ISO 27001 and SOC 2: Theory

Is there overlap?

There is a LOT of overlap between what you’d typically see in a SOC 2 control framework and what ISO 27001 mandates in its clauses and recommends in Annex A. The overlap exists in the information security controls and control activities; however, the two standards are fundamentally different in structure.


Control Framework vs Management System

SOC 2 is a control framework, whereas ISO 27001 is an Information Security Management System (ISMS). In practice, that means a SOC 2 report covers somewhere between 80 and 160 controls that map across the Trust Services Criteria. For the most part, you can get away with implementing them one at a time as completely separate activities.


For ISO 27001, you are not just implementing controls; you are designing, implementing and maintaining a management system, with activities and functions that must all work together as a well-oiled machine. (For further information, see “Understanding the ISO 27001 Cycle”.)


For example:

ID: ETC02

Control: The defined company objectives include a mix of strategic, financial and operational level objectives to guide functional areas and teams on how they support the company objectives and identify risks that threaten achievement of the objectives.

SOC 2 Mapping: CC2.2, CC3.1

ISO 27001 Mapping: Clause 6.2


If this control were to fail for SOC 2, you would have an exception listed against CC2.2 and CC3.1, but it is unlikely to affect the opinion of the report beyond that exception being listed. If this control were to fail for ISO 27001, because it is part of a well-oiled machine, it can impact an organisation’s compliance against the standard in relation to its risk function, its management reviews and so on, potentially leading to a major non-conformity.


The key takeaway

SOC 2 is a control framework made up of mostly independent controls. ISO 27001 is a management system with interrelated functions: if one area fails, the rest can too!