Map AICPA SOC 2 Trust Services Criteria to ISO/IEC 27001:2022 Annex A controls to enable organizations pursuing both attestations to create unified control documentation and audit packages.
AICPA Trust Services Criteria (CC1-CC9) mapped to ISO 27001:2022 Annex A. Applicable to technology companies and cloud service providers who require both SOC 2 Type II attestation and ISO 27001 certification.
SOC 2 and ISO 27001 address substantially the same security control domains — both cover access control, change management, risk assessment, incident response, monitoring, and vendor management. The documentation formats differ significantly: SOC 2 requires point-in-time evidence for the attestation period; ISO 27001 requires evidence of a functioning ISMS with documented continual improvement.
| SOC 2 | | ISO 27001 |
|---|---|---|
| SOC 2 CC6 (Logical & Physical Access) | ↔ | ISO 27001 A.5.15-A.5.18, A.7 |
| SOC 2 CC7 (System Operations) | ↔ | ISO 27001 A.8.16, A.8.17 |
| SOC 2 CC8 (Change Management) | ↔ | ISO 27001 A.8.32 |
| SOC 2 CC9 (Risk Mitigation) | ↔ | ISO 27001 Clauses 6.1, A.5.19-A.5.23 |
Selected high-overlap control mappings. Full crosswalk documentation available on request.
| SOC 2 Control | | ISO 27001 Control |
|---|---|---|
| CC1.1 COSO Principle 1 — Ethics | → | ISO 27001 A.5.1, A.6.2 |
| CC6.1 Logical Access Controls | → | ISO 27001 A.5.15, A.5.16, A.8.2 |
| CC6.2 New Access Registration | → | ISO 27001 A.5.16, A.5.18 |
| CC6.3 Role-Based Access | → | ISO 27001 A.5.15, A.8.2 |
| CC7.1 Vulnerability Detection | → | ISO 27001 A.8.8 |
| CC7.2 Anomaly Detection | → | ISO 27001 A.8.16 |
| CC8.1 Change Management | → | ISO 27001 A.8.32 |
| CC9.2 Third-Party Risk | → | ISO 27001 A.5.19-A.5.23 |