SOC 2 Readiness Assessment · ISO 27001 Gap Analysis

SOC 2 Readiness Assessment: how much additional work does SOC 2 add to your ISO 27001 programme?

Free SOC 2 readiness assessment that scores your ISO 27001 controls. Find out how much additional work SOC 2 adds to your ISO 27001 programme in one pass.

Frequently asked questions

What is the difference between ISO 27001 and SOC 2, and which do we need?

ISO 27001 is an internationally recognised certification issued by an accredited body after a formal audit of your Information Security Management System. SOC 2 is a US-originated assurance report, produced by a licensed CPA firm, that evaluates your controls against the AICPA Trust Service Criteria. For UK mid-market businesses, ISO 27001 is typically required by domestic enterprise customers and public sector contracts, while SOC 2 Type II is increasingly demanded by US-based customers or investors. Many organisations pursue both through an integrated programme because there is substantial overlap between the two frameworks, and the marginal cost of achieving the second certification once the first is in place is considerably lower than pursuing them independently.

How long does an ISO 27001 SOC 2 readiness programme typically take for a mid-market organisation?

For an organisation starting from a low base, achieving ISO 27001 certification typically takes nine to fifteen months from the start of a gap assessment to passing the Stage 2 audit. SOC 2 Type II requires an observation period of at least six months during which controls must be operating consistently, so an integrated ISO 27001 SOC 2 programme running in parallel typically takes twelve to eighteen months end to end. Organisations with existing mature security practices, documented policies and evidence of controls can compress this significantly. The most common cause of delay is the time required to gather twelve months of operating evidence for SOC 2, which cannot be accelerated.

Which controls from ISO 27001 Annex A overlap with SOC 2 Trust Service Criteria?

The overlap is substantial. ISO 27001 Annex A controls in the domains of access control, cryptography, operations security, incident management and supplier relationships map directly to SOC 2 Common Criteria CC6, CC7, CC8 and CC9. An organisation that has implemented Annex A controls with supporting evidence will satisfy the majority of SOC 2 Common Criteria requirements, and vice versa. The main areas unique to SOC 2 are the additional Trust Service Criteria for Availability, Confidentiality, Processing Integrity and Privacy, which require supplementary controls beyond the Annex A baseline.

What is the difference between SOC 2 Type I and SOC 2 Type II, and which do customers typically require?

A SOC 2 Type I report assesses whether your controls are suitably designed at a single point in time. A SOC 2 Type II report assesses whether those controls have been operating effectively over a defined period, typically six to twelve months. Enterprise customers and sophisticated procurement teams almost universally require Type II because it provides evidence that controls are actually working consistently, not merely documented. A Type I can be a useful interim milestone to demonstrate progress, but organisations should plan for Type II as the end objective.

How much does ISO 27001 certification typically cost for a UK mid-market business?

Certification costs vary significantly depending on the size and complexity of the organisation. Typical expenditure includes external gap assessment and implementation consultancy, internal staff time, technology investments to close control gaps, and certification body fees for Stage 1 and Stage 2 audits plus annual surveillance audits. Consultancy and audit fees alone commonly range from thirty thousand to one hundred thousand pounds for an initial certification programme. The largest cost driver is usually the internal resource required to gather evidence, remediate gaps and manage the programme, which is frequently underestimated.

Do we need to certify against every ISO 27001 Annex A control?

No. ISO 27001 requires you to evaluate all Annex A controls and document your rationale for any you choose to exclude in a Statement of Applicability. Controls are excluded where they are genuinely not applicable to your organisation's context or where the risk they address does not exist within your defined scope. However, certification bodies and customers scrutinise exclusions closely, and excluding controls without a clear and defensible rationale is a common source of non-conformities at audit. Excluding controls to reduce implementation effort rather than because they are genuinely inapplicable is a strategy that rarely survives a Stage 2 audit.

What evidence do SOC 2 auditors typically request during a Type II audit?

SOC 2 auditors use a sampling approach across the audit period, typically requesting evidence for a selection of individual transactions, access reviews, change records, vulnerability scan reports, incident records, patch logs, training completion records and vendor assessments. The key requirement is that the evidence must relate to the actual audit period and must demonstrate consistent operation of controls, not a one-off effort. Organisations that implement controls specifically for the audit rather than as genuine operational practice consistently struggle to produce sufficient evidence across a twelve-month observation window.

Can a small team achieve ISO 27001 certification without a dedicated information security function?

Yes, but it requires careful planning. ISO 27001 does not prescribe a minimum headcount or an in-house CISO. What it requires is that someone has clear accountability for the ISMS, that processes are documented and followed consistently, and that leadership is engaged. Many mid-market businesses use a fractional CISO or external consultancy to lead the programme and write the documentation, with internal operational staff responsible for executing the day-to-day controls. The critical success factor is that security responsibilities are genuinely embedded in operational roles rather than treated as a paper exercise.

What happens if we fail an ISO 27001 Stage 2 audit?

A Stage 2 audit does not produce a simple pass or fail result. Auditors identify major non-conformities, minor non-conformities and observations. Major non-conformities must be remediated and verified before certification is granted, and the certification body will either schedule a further on-site visit or request documented evidence of remediation. Minor non-conformities must be remediated within a defined period, typically ninety days, and are reviewed at the first surveillance audit. Certification is withheld until all major non-conformities are resolved, but organisations are not required to repeat the full audit from scratch unless the issues are fundamental.

How do ISO 27001 surveillance audits work after initial certification?

ISO 27001 certification is valid for three years, subject to annual surveillance audits. Surveillance audits are shorter than the initial certification audit, typically taking one to two days depending on the size of the organisation, and focus on whether the ISMS is being maintained, whether non-conformities from the previous audit have been addressed and whether there have been significant changes to scope or risk. A recertification audit at the end of the three-year cycle is more comprehensive. Organisations that treat certification as a one-time project rather than an ongoing programme consistently struggle at surveillance audits.