There is a lot of overlap between ISO 27001:2022 and SOC 2. So, if your organisation has an ISO 27001-conformant ISMS in place, this will be a great starting point for meeting the requirements of SOC 2, although some extra effort will be required to become fully compliant. As a very rough ‘rule of thumb’, having an ISMS that is fully conformant to ISO 27001 represents around 75% of what will be required to achieve a successful SOC 2 audit. However, further work will be needed to ensure that you can fully evidence the operational effectiveness of your information security controls over the defined reporting period, and to ensure that you have appropriate processes and controls in place for the areas of people management, organisational governance and communication that are not included in ISO 27001.
From beginning to end URM made achieving PCI compliance incredibly easy & worked with us to educate us on the requirements. They were always available for a call whenever we needed to discuss queries along the way & were always flexible to our internal deadlines. We would highly recommend URM from a consultancy & auditing perspective.
Prize competition business
Planning for SOC 2 or reviewing your readiness?
Whether you are at an early planning stage or preparing for an assessment, we offer a free introductory call to help you understand expectations, risks, and the most proportionate route forward. No obligation, just clear and practical advice.
Find out more
related BLog
Preparing for a Successful SOC 2 Audit
Published on
17 Oct
2025
URM’s blog offers key advice on what to expect from your SOC 2 audit in practice, the types of evidence you will need to provide, how best to prepare, and more.
Read more
Information Security
Published on
29/8/2025
SOC 2 ExplainedURM’s blog answers key questions about SOC 2, including what it is & who it applies to, why it is beneficial, how SOC 2 reports are structured & more.
Read more
"
It’s one thing having the required technical knowledge, it’s another thing for a consultant to apply that knowledge to the context of our organisation. To use a sporting analogy, we view cyber and information security as a marathon not a sprint. I am not a believer in doing everything all at once. Our approach has been risk based and incremental, remediating our biggest risks first before moving on. I believe this approach is far more sustainable and effective. And URM’s consultants fully understand this and are very pragmatic and tailored in their guidance and advice. They know we are not implementing ISO 27001 purely for the certificate, but more as a framework for continual improvement, and at a pace where new systems and processes can be fully understood and absorbed by our team and be business as usual.
The Owners and Distributors of Quality Brands
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.