ISO 27001 vs SOC 2
If you sell internationally, you need both. Codex maintains the mapping so evidence collected for SOC 2 also satisfies the equivalent ISO 27001 control. No duplicate work.
The 4 themes (Annex A 2022)
Theme A.5 — Organizational controls (37 controls)
Policy framework, roles, supplier management, incident management. Codex auto-evidences:- A.5.7 Threat intelligence — feed from CrowdStrike/SentinelOne/Wiz
- A.5.10 Acceptable use — link to your published AUP + training completion
- A.5.16 Identity management — IdP user provisioning logs
- A.5.18 Access rights — per-app role assignments from IdP
- A.5.23 Cloud services info security — AWS/GCP/Azure security baseline configs
- A.5.24-27 Incident management — ticketing system events with timestamps and resolutions
Theme A.6 — People controls (8 controls)
HR security: screening, terms of employment, training, disciplinary process. Codex auto-evidences:- A.6.1 Screening — background check completion from BambooHR/Rippling/Gusto HRIS connector
- A.6.3 Information security awareness — LMS training completion records
- A.6.5 Responsibilities after termination — HRIS termination → IdP deactivation diff (proves access removal SLA)
Theme A.7 — Physical controls (14 controls)
Facility security, equipment, removable media. Mostly relevant if you have offices/datacenters; SaaS-only companies often scope these out. Codex auto-evidences:- A.7.1-2 Physical security perimeter + entry — badge system logs (where integrated)
- A.7.7 Clear desk/clear screen — MDM screen lock policy + idle timeout enforcement
Theme A.8 — Technological controls (34 controls)
The biggest auto-evidence opportunity. Network, endpoint, cryptography, application security, logging. Codex auto-evidences (heavy auto-fill area):Statement of Applicability (SoA)
ISO 27001 requires you to publish a Statement of Applicability documenting which Annex A controls apply, why, and how they’re implemented. Codex generates a draft SoA from your evidence:- Controls auto-evidenced → marked “applicable + implemented” with evidence source
- Controls assigned to humans → marked “applicable + implemented” with link to evidence repo
- Controls you’ve explicitly excluded → marked “not applicable” with required justification
Setup order
Same as SOC 2 — start with IdP, then MDM, then code host, then ticketing, then cloud. You’ll cover ~75% of A.5 + A.6 + A.8 in the first month.When you’re ready for the auditor
Reports → ISO 27001 evidence package outputs:- Statement of Applicability (current state)
- Per-control evidence snapshots
- Risk treatment plan + risk register (you import these from your existing risk-mgmt process)
- Internal audit findings + management review minutes