
ISO 27001 ↔ SOC 2 Control Mapping

Document ID: XREF-001
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: March 2027


Purpose

This document maps ISO/IEC 27001:2022 Annex A controls to the SOC 2 Trust Services Criteria (TSC). Three ISO 27001 management-system clauses (9.2 Internal audit, 9.3 Management review and 10.2 Corrective action) are listed alongside the Annex A controls because the corresponding SOC 2 criteria are met by the ISMS processes themselves rather than by an Annex A control. The mapping lets auditors and management see which single policy or procedure satisfies a requirement in both frameworks, so that evidence is collected once and reused, reducing duplication and simplifying compliance work.


How to Read This Mapping

  • ISO 27001 Ref — Annex A control reference (rows 9.2, 9.3 and 10.2 are main-body clauses of ISO/IEC 27001:2022, not Annex A controls)
  • ISO 27001 Control — Short title of the control
  • SOC 2 Ref — Trust Services Criteria reference; several criteria may be listed, separated by commas
  • SOC 2 Criteria — Abbreviated descriptor of the criterion; the TSC wording is authoritative
  • Shared Document — The single policy, procedure or register that addresses both
  • Evidence — Where audit evidence can be found
  • The mapping is many-to-many: one ISO control may map to several criteria, and one criterion may appear against several controls

Mapping Table

ISO 27001 Ref | ISO 27001 Control | SOC 2 Ref | SOC 2 Criteria | Shared Document | Evidence Location
5.1 | Policies for information security | CC1.1 | Commitment to integrity | Information Security Policy | Signed policy
5.2 | Roles & responsibilities | CC1.3 | Authority and responsibility | Information Security Policy | RACI in policy
5.3 | Segregation of duties | CC5.1 | Control activities for risk mitigation | Access Control Policy | RBAC configs
5.7 | Threat intelligence | CC3.2 | Risk identification | Risk Register | Azure Defender alerts
5.9 | Asset inventory | CC6.1 | Logical access | Asset Register | Asset register
5.10 | Acceptable use | CC1.4 | Competence commitment | Acceptable Use Policy | Signed acknowledgements
5.12 | Classification | C1.1 | Confidentiality identification | Data Classification Policy | Classification labels
5.15 | Access control | CC6.1 | Logical access controls | Access Control Policy | Access review records
5.16 | Identity management | CC6.1, CC6.2 | Logical access; user registration | Access Control Policy | Azure AD; MFA configs
5.19 | Supplier security | CC9.2 | Vendor risk assessment | Supplier Register | DPAs; cert copies
5.23 | Cloud security | CC6.1, CC6.6 | Logical access; external threats | Access Control Policy | Azure Security Center
5.24 | Incident planning | CC7.3 | Security event evaluation | Incident Response Plan | IRP document
5.25 | Event assessment | CC7.3 | Security event evaluation | Incident Response Plan | Alert configs
5.26 | Incident response | CC7.4 | Incident response | Incident Response Plan | Incident records
5.27 | Learning from incidents | CC7.5 | Incident recovery | Corrective Action Procedure | Review records
5.29 | Business continuity | A1.2 | Environmental protections, backup and recovery | Business Continuity Plan | BCP; test records
5.31 | Legal & regulatory requirements | CC2.2 | Communication obligations | Legal & Regulatory Register | Legal register; DPAs
5.32 | Intellectual property | CC2.2 | Communication obligations | Legal & Regulatory Register | License records
5.33 | Record protection | CC1.4 | Competence commitment | Document Control Procedure | Retention configs
5.34 | Privacy & PII | P1.1 | Privacy notice | Information Security Policy | Privacy policy
5.36 | Compliance | CC4.1 | Monitoring activities | Internal Audit Procedure | Audit reports
6.1 | Background checks | CC1.4 | Competence commitment | HR Security Procedure | Check records
6.3 | Security training | CC1.4 | Competence commitment | HR Security Procedure | Training records
6.4 | Disciplinary process | CC1.5 | Accountability | HR Security Procedure | Employment contracts
6.5 | Post-termination responsibilities | CC6.3 | Access removal | HR Security Procedure | Offboarding records
6.8 | Event reporting | CC7.3 | Security event evaluation | Incident Response Plan | Reporting channel
7.8 | Equipment protection | CC6.4 | Physical access | Acceptable Use Policy | Encryption verification
7.9 | Off-premises assets | CC6.4 | Physical access | Acceptable Use Policy | Encryption verification
8.2 | Privileged access rights | CC6.1 | Logical access controls | Access Control Policy | RBAC role assignments (PIM planned Q3 2026)
8.5 | Secure authentication | CC6.1 | Logical access controls | Access Control Policy | MFA configs
8.6 | Capacity management | A1.1 | Availability commitments | Business Continuity Plan | Azure auto-scale
8.7 | Protection against malware | CC6.8 | Malware prevention | Acceptable Use Policy | Defender reports
8.8 | Vulnerability management | CC7.1 | Vulnerability detection | Change Management Policy | Scan reports
8.9 | Configuration management | CC8.1 | Change management | Change Management Policy | IaC configs
8.10 | Information deletion | P4.3, C1.2 | PII disposal; confidential information disposal | Data Classification Policy | Deletion records
8.12 | Data leakage prevention | C1.2 | Confidential information disposal | Data Classification Policy | DLP configs
8.15 | Logging | CC7.2 | System monitoring | Management Review Procedure | Log Analytics
8.16 | Monitoring activities | CC7.2 | System monitoring | Management Review Procedure | Security Center
8.20 | Network security | CC6.6, CC6.7 | External threats; data transmission | Cryptography Policy | NSG rules
8.24 | Use of cryptography | CC6.1, CC6.7 | Logical access; data transmission | Cryptography Policy | Encryption configs
8.25 | Secure development life cycle | CC8.1 | Change management | Change Management Policy | PR history
8.29 | Security testing in development and acceptance | CC8.1 | Change management | Change Management Policy | Pentest reports
8.32 | Change management | CC8.1 | Change management | Change Management Policy | Change log
8.34 | Protection of systems during audit testing | CC4.1 | Monitoring activities | Internal Audit Procedure | Audit trail config
9.2 | Internal audit | CC4.1 | Monitoring activities | Internal Audit Procedure | Audit reports
9.3 | Management review | CC1.2, CC4.2 | Oversight; deficiency communication | Management Review Procedure | Review minutes
10.2 | Corrective action | CC4.2 | Deficiency communication | Corrective Action Procedure | CA log

Notes on the table: CC6.5 (decommissioning of physical assets) was previously cited for rows 5.23 and 8.20; the "external threats" descriptor used there belongs to CC6.6, and protection of data in transit is CC6.7, so those rows now reference CC6.6 and CC6.7. Rows 9.2, 9.3 and 10.2 are ISO/IEC 27001:2022 main-body clauses rather than Annex A controls.

Summary Statistics

Metric | Count
ISO 27001 references mapped | 47 (44 Annex A controls, plus management-system clauses 9.2, 9.3 and 10.2)
Distinct SOC 2 criteria covered | 30
Distinct shared documents used | 17
Mapped controls requiring a separate, framework-specific document | 0
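The counts in Summary Statistics should be derived from the table rather than maintained by hand. The following script is an added example, not part of this document or the ISMS tooling it describes: it parses rows in the " | "-delimited layout used above, checks that every ISO reference is a real ISO/IEC 27001:2022 Annex A control (5.1 to 5.37, 6.1 to 6.8, 7.1 to 7.14, 8.1 to 8.34) or a main-body clause, checks that every SOC 2 reference has the form of a Trust Services Criteria identifier, and recomputes the summary metrics. The embedded table is a constructed six-row excerpt, including one deliberately malformed row (8.35 and CC10.1 do not exist), so that the findings are visible when the script is run.

```python
"""Consistency check for a plain-text ISO 27001 <-> SOC 2 mapping table.

Added example; it is not part of the mapping document or its ISMS tooling.
It assumes the table layout used in the document: one row per line, six
columns separated by " | ", with several SOC 2 criteria separated by commas.
"""
import re

# ISO/IEC 27001:2022 Annex A has 93 controls in four themes:
# 5.1-5.37 organizational, 6.1-6.8 people, 7.1-7.14 physical, 8.1-8.34 technological.
ANNEX_A_MAX = {5: 37, 6: 8, 7: 14, 8: 34}

# SOC 2 Trust Services Criteria families: CC1-CC9 (common criteria) plus
# A1 (availability), C1 (confidentiality), PI1 (processing integrity), P1-P8 (privacy).
TSC_RE = re.compile(r"^(CC[1-9]|A1|C1|PI1|P[1-8])\.\d+$")
ISO_RE = re.compile(r"^(\d+)\.(\d+)$")

# Constructed excerpt for demonstration: five rows in the style of the
# mapping table plus one deliberately malformed row (8.35 / CC10.1 do not exist).
SAMPLE_TABLE = """
5.15 | Access control | CC6.1 | Logical access controls | Access Control Policy | Access review records
5.16 | Identity management | CC6.1, CC6.2 | Logical access; user registration | Access Control Policy | Azure AD; MFA configs
8.10 | Information deletion | P4.3, C1.2 | PII disposal; confidential information disposal | Data Classification Policy | Deletion records
8.20 | Network security | CC6.6, CC6.7 | External threats; data transmission | Cryptography Policy | NSG rules
9.2 | Internal audit | CC4.1 | Monitoring activities | Internal Audit Procedure | Audit reports
8.35 | Typo control | CC10.1 | Nonexistent criterion | Change Management Policy | none
"""


def parse_rows(text):
    """Split the table into dicts; a row with the wrong column count is an error."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns, got {len(cells)}: {line!r}")
        iso_ref, control, soc_refs, criteria, doc, evidence = cells
        rows.append({
            "iso": iso_ref,
            "control": control,
            "soc2": [r.strip() for r in soc_refs.split(",") if r.strip()],
            "criteria": criteria,
            "doc": doc,
            "evidence": evidence,
        })
    return rows


def iso_kind(ref):
    """Classify an ISO reference: Annex A control, management-system clause, or invalid."""
    m = ISO_RE.match(ref)
    if not m:
        return "invalid"
    clause, num = int(m.group(1)), int(m.group(2))
    if clause in ANNEX_A_MAX:
        return "annex_a" if 1 <= num <= ANNEX_A_MAX[clause] else "invalid"
    if 4 <= clause <= 10:  # main-body requirements clauses 4 to 10
        return "clause"
    return "invalid"


def check(rows):
    """Return a list of findings; an empty list means the table is internally consistent."""
    findings = []
    for r in rows:
        kind = iso_kind(r["iso"])
        if kind == "invalid":
            findings.append(f"{r['iso']}: not an ISO/IEC 27001:2022 Annex A control or clause")
        elif kind == "clause":
            findings.append(f"{r['iso']}: management-system clause, not an Annex A control")
        for c in r["soc2"]:
            if not TSC_RE.match(c):
                findings.append(f"{r['iso']}: {c!r} is not a Trust Services Criteria reference")
        if not r["doc"]:
            findings.append(f"{r['iso']}: no shared document; needs separate documentation")
    return findings


def summary(rows):
    """The numbers the Summary Statistics section should be derived from."""
    return {
        "rows": len(rows),
        "annex_a_controls": sum(1 for r in rows if iso_kind(r["iso"]) == "annex_a"),
        "soc2_criteria": len({c for r in rows for c in r["soc2"]}),
        "shared_documents": len({r["doc"] for r in rows if r["doc"]}),
        "unmapped_controls": sum(1 for r in rows if not r["doc"]),
    }


if __name__ == "__main__":
    table = parse_rows(SAMPLE_TABLE)
    for finding in check(table):
        print("FINDING:", finding)
    for key, value in summary(table).items():
        print(f"{key}: {value}")
```

Running it against the full table (paste the rows into SAMPLE_TABLE or read them from a file) reports the three clause rows as expected findings and prints the counts that belong in Summary Statistics; any typo in a control or criterion number surfaces as a finding before the document goes to an auditor. The regular expression only checks the shape of a TSC reference, not whether a given point number exists within a family, so a reference like CC6.9 still needs a human check against the criteria text.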