ISO 27001 vs. SOC 2: What Each Audit Checks
SOC 2 and ISO 27001 both prove that security controls exist, but they look at different things. SOC 2 checks controls around a specific service. ISO 27001 checks the company-wide security management system behind those controls.
SOC 2 and ISO 27001 often appear next to each other in enterprise security questionnaires. They are related, but they are not the same audit. SOC 2 is mainly about whether a specific service is operated securely. ISO 27001 is about whether the company has a working information security management system.
This article is a practical comparison: what each one checks, what evidence is usually needed, and which teams inside the company are involved.
The Short Version
- SOC 2 is an attestation report issued by a licensed CPA firm. It usually covers one product, platform, or service, described in the report as the system under review. The report is shared with customers under NDA.
- ISO 27001 is a certification issued by an accredited certification body. It covers the company's information security management system within a defined scope.
- SOC 2 answers: can customers trust this service to protect their data?
- ISO 27001 answers: does the company manage information security in a structured, repeatable way?
What SOC 2 Checks
SOC 2 uses the AICPA Trust Services Criteria. Security (the Common Criteria) is required in every SOC 2 report. Availability, Confidentiality, Processing Integrity, and Privacy are optional categories added when they match the service and the customer requirement.
- Access control: SSO, MFA, least privilege, privileged access, and access reviews.
- Change management: code review, deployment approvals, production change history, and rollback process.
- System operations: monitoring, alerting, backup jobs, recovery tests, and production runbooks.
- Incident response: documented process, severity levels, ownership, incident records, and post-incident reviews.
- Vendor management: which vendors are used, what data they touch, and how they are reviewed.
- Data protection: encryption, key management, data retention, and secure deletion where relevant.
A Type I report checks whether the controls are designed correctly at one point in time. A Type II report checks whether those controls operated effectively over a review period, typically 3 to 12 months. Enterprise customers usually ask for the Type II.
What ISO 27001 Checks
ISO 27001 checks the Information Security Management System, usually called the ISMS. The ISMS is the company's operating model for security: scope, risks, policies, controls, internal audits, leadership review, and improvement.
- ISMS scope: which teams, systems, products, offices, and cloud environments are included.
- Risk assessment: how the company identifies, rates, accepts, and treats security risks.
- Statement of Applicability: which ISO 27001 Annex A controls apply, which do not, and why.
- Policies and procedures: access control, asset management, incident response, supplier security, backup, logging, acceptable use, and business continuity.
- Internal audit and management review: proof that the company reviews the ISMS and improves it.
- Corrective actions: how nonconformities are documented, assigned, fixed, and verified as closed.
The Main Difference
SOC 2 goes deeper into the controls around a service. The auditor wants to see how the service is built, operated, monitored, changed, and protected during the audit period.
ISO 27001 goes broader across the company. The auditor wants to see that security is managed as a repeatable business process, with leadership involvement, risk management, internal review, and continuous improvement.
Departments Involved
Neither audit belongs only to DevOps or security. The technical team produces a lot of evidence, but several departments are usually involved.
- Engineering, DevOps, and cloud teams: AWS configuration, CI/CD controls, logging, monitoring, backup, vulnerability management, incident response, and production access.
- Security, compliance, or GRC: policies, risk register, evidence collection, control owners, audit coordination, and remediation tracking.
- IT: identity provider, MFA, device management, employee onboarding and offboarding, endpoint security, and internal access reviews.
- HR or People: security training, employee lifecycle records, role changes, disciplinary process, and background checks where applicable.
- Legal and privacy: customer agreements, data processing terms, privacy notices, subprocessors, vendor contracts, and privacy requests.
- Procurement and vendor owners: vendor list, vendor risk reviews, contract approvals, and follow-up on supplier issues.
- Leadership: policy approval, risk acceptance, management review, budget, and ownership of major security decisions. ISO 27001 makes this explicit: Clause 5 requires top management to demonstrate commitment to the ISMS, and auditors look for evidence of it.
- Sales and customer success: customer security questionnaires, sharing the SOC 2 report under NDA, and explaining the certified ISO 27001 scope.
Evidence Auditors Ask For
- Approved security policies and proof that employees know them.
- Access review exports from the identity provider, AWS, GitHub, production databases, and support tools.
- MFA and SSO configuration screenshots or automated evidence from the compliance platform.
- Pull requests, approvals, deployment logs, change tickets, and emergency change records.
- CloudTrail, GuardDuty, Security Hub, AWS Config, Inspector, backup jobs, and alert history.
- Incident records, tabletop exercises, post-incident reviews, and customer notification procedures.
- Vendor reviews, subprocessors, signed contracts, and proof that critical vendors are reviewed periodically.
- For ISO 27001 specifically: ISMS scope, risk register, risk treatment plan, Statement of Applicability, internal audit results, management review minutes, and corrective action records.
- For SOC 2 specifically: system description, service commitments, trust criteria in scope, control matrix, and evidence from the Type I or Type II review period.
AWS Controls That Usually Support Both
- IAM Identity Center with MFA, least privilege, permission sets, and periodic access reviews.
- CloudTrail enabled across accounts and regions (an organization trail with multi-region enabled), with log file validation turned on and the log bucket protected from deletion by a restrictive bucket policy, S3 Object Lock, or MFA delete.
- KMS encryption for S3, RDS, EBS, DynamoDB, backups, and secrets.
- AWS Config, Security Hub, GuardDuty, and Inspector for configuration checks, security findings, and vulnerability evidence.
- AWS Backup, restore testing, and documented recovery objectives.
- Infrastructure as code, pull request reviews, deployment approvals, and clear separation between development and production.
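Two items above, the access review export under "Evidence Auditors Ask For" and the CloudTrail configuration in this list, are the ones most teams end up producing by hand with screenshots. The script below is an added example, not code from the original article or from any compliance platform, showing how that evidence can be generated as findings instead. It reads a constructed IAM credential report (the CSV that `aws iam get-credential-report` returns) and constructed trail records in the shape of `aws cloudtrail describe-trails`; the 90-day thresholds are an assumed internal policy rather than anything SOC 2 or ISO 27001 prescribes, and the account ID and key ID are placeholders.

```python
"""Added example (not from the original article): turn two audit evidence
sources into pass/fail findings.
  1. IAM credential report CSV -> access review findings (MFA, key age, unused keys).
  2. A describe-trails record     -> CloudTrail logging control findings.
Inputs are constructed samples; the 90-day thresholds are an assumed policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90    # assumed rotation policy
KEY_UNUSED_DAYS = 90     # assumed threshold for "stale, remove it"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed report: only the credential-report columns this check reads.
# The real report has more columns; csv.DictReader ignores the extras.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T00:00:00+00:00,2024-05-30T11:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-12-01T00:00:00+00:00,2024-05-31T07:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2024-01-01T00:00:00+00:00,N/A,true,2024-05-15T00:00:00+00:00,2024-05-31T23:00:00+00:00
"""

# Constructed trail records in the shape of describe-trails' trailList.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "IsOrganizationTrail": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"Name": "legacy-trail", "S3BucketName": "example-cloudtrail-logs",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IsOrganizationTrail": False},
]


def _parse_ts(value):
    """Credential report timestamps are ISO 8601; the N/A-style markers mean 'none'."""
    if not value or value in ("N/A", "not_supported", "no_information"):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now=NOW):
    """Return (user, control, detail) findings; an empty list means the review is clean."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Anyone who can log in to the console (root included) must have MFA.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "mfa", "console access without MFA"))
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root-key", f"{slot} active on the root account"))
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            if rotated and now - rotated > timedelta(days=KEY_MAX_AGE_DAYS):
                findings.append((user, "key-rotation", f"{slot} is {(now - rotated).days} days old"))
            # A key never used since creation is measured from its creation date.
            reference = last_used or rotated
            if reference and now - reference > timedelta(days=KEY_UNUSED_DAYS):
                findings.append((user, "key-unused", f"{slot} unused for {(now - reference).days} days"))
    return findings


REQUIRED_TRAIL_FLAGS = {
    "IsMultiRegionTrail": "trail does not cover all regions",
    "LogFileValidationEnabled": "no digest files, so log tampering is not detectable",
    "IsOrganizationTrail": "trail does not cover every account in the organization",
}


def check_trail(trail):
    """Evaluate one describe-trails record. Bucket-level deletion protection
    (bucket policy, Object Lock, MFA delete) is not in this record and needs
    a separate S3 check."""
    findings = []
    for flag, detail in REQUIRED_TRAIL_FLAGS.items():
        if not trail.get(flag, False):
            findings.append((trail["Name"], flag, detail))
    if not trail.get("KmsKeyId"):  # absent means default SSE-S3, not a KMS key
        findings.append((trail["Name"], "KmsKeyId", "log files not encrypted with a KMS key"))
    return findings


if __name__ == "__main__":
    for finding in review_credential_report(SAMPLE_REPORT):
        print("IAM       ", *finding)
    for trail in SAMPLE_TRAILS:
        for finding in check_trail(trail):
            print("CloudTrail", *finding)
```

Against a real account, feed `review_credential_report` the decoded output of `aws iam get-credential-report --query Content --output text | base64 -d` (the content field is base64-encoded) and `check_trail` each entry of `boto3.client("cloudtrail").describe_trails()["trailList"]`. Run on a schedule and kept with its output, the findings list is the periodic access review and the logging control evidence in one artifact, with the reviewer's decisions (key removed, exception accepted) recorded against each line.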
What They Do Not Prove
- SOC 2 does not certify the whole company. It covers the system and criteria defined in the report.
- ISO 27001 does not prove every product control is perfect. It proves the ISMS is certified within the defined scope.
- Neither audit replaces secure engineering. They prove that the controls in scope exist, are documented, and were operated as described during the audit period, not that the service is free of vulnerabilities.
How We Help
We help companies prepare the AWS and engineering side of SOC 2 and ISO 27001: identity, logging, monitoring, encryption, backups, CI/CD controls, evidence automation, and audit support.
We also help translate the technical controls into language that auditors and non-technical departments can work with, so the audit does not become a last-minute evidence hunt.
