How It Works Pricing Blog Start Free Trial

How does a US SaaS company add ISO 27001 to existing SOC 2?

March 6, 20262 min readBeyond SOC 2

What You Already Have from SOC 2

ISO 27001 Requirement	SOC 2 Source	Status
Access controls (A.9)	CC6.1-6.8 evidence	Done
Change management (A.14)	CC8.1 evidence	Done
Incident management (A.16)	CC7.3-7.5 evidence	Done
Cryptographic controls (A.10)	CC6.7 evidence	Done
Operations security (A.12)	CC7.1-7.2 evidence	Done
Human resource security (A.7)	CC1.4 evidence	Done
Supplier relationships (A.15)	CC9.1-9.2 evidence	Done
Risk assessment (Clause 6.1)	CC3.1-3.4 risk assessment	Needs reformatting

What You Need to Create

1. ISMS Documentation (2-3 weeks)

The Information Security Management System document formalizes your security program:

ISMS scope and boundaries
Information security objectives
Roles and responsibilities for ISMS governance
Process for continual improvement
Management commitment statement

2. Statement of Applicability (1 week)

A document listing all 114 Annex A controls with:

Whether each control is applicable to your organization
Justification for including or excluding each control
Reference to your implementation evidence

3. Risk Assessment in ISO Format (1 week)

Your SOC 2 risk assessment covers the content, but ISO 27001 expects:

Asset-based risk identification
Risk treatment plan
Residual risk acceptance by management
Risk register

4. Internal Audit (1-2 weeks)

ISO 27001 requires an internal audit before certification:

Self-assessment against Annex A controls
Documentation of findings
Corrective action plans for any gaps

5. Management Review (1 day)

Formal meeting with leadership covering:

ISMS performance
Internal audit results
Risk assessment updates
Improvement opportunities
Documented minutes

Timeline

Phase	Duration
ISMS documentation	2-3 weeks
Statement of Applicability	1 week
Risk assessment reformatting	1 week
Internal audit	1-2 weeks
Management review	1 day
Certification body engagement	1-2 weeks
Stage 1 audit (documentation review)	1-2 days
Stage 2 audit (implementation review)	2-3 days
Total	2-4 months

Cost

Item	Cost
Certification body (initial certification)	$15K-$30K
Consultant (if needed, for ISMS setup)	$5K-$10K
Annual surveillance audits (Year 2, 3)	$5K-$10K each
Re-certification (Year 4)	$10K-$20K

Related Questions

How do fintech companies handle SOC 2 plus PCI DSS evidence?

Fintech companies handle dual SOC 2 and PCI DSS compliance by building a shared control foundation (access controls, encryption, change management) and adding PCI-specific requirements on top — cardholder data environment scoping, network segmentation, vulnerability scanning, and PCI-specific encryption standards.

How do I add HIPAA to my existing SOC 2 program?

Adding HIPAA to an existing SOC 2 program takes 1-2 months. Your SOC 2 controls already cover most HIPAA Security Rule requirements. The main additions are a Business Associate Agreement template, PHI data mapping, breach notification procedures, and privacy-specific controls for patient data handling.

How do I automate evidence collection across multiple frameworks?

Automate cross-framework evidence collection by collecting evidence once and mapping it to multiple frameworks. A single MFA screenshot satisfies SOC 2 CC6.1, ISO 27001 A.9.4, and HIPAA §164.312(d). Use tools that support multi-framework mapping to avoid collecting the same evidence multiple times.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

Start Free Trial →