 internal audit best practices guide.

6. Document Control

ISO 27001 requires formal document control processes that many SOC 2 organizations handle informally:

  • Version control and change history for all ISMS documents
  • Review and approval processes with defined authorities
  • Distribution and access controls for documented information
  • Retention and disposal procedures

The Extension Roadmap

Phase 1: Gap Analysis (Weeks 1-4)

Map your existing SOC 2 controls to ISO 27001 Annex A and identify gaps. The deliverable is a gap assessment that categorizes each Annex A control as:

  • Fully addressed by existing SOC 2 controls (typically 60-70% of controls)
  • Partially addressed, with minor enhancements needed (typically 15-20%)
  • Not addressed, requiring new implementation (typically 10-20%)

Also assess gaps in the management system requirements (Clauses 4-10), which is where the bulk of new work typically resides.

Phase 2: ISMS Foundation (Weeks 5-10)

Build the management system elements that SOC 2 does not require:

  1. Define ISMS scope and context. Document the boundaries of your ISMS, internal and external issues, and interested party requirements.
  2. Formalize risk assessment methodology. Create a documented methodology, conduct the risk assessment, and build the risk register. If you have an existing risk assessment from SOC 2, enhance it to meet ISO 27001 requirements.
  3. Create the Statement of Applicability. Map every Annex A control to your existing controls, document applicability decisions, and identify implementation gaps.
  4. Establish document control. Implement version control, review cycles, and approval processes for all ISMS documentation.
  5. Build the internal audit program. Define the audit program, train or hire auditors, and create audit procedures.
  6. Design the management review process. Define the agenda template, input requirements, and output documentation for management reviews.

Phase 3: Gap Remediation (Weeks 8-16)

Address the control gaps identified in Phase 1. Common gaps for SOC 2 organizations include:

  • Asset management (A.5.9-A.5.14). SOC 2 addresses asset inventory implicitly, but ISO 27001 requires formal asset identification, ownership, acceptable use policies, and return-of-assets procedures.
  • Physical security (A.7.1-A.7.14). If your SOC 2 scope did not include physical security in depth (common for cloud-native companies), you may need to formalize controls around secure areas, equipment security, and clear desk/clear screen policies.
  • Supplier management (A.5.19-A.5.23). ISO 27001 requires a more structured approach to supplier information security, including supplier agreements, supply chain management, and monitoring of supplier services.
  • Cryptographic controls (A.8.24). While SOC 2 addresses encryption, ISO 27001 may require a formal cryptographic policy defining approved algorithms, key management procedures, and key lifecycle management.
  • Compliance (A.5.31-A.5.36). ISO 27001 requires documented identification of legal, regulatory, and contractual requirements, along with privacy and intellectual property protection controls.

Phase 4: Pre-Certification Activities (Weeks 14-20)

  1. Conduct the internal audit. Perform a full internal audit covering the entire ISMS scope. This is a mandatory prerequisite for certification.
  2. Hold the management review. Conduct at least one management review with documented inputs and outputs.
  3. Address findings. Resolve any nonconformities identified during the internal audit before the certification audit.
  4. Select a certification body. Choose an accredited certification body. Ensure they are accredited by a recognized accreditation body (such as UKAS, ANAB, or equivalent).
  5. Prepare evidence. Organize your evidence repository to align with the Annex A structure and management system clauses.

Phase 5: Certification Audit (Weeks 20-24)

The ISO 27001 certification audit occurs in two stages:

Stage 1 (documentation review). The auditor reviews your ISMS documentation, Statement of Applicability, risk assessment, and management system processes. This is typically 1-2 days and may be conducted remotely. The auditor identifies any areas of concern before Stage 2.

Stage 2 (implementation audit). The auditor verifies that your ISMS is implemented and operating effectively. This involves interviews, evidence review, and observation across all ISMS areas. Duration depends on organization size but typically ranges from 3 to 8 days.

Cost and Effort Comparison

Organizations extending from SOC 2 to ISO 27001 see significantly reduced costs compared to starting from scratch:

Cost Category | Starting from Scratch | Extending from SOC 2 | Savings
--- | --- | --- | ---
Implementation consulting | Higher | Significantly lower | 50-60%
Internal effort (FTE months) | 4-8 months | 2-4 months | 50%
GRC platform (if not already in use) | Varies | Already in use (no additional cost) | 100%
Certification audit fees | Varies | Same cost | 0%
Ongoing maintenance (annual) | Higher | Significantly lower | 35-50%
Total first-year cost | Higher | Significantly lower | 45-55%

The certification audit fees do not change regardless of whether you are extending from SOC 2, but every other cost category is significantly reduced because you are building on an existing foundation.

For a detailed breakdown of ISO 27001 certification costs, see our ISO 27001 certification cost guide.

Strategic Value of Dual Compliance

Market Expansion

SOC 2 is the dominant framework in North American enterprise sales. ISO 27001 is the dominant framework everywhere else. Holding both certifications eliminates geographic limitations on your sales pipeline and reduces friction in international procurement processes.

Questionnaire Reduction

Organizations with both SOC 2 and ISO 27001 report significant reductions in time spent on vendor security assessments. Many enterprise questionnaires accept either certification as evidence, and having both means you can satisfy virtually any procurement team's preferred framework.

Regulatory Alignment

ISO 27001 maps closely to GDPR requirements, making it particularly valuable for companies expanding into European markets. The combination of SOC 2 (for US customers) and ISO 27001 (for international customers and regulatory alignment) creates a comprehensive trust posture.

Competitive Advantage

While SOC 2 is increasingly common among B2B SaaS companies, dual SOC 2 and ISO 27001 certification remains a differentiator. It signals a level of security maturity and investment that sets you apart in competitive evaluations.

Stronger Security Posture

The management system requirements of ISO 27001 -- risk assessment, internal audit, management review, continuous improvement -- create governance structures that genuinely improve security over time. In our experience, organizations that add ISO 27001 to their SOC 2 program consistently report that the ISMS framework made their overall security program more effective, not just more certified.

Common Pitfalls When Extending

Underestimating the management system effort. The technical control overlap is high, but the management system is new territory. Budget adequate time and resources for Clauses 4-10.

Treating ISO 27001 as a documentation exercise. While documentation is a significant component, certification body auditors will test implementation. Ensure your processes are genuinely operating, not just documented.

Selecting the wrong certification body. Not all certification bodies are equally rigorous or equally recognized. Choose one with a strong reputation and recognition in your target markets.

Rushing the risk assessment. A superficial risk assessment will create problems throughout the certification process. The SoA, the control selection, and the audit plan all derive from the risk assessment. Invest the time to do it properly.

Neglecting to maintain SOC 2 while pursuing ISO 27001. Running dual compliance programs requires coordination. Ensure your SOC 2 audit cycle continues uninterrupted while you pursue ISO 27001 certification. Use shared controls and evidence wherever possible to minimize duplicated effort.

For broader guidance on managing multiple frameworks simultaneously, see our multi-framework compliance strategy guide.

Conclusion

Extending SOC 2 to ISO 27001 is one of the highest-value compliance investments a B2B software company can make. The 60 to 80 percent control overlap means the incremental cost is modest relative to the strategic value. The key is understanding that the gap is not primarily about implementing new technical controls -- it is about building the management system discipline that ISO 27001 demands. Organizations that approach the extension with this understanding consistently achieve certification within the expected timeline and budget, and they come out the other side with a genuinely stronger security program.
