Compliance Feb 4, 2026 · 9 min read

SOC 2 + ISO 27001: how we got both certifications without doubling the work

Our CISO breaks down the unified control framework that let us achieve SOC 2 Type II and ISO 27001 in the same audit cycle, with one set of evidence.

Emma Thompson
CISO

Most companies treat SOC 2 and ISO 27001 as two separate projects. That’s a costly mistake. Here’s how we ran them as one.

The 80% overlap

Of the 114 ISO 27001 Annex A controls and the 100+ SOC 2 control activities, roughly 80% map cleanly to a single underlying control. The rest is mostly framing.

Our 4-step approach

  • Build a unified control catalog mapped to both frameworks.
  • Run a single internal audit cycle, generating one evidence package.
  • Engage one auditor licensed for both (yes, they exist).
  • Use Quays Audit Workspace to share the same evidence with both audit streams.