SOC 2 to ISO 27001: What Carries Over and What Doesn't
How to align your compliance strategy across SOC 2 and ISO 27001.

You’ve put in the work and achieved SOC 2. Now a customer has asked about ISO 27001. Does that mean starting from scratch, or can some of your SOC 2 work carry over on the way to ISO 27001?
The good news is that SOC 2 and ISO 27001 share similar overall goals and have many overlapping controls. The main difference is that ISO 27001 is more prescriptive about the management system around those controls: it requires specific documented processes, policies, and records. So if you’re implementing ISO 27001 alongside your SOC 2, expect to spend as much time on documentation and governance as on the controls themselves.
In this guide, I’ll walk you through the commonalities and variances between SOC 2 and ISO 27001, covering what maps over between the frameworks and where the differences lie.
Can I Reuse My SOC 2 Work?
The technical controls and most of the evidence behind them transfer between the two frameworks fairly cleanly. SOC 2 is built around the Trust Services Criteria, whereas ISO 27001 is built around the mandatory clauses (4 to 10) of the standard plus the Annex A controls. Both, however, focus on similar core areas like security, availability, and risk management.
The overlap between the controls is significant. But there’s no one-size-fits-all answer on exactly how many controls carry over, because the criteria each company is audited against for SOC 2 depend on which Trust Services categories it put in scope (Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional).
Where the two frameworks differ significantly is the management system ISO 27001 wraps around those controls.
A SOC 2 report is an attestation of how your controls are designed (Type I) and how they operate over a period of time (Type II). ISO 27001 focuses on the system behind those controls, covering how they’re chosen, maintained, reviewed, and improved through an ISMS (Information Security Management System).
An ISO 27001 certificate verifies that the ISMS is in place and operating as the standard requires.
When I think about the transition from SOC 2 Type II to ISO 27001, I generally break it down into three buckets:
- Carries over as-is: Some of the technical controls for SOC 2 translate directly into ISO 27001 without any additional work.
- Needs an ISMS wrapper: Many of your existing policies, procedures, and decisions are reusable but need to be formalised and brought under ISMS control.
- Net-new: Management-system artifacts ISO 27001 mandates that have no SOC 2 equivalent.
What Carries Over From SOC 2 As-Is
If you've operated SOC 2 Type II for a year, you've already produced a lot of what an ISO 27001 auditor wants to see at the control layer.
The 2022 revision of ISO 27001 organizes its 93 Annex A controls into four themes: organizational, people, physical, and technological. A mature SOC 2 program can cover a large portion of them.
But the SOC 2 to ISO 27001 mapping isn’t always 1:1. ISO 27001 goes deeper on policy, risk management, and governance through the ISMS.
Evidence generally transfers across cleanly. Auditors don't focus on which framework a piece of evidence (a pen test report, an access review, a change ticket) was originally collected for; they care that it's relevant, current, covers the systems inside the ISMS scope, and is tied to the required controls.
So while SOC 2 gets you a good portion of the way there with controls and evidence, there’s work to be done on the system that governs it (more on that next).
What Carries Over But Needs an ISMS Wrapper
The policies you put in place for SOC 2 will mostly translate over to ISO 27001, but they usually need to be formalised, linked to risk, and brought under ISMS control. It’s not a case of throwing out your SOC 2 policies and starting over. It’s more a matter of taking what you already have (covering topics like access control, change management, incident response, and vendor management) and plugging it into the ISMS.
For each operational policy you already have, you typically need to:
- Reference how it fits within the ISMS scope.
- Link it to the relevant risks in the risk register.
- Implement a review cadence tied to the ISMS calendar.
- Implement document control (version tracking, approval, traceability).
- Assign clear ownership.
There are also some areas where ISO 27001 requires you to go deeper, including asset inventory and information classification. Assets need to be identified, owned, and classified, and that classification needs to drive how data is handled across the business. Most mature SOC 2 companies have made these decisions already; they just may not be written down in an ISMS-friendly way.
When it comes to writing policies, they don’t need to be long. What matters is that they’re appropriate to your risks, formally managed, and actually followed in practice.
What's Generally Net-New for ISO 27001
There are a handful of artifacts in ISO 27001 that tend to be net-new or significantly more formalised compared to SOC 2. This is where most of the project work sits when you make the transition.
The artifacts that tend to be net-new include:
- Defined ISMS scope: A scoping document that says exactly what's in and what's out (locations, systems, teams, and interfaces to anything out of scope).
- Risk assessment methodology: How you identify, score, and accept risks, written down before you run the assessment, plus the risk treatment plan that comes out of it.
- Statement of Applicability (SoA): For each of the 93 Annex A controls, whether it's in or out, why, and whether it's implemented.
- Internal audit program: An independent dress rehearsal before the certification body shows up, covering the ISMS clauses as well as the controls.
- Management review: A formal meeting where leadership reviews the ISMS performance, audit results, risks, and improvement actions. The standard says "at planned intervals"; in practice that means at least once a year.
- Top-level Information Security Policy: A short policy approved by your CEO, CTO, or vCISO that sets direction and commits to continual improvement of the ISMS.
ISO 27001 Timeline and Costs (Starting with SOC 2 in Place)
If you already have SOC 2 and are looking at adding ISO 27001, the workload is incremental. It's not like starting your SOC 2 from scratch again.
For a company with mature SOC 2 controls and evidence, you can typically achieve ISO 27001 in ~3-6 months. The timeline will depend on the scope, internal resources, and the certification body's availability. You may be able to aim at the quicker end of that range if your team has experience with ISO 27001 or you're working with an external partner who can lead the process.
Larger companies or more complex implementations may take longer, sometimes up to 9-12 months.
Breaking Down the Costs
To achieve ISO 27001, you’ll need to consider the following costs:
- Audit: An ISO 27001 certification audit (Stage 1 document review plus Stage 2 implementation audit) can cost anywhere from ~$7k–$15k+ at the smaller end of the scale. Larger organizations could run $30k+. Budget for annual surveillance audits afterward, since the certificate runs on a three-year cycle.
- Implementation support: You'll likely need to add ~$1k–$5k for tooling. If you work with an external consulting firm to help with implementation and audit prep, fees could run $15k–$40k+ depending on scope and organization size.
- Internal time: An internal project lead may need to spend ~20–30% of their time leading the project (potentially less if you work with an external consulting firm). Plus, meaningful involvement from leadership will be needed (especially for management review), and cross-functional input for risk, policy, and audit activities.
Cost overruns on these projects rarely come from audit fees or tools. It’s generally from the work that goes into documentation, implementing controls, and internal project management.
A few ways you can streamline costs across your transition from SOC 2 to SOC 2 + ISO 27001 include:
- Working with an audit firm that has experience across both SOC 2 and ISO 27001 (note that a SOC 2 report has to be issued by a CPA firm and an ISO 27001 certificate by an accredited certification body, so check the firm covers both).
- If possible, you can try to time your ISO 27001 audit to overlap with or immediately follow your SOC 2 Type II observation window.
- Run an internal audit as early as possible so you can surface gaps before submitting your documentation and evidence to an auditor.
- Use the same tooling (e.g. Vanta) across both frameworks.
The Path From SOC 2 to ISO 27001
There’s real overlap between SOC 2 and ISO 27001. If you already have SOC 2 and have plans to expand your sales beyond North America (where SOC 2 is seen as the gold standard), ISO 27001 is likely to be a worthwhile investment.
If you have SOC 2 Type II, the technical controls and the evidence behind them are largely done. What you're building for ISO 27001 is the management system around them.
Our AI-powered GRC practice runs SOC 2 and ISO 27001 programs. If you want to map your existing SOC 2 work against ISO 27001 and see where the real gaps are, talk to our team.

