Pre-audit preparation that produces the control library, evidence runbooks, and gap analysis your auditor expects to see on day one.
SOC 2 Trust Services Criteria mapped to ISO 27001:2022 Annex A. One control library, two frameworks.

A one-time engagement preparing your email infrastructure for SOC 2 Type II attestation, ISO 27001:2022 certification, or both. The deliverables: dual-framework control mapping covering SOC 2 Trust Services Criteria (Security mandatory plus your selected criteria from Availability, Processing Integrity, Confidentiality, Privacy) and ISO 27001:2022 Annex A controls (93 controls across Organizational, People, Physical, and Technological themes); control-evidence cross-walk identifying which technical artefacts satisfy which controls in which framework; pre-audit gap analysis identifying controls without sufficient current evidence; evidence collection runbooks documenting how to produce ongoing evidence for each control during the Type II observation window; Statement of Applicability (SoA) draft for ISO 27001 documenting included controls and exclusion rationale; auditor coordination preparation including expected questions, evidence inventories, and walkthrough planning; risk assessment and risk treatment plan templates aligned with ISO 27001 ISMS requirements. One-time engagement EUR 2,499, delivery in 14 business days. This service prepares for audit; it does not provide the audit attestation itself, which must come from an independent CPA firm (SOC 2) or accredited certification body (ISO 27001).

SOC 2 is an attestation report issued by an independent CPA firm against the AICPA Trust Services Criteria. It evaluates your service organization's controls protecting customer data. SOC 2 Type I evaluates design at a point in time; SOC 2 Type II evaluates design and operating effectiveness over a 6-12 month observation window. SOC 2 reports are confidential (shared under NDA with customers), valid 12 months, and dominant in North American enterprise procurement. ISO 27001 is an international certification issued by an accredited certification body against the ISO/IEC 27001:2022 standard. It evaluates your Information Security Management System (ISMS) including documented policies, risk assessment, risk treatment, and 93 Annex A controls. Certification is public, valid three years with annual surveillance audits, and more common in European, government, and international procurement. The 2026 sequencing advice: if most customers are North American, start with SOC 2; if European or international, start with ISO 27001; if global, plan for both (the 65-75% control overlap means the second framework is incremental effort after the first).

Building controls and evidence once such that the same artefacts satisfy both frameworks rather than running two separate compliance projects. The mechanism: 65-75% of SOC 2 Common Criteria map directly to ISO 27001:2022 Annex A controls per the AICPA cross-walk and the CyberSierra March 2026 mapping guide. Access control (SOC 2 CC6.1 maps to ISO A.5.15 and A.8.2), incident response (SOC 2 CC7.4 maps to ISO A.5.26), change management (SOC 2 CC8.1 maps to ISO A.8.32), vendor management (SOC 2 CC9.2 maps to ISO A.5.19-5.22), cryptography (SOC 2 CC6.7 maps to ISO A.8.24), encryption in transit and at rest, monitoring and logging, secure development, and physical security all overlap substantially. The engagement produces a single control library with each control mapped to both frameworks, each piece of evidence tagged with both control IDs, and each policy document satisfying both required language requirements. The default-to-stricter rule applies: where ISO requires quarterly evidence and SOC 2 requires annual, we set the cadence quarterly to satisfy both.

ISO/IEC 27001:2022 is the current version of the standard, mandatory for all new certifications and recertifications since October 2025. It supersedes ISO 27001:2013 which had 114 controls in 14 categories; the 2022 revision reorganises controls into 93 controls across four themes (Organizational, People, Physical, and Technological) and adds 11 new controls covering threat intelligence (A.5.7), information security for cloud services (A.5.23), ICT readiness for business continuity (A.5.30), physical security monitoring (A.7.4), configuration management (A.8.9), information deletion (A.8.10), data masking (A.8.11), data leakage prevention (A.8.12), monitoring activities (A.8.16), web filtering (A.8.23), and secure coding (A.8.28). Operations certified under 27001:2013 had until October 2025 to transition to 27001:2022; any new engagements in 2026 build directly against the 2022 standard.

Three distinct timelines depending on framework and starting posture. SOC 2 Type I (design only): 1-2 months from this engagement completion to audit kickoff, 4-8 weeks audit duration, report issued within 30 days of fieldwork completion. SOC 2 Type II (design plus operating effectiveness): minimum 6-month observation window after this engagement plus audit completion, typically 8-14 months total from engagement to issued report. ISO 27001 (Stage 1 plus Stage 2): 3-6 months from this engagement to Stage 1 readiness review, 1-3 months between Stage 1 and Stage 2 to address findings, Stage 2 audit then 2-4 weeks for certification decision, typically 4-9 months total. The engagement positions you to begin the audit process immediately upon completion; the audit timeline itself depends on the auditor or certification body schedule and the framework-specific observation requirements. For SOC 2 Type II specifically, the operating effectiveness window cannot be compressed below 6 months regardless of preparation quality.

The ISMS management system wrapper is the structural difference between SOC 2 and ISO 27001 that surprises operations approaching ISO from a SOC 2 background. SOC 2 evaluates whether you have effective controls against the Trust Services Criteria. ISO 27001 evaluates whether you have effective controls AND a documented management system that maintains those controls over time. The management system requires: documented information security policy approved by leadership, documented risk assessment methodology, risk assessment performed and documented, risk treatment plan with explicit risk acceptance decisions, Statement of Applicability listing all 93 Annex A controls with included/excluded status and exclusion rationale, internal audit program with documented internal audit reports, management review meetings with minutes and action items, continuous improvement records, and document control with version history. Organizations coming from SOC 2 often have the technical controls but lack the management system structure. The engagement produces all the management system documentation templates required, including the SoA, risk treatment plan, internal audit calendar, and management review template, sized appropriately for email infrastructure operations rather than a Fortune 500.

The gap analysis evaluates your current operational state against each control in your chosen framework(s) and identifies where evidence is sufficient versus where remediation is needed before audit. The process: control-by-control walkthrough with operational team members reviewing what currently exists; evidence inventory documenting the specific artefacts (logs, screenshots, configuration files, policy documents, training records) that support each control; gap rating per control (sufficient, partial, missing) with severity weighting based on audit impact; remediation recommendations for each gap with effort estimates and proposed timelines; mock auditor questions for each control area predicting what the auditor will ask and identifying weak evidence; readiness scorecard summarising overall posture and audit timing recommendation. The gap analysis is the deliverable that determines whether you should schedule audit immediately, run 2-3 months of remediation first, or pause for 6-12 months of foundational work before audit kickoff. Honest gap analysis is more valuable than optimistic gap analysis; the engagement is structured to surface real issues rather than minimise them for cosmetic readiness.

Five exclusions worth being explicit about. First: the audit itself. SOC 2 attestation must be issued by an independent CPA firm; ISO 27001 certification must be issued by an accredited certification body (UKAS, ANAB, or equivalent national accreditation in your jurisdiction). We prepare you for audit; we do not perform audit. Second: ongoing compliance operations after audit. Maintaining controls during the Type II observation window or the ISO surveillance audit periods is operational work; this engagement produces the foundation but not the ongoing maintenance. Third: legal counsel on data protection or contractual matters. Compliance frameworks intersect with GDPR, CCPA, HIPAA, and other regulatory regimes; legal interpretation requires qualified counsel which we are not. Fourth: penetration testing or vulnerability assessment. Both frameworks expect technical security testing as evidence; this engagement coordinates with external testing providers rather than performing the testing itself. Fifth: auditor selection or referral. We can advise on selection criteria but the auditor relationship is yours to establish directly with the audit firm.