SideGuy · Compliance clarity · reviewed 2026-06-09

SOC 2 → ISO 27001 crosswalk: how the controls map (and where they don't)

Have one, want the other? The good news: SOC 2 and ISO 27001 overlap roughly 80% at the control level, so a mature program feeds both. This is the practical crosswalk — which TSC maps to which Annex A theme, and the pieces that don't carry over.

The operator's bottom line: Having done both, the honest answer is they overlap roughly 80% at the control level, so one evidence program feeds both audits. Going SOC 2 → ISO 27001, the only real net-new work is two gaps: the ISMS (the management system in ISO clauses 4–10 — risk treatment, Statement of Applicability, internal audits, management review) and Processing Integrity, which has no clean 1:1 in Annex A. Going ISO 27001 → SOC 2 is easier, because your ISMS already produces most of the evidence a SOC 2 auditor wants — so if you only chase one first, get ISO and reuse it.

Side-by-side

Dimension | SOC 2 (TSC) | ISO 27001 (Annex A)
--- | --- | ---
Security / Common Criteria (CC) | CC1–CC9 (control environment, comms, risk, monitoring, logical & physical access, change, ops) | Maps broadly across Organizational + Technological themes (access control, ops security, change mgmt)
Availability | A1 series (capacity, backup, recovery) | ICT continuity readiness, backup, redundancy controls (Technological)
Confidentiality | C1 series (identify & protect confidential info) | Information classification, handling, data masking, DLP (Organizational + Technological)
Processing Integrity | PI1 series (complete, valid, accurate processing) | No direct 1:1 — partially covered by ops + change controls; often the biggest gap
Privacy | P1–P8 (notice, choice, collection, retention, disposal) | Partially overlaps; ISO 27701 (privacy extension) is the closer fit for full privacy
The management system | Not required by SOC 2 | ISO requires a full ISMS (clauses 4–10) — the piece SOC 2 doesn't have

The honest verdict.
The ~80% overlap is real, but mind the two gaps going SOC 2 → ISO 27001: (1) the ISMS — ISO requires a documented management system (risk treatment, Statement of Applicability, internal audits, management review) that SOC 2 doesn't, and (2) Processing Integrity has no clean ISO equivalent. Going the other way (ISO → SOC 2) is usually easier because the ISMS already produces most of the evidence SOC 2 wants.

Which one do you actually need?

Pick SOC 2 (TSC) if…

You hold SOC 2 and want ISO 27001 next — use this to reuse your control evidence, then budget specifically for building the ISMS (the main net-new work).

Pick ISO 27001 (Annex A) if…

You hold ISO 27001 and want SOC 2 — you're in good shape; your Annex A controls + ISMS evidence cover most Trust Services Criteria. Add SOC 2-specific scoping and the auditor's evidence format.

Questions operators actually ask

How much do SOC 2 and ISO 27001 actually overlap?

Roughly 80% at the control level. The security criteria and most operational controls map closely, which is why a single evidence program can feed both. The remaining ~20% is the ISMS (ISO-only) and a few criteria like Processing Integrity that lack a clean 1:1.

What does SOC 2 have that ISO 27001 doesn't?

Processing Integrity and a robust Privacy category (P-series) are SOC 2 strengths without a clean Annex A equivalent — for full privacy, ISO points you to its 27701 extension.

What does ISO 27001 require that SOC 2 doesn't?

A formal ISMS — the management system in clauses 4–10: risk assessment and treatment, the Statement of Applicability, internal audits, and management reviews. SOC 2 attests to controls but doesn't require this management layer.

Which direction is easier?

ISO → SOC 2 is usually easier: the ISMS already generates the documented evidence SOC 2 auditors want. SOC 2 → ISO requires building the management system on top of controls you mostly already have.


Written by PJ Zonis · SideGuy Solutions · operator-honest, vendor-neutral · Compliance hub
