ISO 27001 vs SOC 2

| | ISO 27001 | SOC 2 |
|---|---|---|
| Body | International (ISO/IEC) | American (AICPA) |
| Audience | EU, APAC, increasingly North America | North America, US-centric |
| Structure | ISMS (process) + Annex A (93 controls) | Trust Service Criteria (5 categories, ~60 controls) |
| Certification | Multi-year (3-year cert with annual surveillance audits) | Annual (Type II is a 6-12 month observation window per audit) |
| Customer demand | Required by EU enterprise, APAC government | Required by North American enterprise SaaS buyers |
| Overlap with SOC 2 | ~70% — most controls map directly | Reverse: SOC 2 covers most ISO domains |

The 4 themes (Annex A 2022)

Theme A.5 — Organizational controls (37 controls)

Policy framework, roles, supplier management, incident management. Codex auto-evidences:

- A.5.7 Threat intelligence — feed from CrowdStrike/SentinelOne/Wiz
- A.5.10 Acceptable use — link to your published AUP + training completion
- A.5.16 Identity management — IdP user provisioning logs
- A.5.18 Access rights — per-app role assignments from IdP
- A.5.23 Cloud services info security — AWS/GCP/Azure security baseline configs
- A.5.24-27 Incident management — ticketing system events with timestamps and resolutions

Theme A.6 — People controls (8 controls)

HR security: screening, terms of employment, training, disciplinary process. Codex auto-evidences:

- A.6.1 Screening — background check completion from BambooHR/Rippling/Gusto HRIS connector
- A.6.3 Information security awareness — LMS training completion records
- A.6.5 Responsibilities after termination — HRIS termination → IdP deactivation diff (proves access removal SLA)
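
The A.6.5 check above is a join between two exports: who HR says has left, and whether their IdP account is still active, with the gap between the two timestamps measured against an access-removal SLA. The script below is an added illustration of that diff, not Codex's own code. The HRIS and IdP records are constructed sample data, the field names are assumed (real connectors will differ), and the 24-hour SLA is an assumption since the page does not state a window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample HRIS termination export (hypothetical connector field names).
HRIS_TERMINATIONS = [
    {"email": "alice@example.com", "terminated_at": "2024-03-01T17:00:00Z"},
    {"email": "Bob@example.com",   "terminated_at": "2024-03-04T09:30:00Z"},
    {"email": "carol@example.com", "terminated_at": "2024-03-05T12:00:00Z"},
    {"email": "dave@example.com",  "terminated_at": "2024-03-06T15:00:00Z"},
]

# Constructed sample IdP user export: current status and when it last changed.
IDP_USERS = [
    {"email": "alice@example.com", "status": "DEPROVISIONED", "status_changed_at": "2024-03-01T18:10:00Z"},
    {"email": "bob@example.com",   "status": "DEPROVISIONED", "status_changed_at": "2024-03-06T08:00:00Z"},
    {"email": "carol@example.com", "status": "ACTIVE",        "status_changed_at": "2023-11-20T10:00:00Z"},
]

# Assumed access-removal SLA; the page names no specific window.
ACCESS_REMOVAL_SLA = timedelta(hours=24)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def termination_access_diff(hris, idp, sla=ACCESS_REMOVAL_SLA, now=None):
    """Join HRIS terminations to IdP accounts and measure removal lag per person.

    One evidence row per termination:
      finding    - "deactivated", "pending_removal", "still_active" or "no_idp_account"
      lag_hours  - hours from termination to deactivation (or to `now` if still active)
      within_sla - True/False, or None when there was no IdP account to remove
    """
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    # Normalise case so "Bob@example.com" in HRIS matches "bob@example.com" in the IdP.
    idp_by_email = {u["email"].lower(): u for u in idp}
    rows = []
    for t in hris:
        email = t["email"].lower()
        terminated = parse_ts(t["terminated_at"])
        account = idp_by_email.get(email)
        if account is None:
            # Nothing to remove in the IdP; still worth recording so the auditor sees it was checked.
            rows.append({"email": email, "finding": "no_idp_account", "lag_hours": None, "within_sla": None})
            continue
        if account["status"] == "ACTIVE":
            lag = now - terminated
            finding = "still_active" if lag > sla else "pending_removal"
        else:
            # Deactivations scheduled ahead of the termination date count as zero lag.
            lag = max(parse_ts(account["status_changed_at"]) - terminated, timedelta(0))
            finding = "deactivated"
        rows.append({
            "email": email,
            "finding": finding,
            "lag_hours": round(lag.total_seconds() / 3600, 2),
            "within_sla": lag <= sla,
        })
    return rows


def sla_summary(rows):
    """Counts that go on the evidence snapshot: how many were measured, who breached."""
    measured = [r for r in rows if r["within_sla"] is not None]
    breaches = [r["email"] for r in measured if not r["within_sla"]]
    return {"measured": len(measured), "breaches": breaches}


if __name__ == "__main__":
    report = termination_access_diff(HRIS_TERMINATIONS, IDP_USERS, now=parse_ts("2024-03-10T00:00:00Z"))
    for row in report:
        print(row)
    print(sla_summary(report))
```

Passing an explicit `now` makes the run reproducible, which matters for evidence: the same exports should produce the same snapshot whenever the auditor re-runs it.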

Theme A.7 — Physical controls (14 controls)

Facility security, equipment, removable media. Mostly relevant if you have offices/datacenters; SaaS-only companies often scope these out. Codex auto-evidences:

- A.7.1-2 Physical security perimeter + entry — badge system logs (where integrated)
- A.7.7 Clear desk/clear screen — MDM screen lock policy + idle timeout enforcement

Theme A.8 — Technological controls (34 controls)

The biggest auto-evidence opportunity. Network, endpoint, cryptography, application security, logging. Codex auto-evidences (heavy auto-fill area):

| Control | Evidence |
|---|---|
| A.8.1 User endpoint devices | MDM device inventory with compliance state |
| A.8.2 Privileged access rights | Admin role assignments across IdP, cloud, code, SaaS |
| A.8.3 Information access restriction | Per-app access control configs + DLP rules |
| A.8.5 Secure authentication | IdP MFA enforcement, password policy, SSO coverage |
| A.8.6 Capacity management | Cloud-monitor metrics (CPU, memory, disk, request volume) |
| A.8.7 Protection against malware | EDR coverage from CrowdStrike/SentinelOne |
| A.8.8 Vulnerability management | Snyk/Wiz/Dependabot findings + remediation timelines |
| A.8.9 Configuration management | Cloud config drift from baseline (AWS Config, GCP Asset Inventory) |
| A.8.10 Information deletion | Backup retention configs + deletion logs |
| A.8.11 Data masking | DLP rules from Workspace/M365 |
| A.8.12 Data leakage prevention | DLP rule violations + remediation |
| A.8.13 Backup | Backup snapshot history + restore test logs |
| A.8.15 Logging | SIEM event collection coverage |
| A.8.16 Monitoring activities | Alert rules + on-call ticket history |
| A.8.20-23 Network controls | Cloud VPC config, security groups, WAF rules |
| A.8.24 Cryptographic controls | TLS coverage report + at-rest encryption status |
| A.8.25-29 Secure development lifecycle | GitHub branch protection, PR review, security scanning, secret-detection |
| A.8.30 Outsourced development | Same as A.8.29 if you use contract devs in your codebase |
| A.8.31 Separation of dev/test/prod | Cloud account/project separation |

Statement of Applicability (SoA)

ISO 27001 requires you to publish a Statement of Applicability documenting which Annex A controls apply, why, and how they’re implemented. Codex generates a draft SoA from your evidence:

- Controls auto-evidenced → marked “applicable + implemented” with evidence source
- Controls assigned to humans → marked “applicable + implemented” with link to evidence repo
- Controls you’ve explicitly excluded → marked “not applicable” with required justification
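
The three buckets above are a small classification over the control list, and the one rule worth enforcing in code is the last: an exclusion without a justification must not silently become "not applicable". The script below is an added illustration of that draft-SoA logic, not Codex's own generator. The control subset, connector names, evidence link and exclusion text are all constructed; the fourth "in scope but nothing assigned yet" bucket is an assumption added here so that gaps surface instead of being dropped from the draft.

```python
import re

# Constructed subset of Annex A control ids and titles (titles as they appear on this page).
CONTROLS = {
    "A.5.7": "Threat intelligence",
    "A.5.10": "Acceptable use",
    "A.6.1": "Screening",
    "A.7.1": "Physical security perimeter",
    "A.8.5": "Secure authentication",
    "A.8.13": "Backup",
}

# Hypothetical connector evidence: control id -> evidence source identifier.
AUTO_EVIDENCE = {
    "A.5.7": "edr-connector:threat-intel-feed",
    "A.8.5": "idp-connector:mfa-enforcement-policy",
}

# Controls owned by a person, with a placeholder link into the evidence repo.
HUMAN_OWNED = {
    "A.5.10": "https://evidence.example.internal/A.5.10/aup-and-training",
}

# Explicit scope exclusions; every entry needs a justification (constructed text).
EXCLUSIONS = {
    "A.7.1": "No owned or leased facilities; all workloads run in cloud provider regions.",
}


def control_sort_key(cid):
    """'A.5.10' -> (5, 10), so A.5.10 sorts after A.5.7 instead of before it as a string."""
    return tuple(int(n) for n in re.findall(r"\d+", cid))


def draft_soa(controls, auto_evidence, human_owned, exclusions):
    """Classify each control into a draft SoA row; return (rows, problems to fix before publishing)."""
    rows, problems = [], []
    for cid in sorted(controls, key=control_sort_key):
        row = {"control": cid, "title": controls[cid]}
        if cid in exclusions:
            justification = exclusions[cid].strip()
            if not justification:
                problems.append(f"{cid}: marked not applicable without a justification")
            row.update(applicable=False, implemented=False, source=None, justification=justification)
        elif cid in auto_evidence:
            row.update(applicable=True, implemented=True, source=auto_evidence[cid], justification=None)
        elif cid in human_owned:
            row.update(applicable=True, implemented=True, source=human_owned[cid], justification=None)
        else:
            # Assumed fourth bucket: in scope, but no evidence source or owner assigned yet.
            problems.append(f"{cid}: applicable but no evidence source or owner assigned")
            row.update(applicable=True, implemented=False, source=None, justification=None)
        rows.append(row)
    return rows, problems


def render_soa_markdown(rows):
    """Render the draft as the same kind of pipe table this page uses."""
    lines = ["| Control | Title | Applicable | Implemented | Evidence / justification |",
             "|---|---|---|---|---|"]
    for r in rows:
        detail = r["source"] or r["justification"] or ""
        lines.append(f"| {r['control']} | {r['title']} | {'yes' if r['applicable'] else 'no'} | "
                     f"{'yes' if r['implemented'] else 'no'} | {detail} |")
    return "\n".join(lines)


if __name__ == "__main__":
    soa_rows, soa_problems = draft_soa(CONTROLS, AUTO_EVIDENCE, HUMAN_OWNED, EXCLUSIONS)
    print(render_soa_markdown(soa_rows))
    for problem in soa_problems:
        print("TODO:", problem)
```

Treat a non-empty `problems` list as a blocker for the published SoA: the draft is still useful for review, but an auditor will reject an unjustified exclusion outright.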

Setup order

Same as SOC 2 — start with IdP, then MDM, then code host, then ticketing, then cloud. You’ll cover ~75% of A.5 + A.6 + A.8 in the first month.

When you’re ready for the auditor

Reports → ISO 27001 evidence package outputs:

- Statement of Applicability (current state)
- Per-control evidence snapshots
- Risk treatment plan + risk register (you import these from your existing risk-mgmt process)
- Internal audit findings + management review minutes