SOC 2 ↔ ISO 27001
ELDR Institute · Governance Crosswalk

Map AICPA SOC 2 Trust Services Criteria to ISO/IEC 27001:2022 Annex A controls to enable organizations pursuing both attestations to create unified control documentation and audit packages.

Scope & Applicability

AICPA Trust Services Criteria (CC1-CC9) mapped to ISO/IEC 27001:2022 Annex A. Applicable to technology companies and cloud service providers that require both a SOC 2 Type II attestation and ISO 27001 certification.

Crosswalk Overview

SOC 2 and ISO 27001 address substantially the same security control domains — both cover access control, change management, risk assessment, incident response, monitoring, and vendor management. The documentation formats differ significantly: SOC 2 requires point-in-time evidence for the attestation period; ISO 27001 requires evidence of a functioning ISMS with documented continual improvement.

Areas of Overlap

SOC 2                                  | ISO 27001
SOC 2 CC6 (Logical & Physical Access)  | ISO 27001 A.5.15-A.5.18, A.7
SOC 2 CC7 (System Operations)          | ISO 27001 A.8.16, A.8.17
SOC 2 CC8 (Change Management)          | ISO 27001 A.8.32
SOC 2 CC9 (Risk Mitigation)            | ISO 27001 Clauses 6.1, A.5.19-A.5.23
Key Differences

Attestation vs. Certification

SOC 2 produces an attestation report issued by a licensed CPA firm. ISO 27001 produces a certification issued by an accredited certification body. Only ISO 27001 is internationally recognized as a certification.

Time Period

SOC 2 Type II covers a defined period (typically 12 months), and evidence must exist throughout that period. ISO 27001 has no equivalent period constraint.

Scope Definition

SOC 2 scope is defined by the service commitments made to customers. ISO 27001 scope is defined by the ISMS boundary (Clause 4.3). The two scopes may differ materially.

Management Assertion

SOC 2 requires management's written assertion about control effectiveness. ISO 27001 requires management review minutes.

Privacy Criteria

SOC 2 Privacy criteria (the P series) address personal information handling. ISO 27001 addresses privacy through policy but has no equivalent set of privacy criteria.
Evidence Requirements

SOC 2 Evidence

- System Description
- Management Assertion
- Control environment evidence (CC1-CC9)
- Testing evidence throughout the attestation period
- Exception documentation

ISO 27001 Evidence

- ISMS Scope Document
- Statement of Applicability
- Risk Assessment and Treatment Plan
- Management Review Minutes
- Internal Audit Report
- Corrective Action Records
Control Mapping Table

Selected high-overlap control mappings. Full crosswalk documentation available on request.

SOC 2 Control                      | ISO 27001 Control
CC1.1 COSO Principle 1 — Ethics    | ISO 27001 A.5.1, A.6.2
CC6.1 Logical Access Controls      | ISO 27001 A.5.15, A.5.16, A.8.2
CC6.2 New Access Registration      | ISO 27001 A.5.16, A.5.18
CC6.3 Role-Based Access            | ISO 27001 A.5.15, A.8.2
CC7.1 Vulnerability Detection      | ISO 27001 A.8.8
CC7.2 Anomaly Detection            | ISO 27001 A.8.16
CC8.1 Change Management            | ISO 27001 A.8.32
CC9.2 Third-Party Risk             | ISO 27001 A.5.19-A.5.23