ISO 27001
SOC 2 and ISO 27001: Take advantage of common criteria mapping for compliance

SOC 2 and ISO 27001: Take advantage of common criteria mapping for compliance

You’ve probably heard this maxim at one time or another: “Work smart, not hard.”  If your company has already achieved a SOC 2 report or an ISO 27001 certification, you’re likely well on your way to obtaining the other. If you haven’t earned either, there are a ton of benefits to achieving both in one fell swoop.

You can “work smart” by strategically taking advantage of common criteria for compliance, or overlapping requirements, so you don’t have to spend additional resources earning your next security standard. In this article, we’ll take a quick tour of SOC 2 and ISO 27001, why it’s a good idea to pursue both, and why it’s smart to take advantage of common criteria mapping to save time and money. 

What is SOC 2 and who needs it?

Known as the gold standard of US compliance frameworks, SOC 2 is a set of criteria that assesses a company’s security procedures and protocols. Created by the American Institute of CPAs (AICPA), SOC 2 reports assure potential vendors and partners that you’ve established strong security guidelines. It signifies a commitment to data security and constant risk management. 

SOC 2 is not a legally mandated certification—it is an attestation report typically generated by a third-party auditor. Although it is not a requirement, US-based businesses that wish to gain new channels of revenue will, at some point, be asked to prove their security by prospective clients. 

What is ISO 27001 and who needs it?

ISO 27001 is a security framework created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 is an international security standard unlike SOC 2 which is only relevant to US entities. 

The purpose of ISO 27001 is to help organizations preserve the confidentiality, integrity, and availability of all data and information. This requires an Information Security Management System (ISMS) that can monitor and protect a company’s people, processes, and technology. 

Just like SOC 2, obtaining an ISO 27001 certification shows that your organization is trustworthy and can prove its security practices. ISO 27001 is not a legal requirement. It’s a certification that international clients and business partners are likely to request before making a deal. Once an audit is conducted by a licensed third-party, an ISO certification may be awarded. 


Should your company pursue SOC 2 and ISO 27001? 

Just because SOC 2 and ISO 27001 have similar goals and requirements, does that mean your company should pursue both? The short answer is: it depends. If your company has no interest in becoming an international organization, a SOC 2 is likely the best option. 

In contrast, if your company is outside the US and has no plans to enter the North American market, ISO 27001 is likely sufficient. Companies that seek international growth and revenue will gain many benefits from obtaining both standards. 

Achieving ISO 27001 and SOC 2 compliance serves as a strong market differentiator between you and the competition. When a prospective client is weighing their options, providing proof of both standards can tip the scales in your favor.

What is common criteria mapping for compliance?

If SOC 2 and ISO 27001 are in your company’s future, you’re in luck because both of their frameworks have a lot in common. Many requirements, controls, and criteria overlap which means that there’s a strong chance you won’t have to double your efforts. By strategically and simultaneously fulfilling criteria for each standard, you can streamline the compliance process. This is known as common criteria mapping. 

So how much overlap is there? Because every company is subject to a specific set of criteria and controls there’s no definitive answer. However, AICPA’s mapping spreadsheet demonstrates that the vast majority of SOC 2 and ISO controls overlap. 

SOC 2 is composed of specific controls housed within five governing principles known as the Trust Services Criteria.

  • Security
  • Availability
  • Confidentiality
  • Privacy
  • Processing Integrity

ISO 27001 consists of controls that exist within 10 "clauses" which cover the security responsibilities of an organization.

  • Scope 
  • Normative references 
  • Terms and definitions 
  • Context
  • Leadership
  • Planning and risk management
  • Support
  • Operations
  • Performance evaluation
  • Improvement


What are the benefits of common criteria mapping?

If you’ve obtained a SOC 2 report or an ISO certification, you’re in a good position to build on top of what’s already established. And if you have yet to earn either standard, it makes a lot of sense to tackle them simultaneously. Here are a few reasons why. 

Save time and resources: By strategically fulfilling criteria for SOC 2 and ISO 27001, you’re essentially getting a two-for-one deal. Frontloading your efforts in this manner is cost effective and resource efficient.  

Expand your information security program quickly: Achieving SOC 2 and ISO in one fell swoop gives your security program a significant boost. For fast-growing companies, this level of progress is priceless.  

Build a cohesive internal security structure: Accomplishing multiple compliance goals at the same time gives you the ability to document, maintain, and improve your security holistically. This ensures you never have to deconstruct a siloed security environment. 

Streamline your compliance goals with Vanta 

SOC 2 and ISO 27001 contain specific criteria and controls, however; organizations do not need to adhere to all of them. So how do you know which ones to follow? By working with a trusted compliance partner like Vanta, you can receive expert consultation on how to move forward.

Vanta’s automated compliance platform continuously monitors your security posture. It provides detailed information about the status of all your standards, and when you make progress on one, you’ll know exactly where you stand with all the others. 

Learn more about SOC 2 and ISO 27001 

SOC 2 vs. ISO 27001 Compliance: Why You Need Both

Get your free SOC 2 checklist here
Get your free ISO 27001 checklist here

Written by
No items found.
Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

PCI Compliance Selection Guide

Determine Your PCI Compliance Level

If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.

When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.

Answer a few short questions and we’ll help identify your compliance level.


Does your business offer services to customers who are interested in your level of PCI compliance?


Identify your PCI SAQ or ROC level

The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.

Good news! Vanta supports all of the following compliance levels:


A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.

Get PCI DSS certified


A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.

Learn more about eCommerce PCI

for service providers

A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.

Use our PCI checklist

Level 1 for service providers

A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).

Automate your ROC and AOC

Download this checklist for easy reference


Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.

Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes