Control Mapping Matrix (SOC 2 ↔ ISO 27001)

Property	Value
Document ID	RISK-004
Version	1.0
Status	Draft
Owner	Chief Information Security Officer (CISO)
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: All / ISO 27001: All

---

1. Purpose

This matrix maps SOC 2 Trust Services Criteria to ISO 27001:2022 Annex A controls, enabling efficient dual-framework compliance. It identifies control overlap and helps demonstrate coverage for audits.

---

2. Framework Overview

SOC 2 Trust Services Criteria Categories

Code	Category	Description
CC	Common Criteria	Core security controls (applies to all criteria)
A	Availability	System availability commitments
C	Confidentiality	Confidentiality of information
PI	Processing Integrity	Accuracy of system processing
P	Privacy	Personal information protection

ISO 27001:2022 Control Domains

Domain	Description	# Controls
A.5	Organizational Controls	37
A.6	People Controls	8
A.7	Physical Controls	14
A.8	Technological Controls	34

---

3. Control Mapping Matrix

CC1 - Control Environment

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC1.1	COSO principle 1: Integrity and ethical values	A.5.1, A.5.4	POL-001, Code of Conduct
CC1.2	COSO principle 2: Board oversight	A.5.4	Board/Exec meeting minutes
CC1.3	COSO principle 3: Management structure	A.5.2, A.5.4	Org chart, job descriptions
CC1.4	COSO principle 4: Commitment to competence	A.6.1, A.6.3	Job descriptions, training records
CC1.5	COSO principle 5: Accountability	A.5.2, A.5.4	Responsibility assignments

CC2 - Communication and Information

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC2.1	Information quality	A.5.10, A.5.33	Data governance, retention
CC2.2	Internal communication	A.5.1, A.6.3	Policy distribution, training
CC2.3	External communication	A.5.5, A.5.6	Contact procedures, public info

CC3 - Risk Assessment

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC3.1	Risk objectives	A.5.1, 6.1.2	Risk appetite, policy
CC3.2	Risk identification	6.1.2, 8.2	RISK-001 Risk Assessment
CC3.3	Fraud risk assessment	6.1.2, 8.2	Risk register
CC3.4	Change identification	6.1.2, A.8.32	Change management

CC4 - Monitoring Activities

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC4.1	Ongoing monitoring	A.8.15, A.8.16, 9.1	POL-007 Logging
CC4.2	Deficiency evaluation	A.5.35, A.5.36, 9.2, 9.3	Internal audit, management review

CC5 - Control Activities

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC5.1	Control selection	6.1.3, A.5.1	Control framework
CC5.2	Technology controls	A.8.1-A.8.34	PROC-003 Secure Config
CC5.3	Policy deployment	A.5.1, A.5.37	Policies, procedures

CC6 - Logical and Physical Access

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC6.1	Access security	A.5.15, A.8.2, A.8.3	POL-002, PROC-001
CC6.2	User registration	A.5.16, A.5.18	PROC-001 Provisioning
CC6.3	User deprovisioning	A.5.11, A.5.18	PROC-001 Offboarding
CC6.4	Physical access	A.7.1, A.7.2, A.7.3	Physical security
CC6.5	Information protection	A.5.12, A.5.13, A.8.10	POL-005 Data Classification
CC6.6	Authentication	A.5.17, A.8.5	POL-003, PROC-002 MFA
CC6.7	Encryption	A.8.24	POL-004 Encryption
CC6.8	Transmission security	A.5.14, A.8.24	TLS requirements

CC7 - System Operations

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC7.1	Vulnerability management	A.8.8	PROC-004 Patching
CC7.2	Security monitoring	A.8.15, A.8.16	POL-007 Logging
CC7.3	Incident detection	A.5.24, A.5.25	POL-008 Incident Response
CC7.4	Incident response	A.5.26, A.5.27	PROC-005 Playbook
CC7.5	Recovery	A.5.29, A.5.30, A.8.13	POL-009 Backup

CC8 - Change Management

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC8.1	Change authorization	A.8.32	POL-006 Change Management

CC9 - Risk Mitigation

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
CC9.1	Risk mitigation	6.1.3, 8.3	RISK-002 Treatment Plan
CC9.2	Vendor management	A.5.19-A.5.22	POL-010 Third-Party

---

4. Availability Criteria (A)

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
A1.1	Capacity management	A.8.6	Monitoring, auto-scaling
A1.2	Recovery operations	A.5.29, A.5.30, A.8.13, A.8.14	POL-009, DR procedures
A1.3	Recovery testing	A.5.30	DR test results

---

5. Confidentiality Criteria (C)

SOC 2 Criterion	Description	ISO 27001 Controls	Evidence/Policy
C1.1	Confidentiality classification	A.5.12, A.5.13	POL-005 Data Classification
C1.2	Confidential information disposal	A.8.10, A.7.14	Secure disposal procedure

---

6. Policy to Control Mapping

Policy/Procedure	SOC 2 Criteria	ISO 27001 Controls
POL-001 Information Security	CC1.1-CC1.5, CC2.2, CC5.1	A.5.1, A.5.2, A.5.4
POL-002 Access Control	CC6.1-CC6.3, CC6.6	A.5.15-A.5.18, A.8.2-A.8.3
POL-003 Password & Auth	CC6.6	A.5.17, A.8.5, A.9.4
POL-004 Encryption	CC6.7, CC6.8	A.8.24
POL-005 Data Classification	CC6.5, C1.1-C1.2	A.5.12, A.5.13, A.8.10-A.8.11
POL-006 Change Management	CC8.1	A.8.32
POL-007 Logging & Monitoring	CC4.1, CC7.2	A.8.15, A.8.16
POL-008 Incident Response	CC7.3, CC7.4	A.5.24-A.5.28
POL-009 Backup & Recovery	CC7.5, A1.2-A1.3	A.5.29-A.5.30, A.8.13-A.8.14
POL-010 Third-Party Security	CC9.2	A.5.19-A.5.23
PROC-001 Access Provisioning	CC6.2, CC6.3	A.5.16, A.5.18
PROC-002 MFA Configuration	CC6.6	A.8.5
PROC-003 Secure Configuration	CC5.2, CC6.7, CC7.1	A.8.9, A.8.20-A.8.22
PROC-004 Vulnerability Mgmt	CC7.1	A.8.8
PROC-005 Incident Playbook	CC7.4	A.5.26

---

7. Evidence Mapping by Control

Control Area	Evidence Types	Collection Frequency
Access Control (CC6)	Access reviews, provisioning tickets, IdP configs	Quarterly
Authentication (CC6.6)	MFA enrollment reports, policy configs	Quarterly
Encryption (CC6.7)	TLS scans, encryption configs	Quarterly
Logging (CC7.2)	SIEM configs, sample logs	Monthly
Incident Response (CC7.4)	Incident tickets, post-mortems	Per incident
Change Management (CC8.1)	Change tickets, deployment logs	Monthly
Vulnerability Mgmt (CC7.1)	Scan reports, remediation tickets	Weekly
Backup (CC7.5)	Backup logs, restore tests	Monthly
Vendor Management (CC9.2)	Assessments, contracts	Annually
Training (CC1.4)	Training completion records	Annually

---

8. Audit Preparation Checklist

SOC 2 Readiness

• All CC criteria addressed
• Policies documented and approved
• Evidence for 12-month period (Type II)
• Access reviews completed quarterly
• Incident response tested
• Penetration test completed
• Vendor assessments current

ISO 27001 Readiness

• Statement of Applicability complete
• Risk assessment documented
• Risk treatment plan in place
• Internal audit completed
• Management review conducted
• All applicable controls implemented
• Corrective actions tracked

---

9. Related Documents

• Statement of Applicability (RISK-003)
• SOC 2 Controls Overview (FW-001)
• ISO 27001 ISMS Overview (FW-002)
• Evidence & Audit Log Tracker (RISK-005)

---

10. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Team	Initial release

---

This document is classified as INTERNAL. Unauthorized distribution is prohibited.