Free tool
ISO 27001 to SOC 2 control mapper
See how ISO/IEC 27001:2022 Annex A controls relate to the SOC 2 Trust Services Criteria, in both directions, with a confidence rating and a caveat on every mapping. A curated, hand-verified subset of the highest-value control areas to orient a crosswalk, not an authoritative or exhaustive mapping.
Identifiers are framework-derived; descriptions are original editorial content. Refer to ISO/IEC 27001:2022 (via your national standards body) and the AICPA Trust Services Criteria for official wording.
Organizational (A.5)
People (A.6)
Physical (A.7)
Technological (A.8)
Select an ISO 27001 control to see how it relates to the other framework.
Important
This tool is an editorial cross-reference aid to orient a mapping exercise, not an authoritative crosswalk, an audit, or a statement of conformity. The frameworks do not map one to one; mappings are judgement calls shown with a confidence rating. Confirm what evidence satisfies which criterion with your team and your auditor.
Frequently asked questions
Is this an authoritative ISO 27001 to SOC 2 crosswalk?
No. It is an editorial cross-reference to orient your own mapping work. The two frameworks do not line up one to one, mappings are judgement calls, and your auditor's view of what evidence satisfies which criterion is what ultimately matters. Each mapping carries a confidence rating and a caveat.
Why doesn't every control map cleanly?
ISO 27001 Annex A is a catalogue of 93 controls; SOC 2 is a set of criteria a CPA firm tests. One ISO control often relates to several SOC 2 criteria and vice versa, and SOC 2 has no direct equivalent for some ISO controls (and the reverse). Partial mappings explain where the fit is loose.
Does it cover the Availability, Confidentiality, and Privacy criteria?
It references the Availability and Confidentiality criteria where ISO controls relate to them, but those apply only if you include those categories in your SOC 2 report scope. Most SOC 2 reports cover the Security (common criteria) category; the others are optional.
Are these the official ISO and SOC 2 titles?
No. We deliberately do not reproduce ISO/IEC 27001:2022 Annex A control titles or the AICPA Trust Services Criteria text. We use only the identifier (e.g. A.8.15, CC7.2) plus our own plain-English description. Refer to the standards from your national standards body and the AICPA for the official wording.
Is this a curated subset or the full mapping?
A curated, hand-verified subset of the highest-value control areas, on purpose. A wide, lightly checked crosswalk would be less trustworthy than a tighter, verified one. Use it as a starting point and confirm the full mapping for your scope with your team and auditor.
By ISMS Copilot.
