SOC 2 & ISO 27001 Evidence Mapping
Build the control set once. Satisfy both audit cycles.
For organisations running SOC 2 and ISO 27001 in parallel: design and implement a single evidence-grade control set that satisfies both the AICPA Trust Services Criteria and ISO/IEC 27001:2022 Annex A, without duplicating evidence collection.
02 Typical triggers
When this service is on the desk.
- 01 Customer asks for both SOC 2 Type 2 and ISO 27001
- 02 New SOC 2 examination period starting
- 03 ISO 27001 recertification approaching
- 04 Evidence collection running twice for the same control
03 Typical outputs
Artefacts that earn the audit, the customer or the board.
- Common control catalogue mapped CC1–CC9 ↔ Annex A
- Single Statement of Applicability with attestation overlay
- Evidence pack reusable across both audit cycles
- Auditor walkthrough notes for SOC 2 examiner and ISO certifier
- Annual audit calendar combining both cycles
04 Engagement shapes
Three ways the engagement is typically scoped.
SHAPE 01
Joint readiness
10–14 week joint readiness for SOC 2 Type 1 + ISO Stage 1.
SHAPE 02
Mapping only
4–6 week mapping engagement against existing programmes.
SHAPE 03
Continuous
Annual retainer covering both surveillance audits.
DELIVERED BY
Paul Jolliffe
FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner
Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Engagements are senior from day one: no subcontracted juniors, no introduce-and-exit.