TPRM · 9 June 2026 · 9 min read

SOC 2 vs ISO 27001: What Each Actually Proves About a Vendor

By ArvexLab Team — Compliance Research

The one-line difference

A SOC 2 is an *attestation report* written by an auditor: you read it. An ISO 27001 is a *certificate*: you verify it. Both are strong signals that a vendor takes security seriously — but they prove different things, and reading them the wrong way gives false comfort.

SOC 2, explained

SOC 2 (System and Organization Controls 2) is an AICPA attestation based on the Trust Services Criteria: Security (always included), plus optionally Availability, Processing Integrity, Confidentiality and Privacy.

  • Type I assesses whether controls are *suitably designed* at a single point in time.
  • Type II assesses whether they *operated effectively* over a review period (commonly 3–12 months).

A SOC 2 is an opinion from a licensed CPA firm, not a certificate. The report contains the auditor's opinion, management's assertion, a system description, the controls with the tests performed and their results, any exceptions (deviations), the treatment of subservice organizations, and complementary user-entity controls — the things *you* must do for the vendor's controls to work. Reports are usually shared under NDA.

ISO 27001, explained

ISO/IEC 27001:2022 is an international standard for an Information Security Management System (ISMS). An accredited certification body audits the organization and issues a certificate.

  • The 2022 revision has 93 Annex A controls across four themes (Organizational, People, Physical, Technological).
  • A Statement of Applicability (SoA) documents which controls apply and why.
  • The certificate is valid for three years, with annual surveillance audits.

The certificate is the shareable credential — so the verification work is checking the scope, the issuing body's accreditation, and the validity dates. The detailed evidence (the SoA, the audit findings) is usually not shared.

Side by side

                  SOC 2                                       ISO 27001
Output            Attestation report (you read it)            Certificate (you verify it)
Origin            AICPA (US)                                  ISO/IEC (international)
Detail shared     High: controls, tests, exceptions           Low: certificate + scope
Time dimension    Type II shows effectiveness over a period   Certified ISMS, 3-year cycle
What to check     Scope, period, exceptions, CUECs            Scope, accreditation, validity dates

How to actually read each

  • Check the scope. Does the report or certificate cover the *specific service* you use, or a different part of the vendor's business?
  • SOC 2: read the exceptions. A clean report with three material exceptions is not a clean report.
  • SOC 2: check the period. A Type II covering a three-month window tells you less than one covering a year.
  • ISO 27001: verify accreditation. A certificate from a non-accredited body is worth little. Confirm the scope statement matches your service.

What neither one proves

Neither a SOC 2 nor an ISO 27001 certifies that the vendor is "secure" in the abstract on the day you read it. Both are point-in-time or period-based, both depend on scope, and both assume you configure and use the service correctly. Treat them as strong evidence to interpret, not a pass/fail stamp.

Under NIS2 and DORA

Neither certification is mandatory under NIS2 or DORA, and neither automatically satisfies them — but both are valuable evidence for vendor due diligence and your own control mapping. See how the frameworks overlap with our framework overlap tool, and why vendor risk matters even without a mandate in this guide.

A quick vendor-review checklist

  • Confirm the report/certificate covers the service you actually consume
  • For SOC 2, read the exceptions and the review period
  • For ISO 27001, verify accreditation, scope and validity
  • Map the controls to your obligations (NIS2 / DORA / GDPR / ISO 27001)
  • Re-check at renewal — evidence expires

How ArvexLab helps

Drop a vendor's SOC 2 or ISO 27001 into ArvexLab and the AI extracts the controls with confidence scores, flags exceptions, and maps them to NIS2, DORA, GDPR and ISO 27001 — so a human reviews findings instead of re-reading 80-page PDFs. See the platform.

Sources

*This article is for general information only and is not legal or audit advice. Certification scope and requirements vary; consult the relevant standard and qualified professionals for your situation.*
