ISO 27001 and SOC 2 answer the same buyer question (can we trust you with our data?) in two different languages. ISO 27001 is an international standard you certify against, with a certificate issued by an accredited body. SOC 2 is a report a licensed CPA firm writes against the AICPA Trust Services Criteria. Which one you need depends on who is asking.
What is the difference between ISO 27001 and SOC 2?
One is a certification, the other is a report. ISO 27001 is an international standard. An accredited certification body audits your information security management system (ISMS) and, if it holds up, issues a certificate on a three-year cycle. SOC 2 is not a standard you pass. A licensed CPA firm examines your controls against the AICPA Trust Services Criteria and writes an opinion on them. No certificate changes hands, and there is no pass mark. SSAE 18 is the attestation standard the auditor works under; SOC 2 is the report they produce.
The other split is geography. ISO 27001 is global, published by ISO and IEC. SOC 2 is American, run by the AICPA. One certifies a system you built. The other reports on how it actually ran.
Which one does your organisation need?
The buyer decides, not you. Look at who is asking. United States customers, especially SaaS buyers and their procurement teams, ask for SOC 2 by default. European, Asian and Australian tender processes ask for ISO 27001. If you sell into both markets, you will eventually be asked for both. For the standard itself, start with what ISO 27001:2022 is and the complete guide to ISO 27001.
Australian government work is a separate track again. Selling cloud or SaaS to government means an IRAP assessment against the Information Security Manual, not either of these. Pick the framework your pipeline is already asking for. Building the one no customer has requested is effort spent in the wrong place. The certificate that wins a deal is the one the buyer named in the questionnaire.
Where do ISO 27001 and SOC 2 overlap?
Heavily on the controls, not at all on the structure. Both expect access control, change management, risk assessment, vendor management, monitoring, incident response and backups. The AICPA publishes an official mapping of the Trust Services Criteria to ISO 27001, and the control overlap is substantial.
What does not overlap is the wrapper. ISO 27001 sits inside a management system: clauses 4 to 10 require context, leadership, a risk treatment plan, a Statement of Applicability, internal audit and management review, on top of the 93 Annex A controls. SOC 2 has no equivalent management system requirement. It tests the controls you commit to, against the categories you choose. Security, the common criteria, is mandatory in every SOC 2; Availability, Processing Integrity, Confidentiality and Privacy are added only where you make commitments in those areas. Same controls, different paperwork around them.
Can you reuse the work across both?
Yes, mostly in one direction. If you already run a certified ISMS, most of your control evidence carries straight into a SOC 2 examination, because the management system has forced you to document, operate and audit those controls already. The reverse is weaker. A SOC 2 report shows controls working but does not, on its own, give you the clause 4 to 10 management system ISO 27001 requires, so a SOC 2-first organisation still has real ISMS work ahead of it. Build the management system once. Report against it twice.
How long does each take, and what drives the cost?
ISO 27001 certification typically runs 6 to 12 months from a standing start, because the ISMS has to operate before the Stage 2 audit can test it; see how long ISO 27001 certification takes. SOC 2 splits into two report types. A Type I report covers control design at a point in time and can be reached faster. A Type II report observes the controls operating over a window, commonly 3 to 12 months, so the calendar, not the effort, sets the floor.
On cost, neither framework has a published list price and both scale with the size of what is in scope. ISO 27001 cost is driven by scope, the people in the ISMS, and the accredited body’s audit fees across the three year cycle; this is covered in what drives the cost. SOC 2 cost is the CPA firm’s examination fee plus the readiness work to get controls evidenced. Cybernion provides ISO 27001 readiness and SOC 2 readiness for Australian organisations.
| Dimension | ISO 27001 | SOC 2 |
|---|---|---|
| What it is | International standard (ISO/IEC 27001:2022) | AICPA attestation report against the Trust Services Criteria |
| The deliverable | Certificate from an accredited body | Auditor’s report and opinion from a licensed CPA firm |
| Governing body | ISO and IEC | AICPA (United States) |
| Scope basis | Fixed standard: clauses 4 to 10 plus 93 Annex A controls | Trust Services Criteria; Security mandatory, four categories optional |
| Time basis | Three-year cycle with annual surveillance audits | Type I point in time; Type II over a period (commonly 3 to 12 months) |
| Who tends to ask | European, Asian and Australian tenders | United States customers and SaaS buyers |
| Typical timeline | 6 to 12 months to certification | Type I faster; Type II set by the observation window |
| Renewal | Recertification every three years | Typically annual |
Frequently asked questions
No. SOC 2 is an attestation report written by a licensed CPA firm against the AICPA Trust Services Criteria. There is no certificate and no pass mark, unlike ISO 27001, which an accredited body certifies.
Only if your customers ask for both. United States buyers tend to ask for SOC 2; European, Asian and Australian tenders tend to ask for ISO 27001. If you sell into both markets you will likely need both eventually.
They are different shapes of effort. ISO 27001 adds a full management system, clauses 4 to 10, on top of the controls. SOC 2 focuses on the controls themselves against the categories you commit to. An ISMS usually carries more documentation overhead.
No. They overlap heavily on controls and evidence can be reused, but a SOC 2 report does not provide the ISO management system, and an ISO certificate is not a SOC 2 report. Buyers ask for the specific one they want.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- ISO/IEC 27001:2022, Information security management systems, 2022
- ISO/IEC 27002:2022, Information security controls, 2022
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), TSP section 100, 2022
- AICPA, SOC 2 reporting guidance (SSAE No. 18), accessed June 2026
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO 27001, accessed June 2026
Last updated: 21 June, 2026
