SOC 2 Type II + ISO 27001 + ISO 27701: what the combination actually proves
What the combination of SOC 2 Type II, ISO 27001, and ISO 27701 actually proves — a buyer's-guide explainer.
When a vendor presents SOC 2 Type II, ISO 27001, and ISO 27701 certifications together, the compliance documentation package looks impressive. But what does the combination actually prove — and how should a buyer read it? This post is a practical guide to what each framework covers, why the combination matters, and what to verify when a vendor claims to hold all three.
Our own program is aligned to all three frameworks; formal certification across each is on our roadmap. We wrote this as a buyer’s guide because the question we hear most from procurement teams isn’t “do you have these certifications” — it’s “what do they mean and what should I actually look at?”
Why one certification isn’t enough
A single compliance certification is a vendor’s assertion that a specific auditor, using a specific framework, at a specific point in time, found the controls examined to be in place. Each part of that sentence limits what it proves.
A specific auditor. Audit quality varies. A SOC 2 report from a firm conducting a thorough, adversarial engagement is more compelling evidence than a report from a firm performing a checkbox exercise against a vendor-provided control list. The report doesn’t advertise which engagement it was. Multiple frameworks from multiple audit bodies reduce the risk that any single lax audit is the only thing standing between a customer and a false sense of security.
A specific framework. No single compliance framework covers everything. SOC 2 is broad but silent on many privacy specifics. ISO 27001 is strong on information security management systems but wasn’t designed with data controller/processor accountability in mind. HIPAA covers PHI in the US but has nothing to say about organizational information security management. Multiple frameworks provide overlapping and complementary coverage.
A specific point in time. A Type I report covers controls at a point in time. A Type II report covers controls over an observation period — typically 12 months. But even a Type II report becomes stale. A vendor with a SOC 2 Type II report that’s two years old represents a different risk posture than one with a current report. Ongoing certifications provide better assurance than one-time snapshots.
The controls examined. Every framework is scoped. SOC 2 is scoped to the Trust Services Criteria the vendor selected and the systems in scope. ISO 27001 is scoped to the ISMS boundary the vendor defined. A vendor can pass SOC 2 while having significant security gaps in systems excluded from scope. The combination of multiple frameworks with different scoping approaches makes it harder to hide gaps.
What each framework covers
SOC 2 Type II is an attestation report produced under AICPA AT-C Section 205, evaluating controls against the Trust Services Criteria (TSC). The five TSC categories are Security (CC), Availability (A), Processing Integrity (PI), Confidentiality (C), and Privacy (P). SOC 2 is flexible: the vendor chooses which TSC categories to include in scope (Security is always required; the others are optional). The report covers the design and operating effectiveness of controls over an observation period, typically 6–12 months.
What SOC 2 proves well: that specific controls were operating effectively over the observation period, as observed by an independent auditor. The Type II report is the strongest evidence for control operating effectiveness over time.
What SOC 2 doesn’t prove well: the comprehensiveness of the control environment. The vendor defines the scope; an auditor who finds the controls within that scope to be effective isn’t attesting to the controls outside scope. The Privacy TSC (P) in SOC 2 covers privacy commitments but is less granular than a dedicated privacy framework.
ISO 27001 is an international standard for information security management systems (ISMS), published by ISO/IEC. A certified organization has established, implemented, maintained, and continually improved an ISMS that meets the standard’s requirements, as verified by an accredited certification body. Annex A contains 93 controls across four categories that map into the ISMS.
What ISO 27001 proves well: that the vendor has a systematic, documented approach to information security management with management commitment, risk assessment processes, defined objectives, and continuous improvement. The Annex A controls cover physical security, access control, cryptography, incident management, supplier relationships, and business continuity at a depth SOC 2 doesn’t prescribe.
What ISO 27001 doesn’t prove well: operating effectiveness over time at the granularity of individual control events. ISO 27001 certification is based on assessment against the standard; it’s not a transaction-level audit log of what happened over an observation period. It also doesn’t address privacy-specific obligations like data subject rights, lawful basis for processing, or data processor accountability in depth.
ISO 27701 is an extension to ISO 27001, published as ISO/IEC 27701:2019. It extends the ISMS framework to address privacy information management, creating what the standard calls a Privacy Information Management System (PIMS). ISO 27701 adds requirements and guidance for Privacy Information Controllers (PICs) and Privacy Information Processors (PIPs) — organizations that collect and process personal data, and organizations that process personal data on behalf of controllers, respectively.
Annex A of ISO 27701 adds 31 PIMS-specific controls for PICs. Annex B adds 18 PIMS-specific controls for PIPs. The combined Annex A and B controls cover: defining purposes for personal data processing; collecting only what’s necessary; respecting data subject rights; maintaining accurate data; defining retention periods; handling data subject requests; managing privacy incidents; and implementing privacy-by-design principles.
The privacy-coverage gap ISO 27701 closes
This is where the combination earns its complexity overhead.
SOC 2’s Privacy TSC (P) covers privacy commitments — the statements a vendor makes about how it will handle personal data. It evaluates whether the vendor notifies data subjects, collects only consented data, gives subjects access to their data, corrects errors, and so on. This is meaningful but relatively shallow: it examines the commitments and the controls around those commitments, not a deep operational framework for privacy management.
ISO 27001 Annex A has several controls that touch privacy (A.5.34 Privacy and protection of personally identifiable information; various A.8 technology controls) but these are components within a broader ISMS, not a systematic privacy management framework.
Neither framework provides a structured approach to the data processor accountability question: when a vendor processes personal data on behalf of customers (as a data processor), what specific operational obligations does that create? What policies, procedures, and technical controls govern how the processor handles data subject requests forwarded by the controller? How are processor-side privacy incidents documented and reported to the controller?
ISO 27701 Annex B answers these questions directly. For a file-transfer vendor that processes regulated personal data on behalf of customers, the PIP controls in ISO 27701 Annex B create specific, audited obligations around:
- Processing only to the instructions of the controller (customers)
- Assisting the controller in meeting data subject rights obligations
- Engaging sub-processors only with the controller’s authorization and with equivalent obligations
- Supporting security incident notification to the controller
- Returning or deleting personal data at end of engagement
This is the gap the SOC 2 Privacy TSC and ISO 27001 leave open. A customer that handles PHI, CUI, or financial records and needs to evaluate their file-transfer vendor’s privacy operational posture — not just their security controls — needs ISO 27701 coverage to complete the picture.
How to read a vendor’s combined evidence package
When a vendor presents SOC 2 + ISO 27001 + ISO 27701 documentation, here’s what to verify:
Current reports and certificates. SOC 2 Type II reports should be from an observation period ending within the past 12 months. ISO 27001 and ISO 27701 certificates should have current validity dates and should not have been suspended. Ask for the most recent surveillance audit date for ISO certifications.
Scope alignment. The scope of each certification should match the systems that handle your data. A vendor’s SOC 2 report scoped to their US-East region doesn’t cover their US-West region. ISO 27001 scope should explicitly include the systems and locations where your transfers are processed and stored.
Auditor identity and accreditation. For SOC 2, the CPA firm should be identifiable. For ISO 27001 and 27701, the certification body should be accredited by an IAF-recognized national accreditation body. Accreditation matters: an ISO certificate from an unaccredited certification body provides weak assurance.
Annex coverage. For ISO 27001, verify that the certification covers the relevant Annex A control domains — not just security management but also supplier relationships, incident management, and access control. For ISO 27701, verify that both PIC and PIP Annexes are in scope if the vendor processes data on your behalf.
Customer responsibilities. Every framework separates vendor responsibilities from customer responsibilities. SOC 2 reports include “complementary user entity controls” (CUECs) — controls the customer must implement for the vendor’s controls to be effective. Read the CUECs; they describe what the vendor is assuming you have in place. If you don’t have those controls, the audit report’s assurance doesn’t apply to your deployment.
The bridge between frameworks. Ask the vendor how their ISO 27001 Annex A controls map to the AICPA Trust Services Criteria in their SOC 2 report. Gaps in that mapping are gaps in overall coverage. A vendor with a mature compliance program can produce this mapping readily.
What this means for vendor evaluation
The combination of SOC 2 Type II, ISO 27001, and ISO 27701 — when a vendor genuinely holds all three with current, accredited certifications — is the most complete picture currently available from standard frameworks for a file-transfer vendor processing regulated personal data. It’s not a guarantee — compliance documentation is not the same as security — but it represents genuine operational commitment to maintaining controls that have been independently verified across different dimensions.
When evaluating vendors, ask for specifics: current report dates, scope documentation, auditor accreditation, and CUECs. A vendor who can answer all of those questions readily, with current evidence, represents a different risk posture than one who presents summary marketing claims. The certification matters less than the evidence behind it.
Takeaway
SOC 2 Type II demonstrates operating effectiveness over an observation period. ISO 27001 demonstrates systematic security management. ISO 27701 closes the privacy-coverage gap by creating audited data processor accountability — specifically the Annex B PIP controls covering data subject rights, sub-processor management, and privacy incident notification. When evaluating vendor evidence packages, verify current reports, scope alignment, accreditation, and the CUECs that define what you need to have in place for the attestation to apply to your deployment.