ISO 27001 vs SOC 2: Evidence Requirements Compared
While SOC 2 focuses on technical system controls, ISO 27001 requires evidence of a functioning Information Security Management System (ISMS). This guide explains the exact documentation and screenshots auditors expect for both frameworks and how automation bridges the gap.
ISO 27001 and SOC 2 audits both require proof that your security controls actually work, but they ask for that proof in fundamentally different ways. SOC 2 auditors want to see system configurations, access logs, and application screenshots proving specific Trust Services Criteria are met. ISO 27001 auditors want documentation proving you have a functioning Information Security Management System (ISMS) governing those controls.
While many teams try to reuse their SOC 2 evidence for ISO 27001 certification, they quickly realize that API-based checks alone do not satisfy ISMS requirements. Automating evidence collection across both frameworks requires capturing both the technical system state and the management processes behind it.
What is the Fundamental Difference Between ISO 27001 and SOC 2 Evidence?
SOC 2 evidence proves a technical control is operating effectively at a specific point or period in time. ISO 27001 evidence proves you have a management process that identifies risks, implements controls, and continuously improves over time.
If we look at access control as an example, the difference in auditor expectations becomes obvious.
For SOC 2 (CC6.1), the auditor wants a screenshot of your AWS IAM dashboard showing that MFA is enforced, plus a sample of user access reviews. They care about the technical reality of the system.
For ISO 27001 (A.5.15), the auditor wants the Access Control Policy document, the risk assessment that justified the policy, the management review minutes approving it, and then the technical screenshot showing it is enforced.
You can pass a SOC 2 audit by having secure systems. You will fail an ISO 27001 certification if your systems are secure but your management documentation is missing.
How Do ISO 27001 Annex A and SOC 2 Controls Overlap?
Despite the difference in management philosophy, the actual technical evidence you collect for SOC 2 maps heavily to the ISO 27001 Annex A controls. If you capture the right artifacts, you can satisfy both frameworks with a single piece of evidence.
| Control Area | SOC 2 Criteria | ISO 27001:2022 Annex A | Shared Evidence Acceptable |
|---|---|---|---|
| Logical Access | CC6.1, CC6.2 | A.5.15, A.5.16, A.5.18 | Screenshots of IdP settings, MFA enforcement toggles, RBAC matrices, and user access review logs. |
| Change Management | CC8.1 | A.8.32 | Pull request approvals, CI/CD pipeline deployment logs, and Jira ticket workflows showing testing before release. |
| Vulnerability Management | CC7.1 | A.8.8 | Penetration test reports, automated vulnerability scan results, and remediation tracking tickets. |
| Vendor Management | CC9.2 | A.5.19, A.5.21 | Vendor security questionnaires, SOC 2 reports collected from third parties, and vendor risk matrices. |
| Incident Response | CC7.3, CC7.4 | A.5.24, A.5.26 | Incident response plans, post-mortem reports, and tabletop exercise documentation. |
Can You Reuse SOC 2 Screenshots for an ISO 27001 Certification?
Yes. The technical proof is identical. When you capture a screenshot of your GitHub branch protection rules to satisfy SOC 2 CC8.1, that exact same screenshot works for ISO 27001 A.8.32 (Change Management).
The catch is the Statement of Applicability (SoA). ISO 27001 requires you to explicitly state which Annex A controls apply to your organization and which do not, justified by a formal risk assessment. If you hand an ISO auditor a folder of SOC 2 screenshots without mapping them to your SoA and risk treatment plan, they will reject the submission. The technical evidence must be contextualized within the ISMS.
In practice, maintaining two separate evidence libraries is a mistake. It leads to version control issues and massive audit fatigue. Instead, structure your evidence around your actual business systems rather than control IDs. A single PDF evidence pack showing a new developer's onboarding flow can be tagged to both CC6.2 and A.5.18. When the auditor asks for proof, you export the system-based evidence pack and provide the mapping document.
What ISO 27001 Evidence Cannot Be Automated with GRC Tools?
Where traditional compliance automation stops is the boundary between APIs and human processes. GRC platforms like Drata and Vanta are excellent at pinging AWS to verify encryption at rest or checking GitHub for branch protections.
But ISO 27001 relies heavily on management processes that do not live in APIs. Traditional tools struggle to automate:
- Management Review Minutes: The formal meetings where leadership reviews ISMS performance and resource allocation.
- Risk Assessment Methodologies: The actual scoring, evaluation, and treatment decisions for asset risks.
- Internal Audit Results: The independent checks of your own ISMS before the Stage 2 external audit occurs.
- Application-Level UI Controls: Custom admin panels, internal HR tools, or legacy systems that lack public APIs but still require access control validation.
For these areas, teams usually fall back to manual screenshot collection and spreadsheet tracking. This is why relying purely on API integrations leaves a massive evidence gap for ISO 27001 compared to SOC 2. You need tools capable of workflow recording and UI-level capture to document these manual management steps and custom applications.
By deploying AI agents that can record application workflows and capture visual evidence, you can bridge the gap between technical system configurations and the ISMS documentation that ISO 27001 auditors expect.
How Do Audit Lifecycles Differ Between SOC 2 and ISO 27001?
The audit cadence shapes everything about evidence collection. SOC 2 Type II runs a single observation period — typically 6 to 12 months — and produces a point-in-time report. ISO 27001 runs a three-year certification cycle: a Stage 1 readiness audit, a Stage 2 certification audit, two annual surveillance audits, and a recertification audit at year three.
That structural difference changes how evidence is captured. SOC 2 evidence is bursty: you collect 6–12 months of operating evidence, hand it to the auditor, get the report, and move on. ISO 27001 evidence is continuous: every Annex A control needs a defensible audit trail at any moment a surveillance auditor calls. If your access review for Q2 happened but no one minuted the management review that approved the findings, you fail your surveillance audit even though the technical control was operating.
In practice this means an ISO-ready evidence library is always one screenshot, one signed minute, and one risk-treatment update away from being audit-ready. A SOC 2-only library can afford gaps between audit windows. Treating ISO 27001 like a once-a-year SOC 2 sprint is the most common reason teams fail recertification.
What Are the Required ISMS Documents That SOC 2 Does Not Demand?
SOC 2 has no concept of an Information Security Management System. ISO 27001 puts it at the center of the audit. The standard names mandatory documents — and your evidence library must produce each on demand:
- Scope of the ISMS (Clause 4.3) — a statement of which products, locations, employees, and information assets are covered.
- Information Security Policy (Clause 5.2) — top-management-approved, with version history.
- Risk Assessment Methodology (Clause 6.1.2) — the procedure you use to identify, analyze, and evaluate risks. SOC 2 has nothing equivalent.
- Risk Treatment Plan (Clause 6.1.3) — the documented decisions for accepting, transferring, mitigating, or avoiding each identified risk.
- Statement of Applicability (SoA) (Clause 6.1.3.d) — a list of all 93 Annex A controls in ISO/IEC 27001:2022, marked applicable or not, with justification.
- Information Security Objectives (Clause 6.2) — measurable, time-bound goals for the ISMS.
- Internal Audit Programme and Results (Clause 9.2).
- Management Review Records (Clause 9.3) — minuted reviews of ISMS performance.
- Nonconformity and Corrective Action Records (Clause 10.1).
For a SOC 2-only team, the SoA is usually the steepest hill. Mapping every Annex A control with a written justification — and tying each one to either a specific evidence artifact or a documented exclusion — typically takes 40 to 80 hours of skilled compliance work the first time. Automating this requires a system that knows which controls are technically enforceable from your stack and which require human management process artifacts.
How Do Sample Sizes and Operating Effectiveness Tests Differ?
SOC 2 Type II evidence typically follows AICPA sampling guidance: control frequency dictates how many samples an auditor inspects.
| Control Frequency | AICPA Suggested Sample Size |
|---|---|
| Annual | 1 |
| Quarterly | 2 |
| Monthly | 2–4 |
| Weekly | 5–9 |
| Daily / Recurring | 25–40 |
ISO 27001 surveillance auditors do not work from a fixed sample table. They take a risk-based approach: they ask for the evidence they think is most likely to surface a nonconformity given your sector, last year's findings, and recent incidents. Two implications follow.
First, ISO evidence libraries must be retrievable by date and control, not just by SOC 2 sampling window. If the auditor asks for "all access reviews completed in February 2026 for systems classified as confidential," you need to produce that exact slice — not a 25-sample bucket selected for SOC 2.
Second, the artifacts themselves must include richer metadata. ISO auditors expect to see who performed the action, who reviewed it, when it was reviewed, and what risk treatment it supports. SOC 2 will accept a screenshot showing MFA enforced. ISO 27001 expects the same screenshot plus a link to the access control policy version that mandated it, the risk it mitigates per your risk register, and the management review that approved the policy.
What Is the Pen Test and Vulnerability Evidence Difference?
Both standards require evidence of vulnerability management, but the bar is different.
For SOC 2 (CC7.1), an auditor wants to see your scanning cadence (e.g., weekly Snyk reports, monthly external scans), a recent penetration test report, and tickets showing remediation tracking.
For ISO 27001 (A.8.8 — Management of technical vulnerabilities), the same artifacts feed in, but the auditor also evaluates whether your vulnerability management procedure aligns with your risk treatment plan, whether retest evidence proves remediation, and whether residual risk is documented in management review minutes. A SOC 2 audit can pass with "we ran a pen test and fixed the criticals." An ISO audit asks "show me the policy that defines remediation SLAs by severity, evidence that the SLAs were met, and the review where leadership accepted residual risk for the items still open."
Can a Single Evidence Pack Satisfy Both Audits?
Yes, but only if the pack carries dual mapping metadata. A signed evidence pack that meets both standards typically contains:
- The technical artifact (screenshot, configuration export, log excerpt) with cryptographic hash and timestamp.
- A SOC 2 control map referencing one or more Trust Services Criteria.
- An ISO 27001 control map referencing the corresponding Annex A control(s).
- A reference to the originating policy version (ISO requirement).
- A reference to the relevant risk treatment plan entry (ISO requirement).
- The reviewer or approver identity (both standards, but ISO is stricter on attribution).
Without dual mapping, the same screenshot has to be re-collected, re-tagged, and re-stored for each framework. Teams running this manually typically spend 30–50% of compliance time on duplicate work that automated dual mapping eliminates.
What About HIPAA, HITRUST, and CMMC Overlap?
Most teams adding ISO 27001 to a SOC 2 program are eventually asked about HIPAA or CMMC. The good news: ISO 27001 Annex A maps cleanly onto HIPAA Security Rule safeguards and CMMC Level 2 practices for the technical controls. The bad news: each framework adds documentation requirements that ISO does not — for example, HIPAA's Business Associate Agreement obligation and CMMC's plan of action and milestones (POA&M) artifact. A unified evidence library should plan for at least four mapping layers: SOC 2 TSC, ISO 27001 Annex A + clauses, HIPAA Security Rule §§164.308/.310/.312, and CMMC practice families.
Frequently Asked Questions
Is ISO 27001 harder than SOC 2?
ISO 27001 is broader and more documentation-heavy because it audits the management system, not just technical controls. SOC 2 is narrower but has stricter expectations about operating effectiveness over a defined period. Most teams find SOC 2 Type II is a lighter first audit; ISO 27001 is harder the first time and easier the second time because the ISMS infrastructure persists.
Can I get ISO 27001 certified if I already have SOC 2 Type II?
Yes, and most of your technical evidence carries over. Plan for an extra 80–160 hours of work to build the ISMS documents (scope, SoA, risk treatment plan, management review minutes, internal audit programme) and to map your existing evidence to Annex A controls.
Does ISO 27001 require screenshots like SOC 2?
ISO 27001 does not mandate screenshots specifically — it accepts any "documented information" that proves a control is operating. In practice, screenshots are the cheapest and clearest way to evidence application-level controls (UI permissions, dashboards, internal tools) that no API can introspect. The auditor cares about authenticity and traceability, not the file format.
How long does an ISO 27001 audit take compared to SOC 2?
A first-time ISO 27001 audit typically runs 9–14 months from kickoff to certification: 4–8 weeks of Stage 1 readiness work, the Stage 2 audit itself, and remediation of any findings. SOC 2 Type II runs the observation period (6–12 months) plus 2–6 weeks of fieldwork. SOC 2 Type I can be done in 4–8 weeks total.
What changed in ISO 27001:2022 vs ISO 27001:2013?
ISO/IEC 27001:2022 reorganized Annex A from 114 controls into 93, grouped into four themes (Organizational, People, Physical, Technological). It also added 11 new controls including threat intelligence, cloud services, configuration management, web filtering, and secure coding. If your team has 2013 evidence, you need a remap — most controls survive but the IDs change.
Does Drata or Vanta cover ISO 27001 ISMS documents?
Drata and Vanta automate the technical control checks against APIs (encryption, MFA, vulnerability scanning) and provide template ISMS policies. They do not generate or maintain the live management review minutes, risk treatment decisions, or application-level UI evidence the auditor expects. Teams typically pair an API-based GRC tool with screenshot-based evidence automation and a written ISMS to fully cover ISO requirements.
Can the same risk register satisfy SOC 2 and ISO 27001?
Yes, if it includes the fields ISO 27001 requires — asset, threat, vulnerability, likelihood, impact, owner, treatment decision, residual risk, and review date — and is reviewed by management on a documented schedule. SOC 2 accepts almost any defensible risk register; ISO 27001 audits the methodology behind it.
Learn More About ISO 27001 Evidence Automation
For a complete guide to managing your ISMS documentation and Annex A requirements, see our guide on automating ISO 27001 evidence collection, including how to capture application-level controls that traditional tools miss.
Ready to Automate Your Compliance?
See what your compliance program looks like with your real systems.