SOC 2
Can You Reuse SOC 2 for ISO 27001? Evidence and Gaps
3 July 2026 · Updated 3 July 2026
Short answer: You can reuse most SOC 2 control evidence for ISO 27001, because both frameworks expect the same core controls and the AICPA publishes an official mapping between them. What does not carry across is the management system. ISO 27001 clauses 4 to 10 require governance, risk treatment and internal audit that SOC 2 never tests, so a SOC 2 report alone does not make you certifiable.
Teams that already hold a SOC 2 often ask whether the work stacks toward ISO 27001, or whether they are starting again. The honest answer is somewhere between. The controls overlap heavily, so the evidence travels well, but the two frameworks are built differently. This sets out what reuses cleanly, what does not, and which direction saves the most effort.
How much SOC 2 evidence can you reuse for ISO 27001?
Most of the control evidence, and often more than teams expect. Both frameworks expect access control, change management, risk assessment, vendor management, monitoring, incident response and backups. The American Institute of Certified Public Accountants (AICPA) publishes an official mapping of the 2017 Trust Services Criteria (TSC) to ISO 27001, which confirms the control intent lines up across most of the two.
That means the artefacts a SOC 2 examination already produced, access reviews, change tickets, logging output, incident records, vendor assessments, are the same artefacts an ISO 27001 auditor asks to see. You do not rebuild them, you re-present them against the Annex A controls. The saving is real, and it lives in the evidence layer where most of the grind is.
What does SOC 2 not cover that ISO 27001 needs?
The wrapper around the controls. ISO 27001 runs inside an Information Security Management System (ISMS), and clauses 4 to 10 carry requirements SOC 2 never touches: organisational context, leadership commitment, a documented risk treatment plan, a Statement of Applicability (SoA), internal audit and management review. SOC 2 tests the controls you commit to against the Trust Services categories you choose, and stops there.
So a SOC 2 first organisation carrying strong control evidence still has genuine work to reach certification. The controls are evidenced, but the governance system that ISO 27001 certifies does not exist yet. This is the gap that catches teams who assume a clean SOC 2 report is most of the way to a certificate. It is most of the way on controls, and none of the way on the management system.
Does SOC 2 or ISO 27001 reuse save more effort?
ISO 27001 to SOC 2, comfortably. A certified ISMS forces you to document, operate and audit controls across the whole scope, so that evidence carries straight into a SOC 2 examination with little rework. Build the management system once, report against it twice.
The reverse is weaker. Going from SOC 2 to ISO 27001, the control evidence reuses, but the clause 4 to 10 system has to be stood up from scratch. Neither path is wasted effort, but if you can choose the order and expect to need both, ISO 27001 first is usually the more efficient sequence.
| Dimension | Reusing SOC 2 for ISO 27001 | Reusing ISO 27001 for SOC 2 |
|---|---|---|
| Control evidence | Reuses well; same core controls | Reuses well; ISMS evidence is broad and audited |
| Management system | Missing; clauses 4 to 10 must be built | Already in place; drives the evidence |
| Risk treatment and SoA | Not produced by SOC 2 | Produced by the ISMS |
| Internal audit and review | Not required by SOC 2 | Required and running |
| Net effort saved | Moderate; evidence layer only | High; controls and governance already operating |
| Better starting point | Weaker | Stronger |
How do you plan the SOC 2 to ISO 27001 crossover in practice?
Start from the mapping, not the report. Take the AICPA mapping of the Trust Services Criteria to ISO 27001, line your SOC 2 evidence against the Annex A controls it satisfies, and mark the residue. What is left is the clause 4 to 10 management system and any Annex A control your chosen SOC 2 categories never reached. That residue is your real ISO 27001 project.
For the standard itself, start with the ISO 27001 guide, what ISO 27001:2022 is and the full comparison of ISO 27001 and SOC 2. The ISO 27001 readiness checklist and the ISO 27001 stage 1 vs stage 2 audit guide are useful once you are ready to certify. Cybernion runs ISO 27001 readiness and SOC 2 readiness for Australian organisations, including crossover planning where you already hold one.
Frequently asked questions
Can a SOC 2 report replace ISO 27001 certification?
No. A SOC 2 report shows controls operating, but it does not provide the clause 4 to 10 management system ISO 27001 requires. Buyers ask for the specific one they want, and the certificate is not the report.
How much SOC 2 evidence can I reuse for ISO 27001?
Most of the control evidence carries across, because both frameworks expect access control, change management, monitoring, incident response and vendor management. The American Institute of Certified Public Accountants (AICPA) publishes an official mapping of the Trust Services Criteria (TSC) to ISO 27001, which confirms the overlap is substantial.
What does SOC 2 not cover that ISO 27001 needs?
The management system wrapper. ISO 27001 clauses 4 to 10 require context, leadership, a risk treatment plan, a Statement of Applicability (SoA), internal audit and management review. SOC 2 tests controls against chosen categories and has no equivalent requirement.
Is it easier to go SOC 2 first or ISO 27001 first?
If you already run a certified Information Security Management System (ISMS), a SOC 2 examination is lighter because the management system has forced you to document, operate and audit controls. The reverse is weaker, since SOC 2 alone leaves real ISMS work ahead.
Does SOC 2 or ISO 27001 reuse save more effort?
Yes. Evidence reuse is strongest going from ISO 27001 to SOC 2, because the ISMS produces broad, audited evidence. Going the other way, a SOC 2 first organisation still has to build and run the management system before certification.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, Information security management systems, iso.org, 2022
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), TSP section 100, aicpa-cima.com, 2022
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO 27001, aicpa-cima.com, accessed July 2026
- AICPA, SOC suite of services, aicpa-cima.com, accessed July 2026
Last updated: 3 July, 2026