Plenty of companies earn SOC 2 first — usually because their early customers are North American — and then hit a wall when a European or enterprise prospect asks for ISO 27001 instead. The good news is that you are not starting over. The two frameworks share the large majority of their control substance, so most of your SOC 2 work is directly reusable.
This guide maps the journey from a SOC 2 report to ISO 27001 certification: what carries over untouched, what you need to add, and how to run the expansion as an efficient extension rather than a second full project.
Why SOC 2 gives you a head start
SOC 2 already required you to build and operate a real control environment: access management, encryption, logging, change management, vendor risk, incident response, and security awareness. ISO 27001 expects the same controls, just organised under its Annex A themes and wrapped in a formal management system.
That means the expensive, time-consuming part — actually implementing controls and getting teams to follow them — is largely done. What remains is mostly structural: adding the management-system layer ISO 27001 requires and re-presenting your evidence in its format.
In practice, companies expanding from SOC 2 often reach certification noticeably faster than those starting cold.
What carries over almost untouched
A large share of your SOC 2 program transfers directly. Your technical controls — identity and access management, MFA, encryption in transit and at rest, audit logging, vulnerability management, and secure development practices — satisfy the equivalent Annex A controls with little or no change.
Your operational controls transfer too: onboarding and offboarding, change approvals, backup and recovery, vendor reviews, and incident response procedures all map onto ISO 27001 expectations. Much of your existing evidence — tickets, logs, access reviews, training records — can be reused as-is.
Many of your policies will also need only light editing to align with ISO 27001 terminology and structure.
What you need to add: the management system
The genuinely new work is the ISMS ‘wrapper’. ISO 27001’s mandatory clauses (4–10) require elements SOC 2 does not formally demand: a documented ISMS scope, an information security policy set, defined security objectives, and explicit context and interested-parties analysis.
You will also need a formal, repeatable risk assessment and risk treatment methodology, an internal audit programme, and a management review process. SOC 2 touches risk assessment, but ISO 27001 makes it the documented engine that justifies every control.
None of this is hard when your controls already exist — it is largely formalising and documenting the governance around work you are already doing.
The Statement of Applicability
One artefact has no direct SOC 2 equivalent: the Statement of Applicability (SoA). The SoA lists every Annex A control, states whether you have included or excluded it, and justifies each decision against your risk assessment.
Building it is mostly a mapping exercise. You walk the 93 Annex A controls, mark the ones your SOC 2 program already covers (most of them), note any that need new work, and record justified exclusions for anything genuinely not applicable.
Because you already operate most of the controls, the SoA tends to come together quickly — it documents reality rather than prescribing a wish list.
Mapping SOC 2 controls to Annex A
A control mapping is the practical heart of the expansion. Take your SOC 2 control matrix and line it up against Annex A’s four themes — Organizational, People, Physical, and Technological. The exercise quickly reveals three buckets: controls that map cleanly, controls that need minor extension, and a small set of Annex A controls SOC 2 did not push you to formalise.
Typical gaps include threat intelligence, more explicit asset management, formal continuity planning, and some of the newer 2022 controls. These are usually quick to close because the supporting capability often already exists informally.
The mapping doubles as your gap analysis, giving you a precise, prioritised list of the (usually short) remaining work.
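As an added illustration of the Statement of Applicability and control-mapping exercises described above (example code, not from the original article or any compliance platform), this script takes a constructed SOC 2 control matrix, sorts a subset of the real Annex A (2022) controls into the three buckets, and drafts SoA rows with an inclusion or exclusion justification. The SOC 2 control ids (CC6.1-01 and so on), their descriptions and the risk-assessment reference RA-12 are hypothetical sample data.

```python
# ISO/IEC 27001:2022 Annex A subset (real identifiers and titles; the full list has 93).
# First digit is the theme: 5 organizational, 6 people, 7 physical, 8 technological.
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.9": "Inventory of information and other associated assets",
    "5.19": "Information security in supplier relationships",
    "5.30": "ICT readiness for business continuity",
    "6.3": "Information security awareness, education and training",
    "7.4": "Physical security monitoring",
    "8.5": "Secure authentication",
    "8.13": "Information backup",
    "8.15": "Logging",
    "8.32": "Change management",
}
# Constructed SOC 2 control matrix: id -> (description, [(Annex A id, fully_covered)]).
# Control ids and descriptions are hypothetical sample data, not a real matrix.
SOC2 = {
    "CC6.1-01": ("MFA enforced on all SSO logins", [("8.5", True)]),
    "CC7.2-04": ("Central audit logging, 1-year retention", [("8.15", True)]),
    "CC8.1-05": ("Peer-reviewed, ticketed production changes", [("8.32", True)]),
    "A1.2-06": ("Nightly backups, quarterly restore test", [("8.13", True), ("5.30", False)]),
    "CC9.2-07": ("Annual vendor security review", [("5.19", True)]),
    "CC1.4-08": ("Annual security awareness training", [("6.3", True)]),
}
# Justified exclusions, each citing a risk-assessment reference (constructed).
EXCLUDED = {"7.4": "Fully remote company, no offices or data centres in scope (RA-12)"}

def map_controls(annex=ANNEX_A, soc2=SOC2, excluded=EXCLUDED):
    # Invert the SOC 2 matrix: which SOC 2 controls fully / partially cover each Annex A id.
    clean, extend = {}, {}
    for cid, (_, targets) in soc2.items():
        for aid, full in targets:
            (clean if full else extend).setdefault(aid, []).append(cid)
    buckets, soa = {"clean": [], "extend": [], "gap": []}, []
    for aid, title in annex.items():
        if aid in excluded:
            soa.append((aid, title, "Excluded", excluded[aid]))
            continue
        if aid in clean:
            buckets["clean"].append(aid)
            why = "Implemented via SOC 2 " + ", ".join(clean[aid])
        elif aid in extend:
            buckets["extend"].append(aid)
            why = "Partially via SOC 2 " + ", ".join(extend[aid]) + "; needs extension"
        else:
            buckets["gap"].append(aid)
            why = "Not covered by SOC 2; new control required"
        soa.append((aid, title, "Included", why))
    return buckets, soa
```

The `gap` bucket is the prioritised remaining-work list; every SoA row carries the justification an auditor will ask for at Stage 1.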
Reusing your evidence and tooling
If you used a compliance automation platform for SOC 2, much of its value carries straight over — many tools support ISO 27001 mappings out of the box, so the same integrations and automated evidence feed both frameworks. Your monitoring, ticketing, and HR systems continue to produce the records auditors want.
Even without a platform, the evidence habits you built for SOC 2 — regular access reviews, documented change approvals, retained logs — are exactly what an ISO 27001 auditor samples. You are extending an existing evidence engine, not building a new one.
That reuse is the single biggest reason the second framework costs far less than the first.
The audit differences to expect
The assessment ritual differs. Instead of a CPA firm producing a report, an accredited certification body runs a Stage 1 documentation review and a Stage 2 operational audit, then issues a certificate. Surveillance audits follow annually.
The Stage 1 review focuses heavily on the management-system documents that are new to you — scope, policy, risk method, and SoA — so getting those right is where expanding companies should concentrate. Stage 2 then tests the controls you already operate, which is familiar territory after SOC 2.
Teams that aced SOC 2 generally find Stage 2 comfortable; the surprises, if any, come from the governance layer.
A realistic plan for expanding
A sensible sequence: start with a control mapping and gap analysis against Annex A; stand up the management-system documents (scope, policy, objectives, risk method); run a formal risk assessment and produce the SoA; close the short list of gaps; then run an internal audit and management review before booking Stage 1 and Stage 2.
Because the controls are already live, much of this is documentation and governance work that can proceed in parallel with normal operations. Many companies complete the expansion in a fraction of the time their original SOC 2 took.
Sequencing the work this way keeps the expansion feeling like an add-on rather than a restart.
Make the most of the overlap
The strategic takeaway is to treat SOC 2 and ISO 27001 as two views of one security program, not two programs. Maintain a single control environment and evidence base, and produce each deliverable — the report and the certificate — from that shared foundation. Renewals then reinforce each other instead of competing for time.
This is precisely how ISpectra runs combined engagements: reusing your SOC 2 work to add ISO 27001 efficiently, including free VAPT, and applying a 10% multi-framework discount so the global certification costs far less as an extension than it would as a standalone project.
Add it once, maintain it together, and you cover both the North American and international markets from a single effort.
The bottom line
Expanding from SOC 2 to ISO 27001 is an extension, not a restart. Your controls, evidence, and tooling do most of the heavy lifting; the new work is the management-system layer — scope, policy, objectives, a formal risk assessment, internal audit, management review, and the Statement of Applicability.
Approached as one program with two outputs, the second credential is dramatically cheaper than the first and opens the international and enterprise doors that SOC 2 alone cannot. Map your controls, formalise the governance, close a short list of gaps, and book your Stage 1 and Stage 2 audits.
Done well, you end up with a single security program that produces both a SOC 2 report and an ISO 27001 certificate — the most efficient way to satisfy every market you sell into.