Table of Contents

Reach SOC 2 Compliance in 6 Weeks or Less.

  / SOC 2 to ISO 27001 Mapping: A Crosswalk Guide

SOC 2 to ISO 27001 Mapping: A Crosswalk Guide

A company that already holds a SOC 2 report has, by most industry estimates, already built somewhere between 60 and 80 percent of what ISO 27001 certification requires. Yet only a small fraction of organizations actually capture that overlap. Teams run the second framework as a fresh project, rewrite policies that already exist, and re-collect evidence they already have on file. The result is paying twice for the same security program.

SOC 2 to ISO 27001 mapping is the discipline that stops this. It is a control crosswalk: a structured comparison that shows which SOC 2 controls already satisfy which ISO 27001 requirements, where the genuine gaps sit, and what new work the second framework actually demands. Done well, it turns the second audit from a rebuild into a mapping exercise.

SOC 2 to ISO 27001 Mapping

What Is SOC 2 to ISO 27001 Mapping?

SOC 2 to ISO 27001 mapping links each SOC 2 Trust Services Criterion to its corresponding ISO 27001 clause or Annex A control. The output is a single control library: each control is defined once, tagged to both frameworks, and backed by evidence that both auditors will accept.

Worth being clear about upfront: a crosswalk does not make you compliant with anything. It shows where coverage already exists and where it does not. The real work still sits in control design, evidence discipline, and keeping the mapping current as systems and vendors change.

A spreadsheet built once and never touched again becomes an audit liability, not an asset. For a structured starting point, a thorough SOC 2 to ISO 27001 gap analysis will surface those liabilities before an auditor does.

 

SOC 2 Trust Services Criteria: An Overview

SOC 2 is an attestation framework from the American Institute of Certified Public Accountants (AICPA). It is built on five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only mandatory category, and every SOC 2 report includes it.

The Security category is evaluated through the Common Criteria, written as CC1 through CC9, containing 32 individual criteria in total. CC1 through CC5 cover the control environment, communication, risk assessment, monitoring, and control activities, and they align directly with the COSO internal control framework. CC6 through CC9 are more technology-specific, covering logical and physical access, system operations, change management, and risk mitigation.

A SOC 2 audit produces one of two report types. A Type 1 report assesses control design at a single point in time. A Type 2 report assesses both design and operating effectiveness across an observation window, usually 3 to 12 months. A licensed CPA firm issues the report. SOC 2 is an attestation, not a certification, and there is no such thing as a SOC 2 certificate.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

ISO 27001 Annex A Controls: An Overview

ISO/IEC 27001 is the international standard for an information security management system, or ISMS. The current version, ISO 27001:2022, has two distinct layers, and the distinction matters for any mapping effort.

Clauses 4 through 10 define the management system itself: organizational context, leadership, planning, risk treatment, support, operations, performance evaluation, and improvement. These clauses are mandatory. Annex A is the second layer, a reference catalogue of 93 controls grouped into four themes: Organizational (37 controls), People (8), Physical (14), and Technological (34). The 2022 revision consolidated the previous 114 controls and 14 domains and added 11 new controls covering areas such as threat intelligence and cloud security.

Annex A controls are not all mandatory. Organizations select controls based on a risk assessment and record their choices, including any exclusions and the reasoning behind them, in a Statement of Applicability. Certification is granted by an accredited body, lasts three years, and requires annual surveillance audits. Learn more about what the full certification process involves.

 

Key Structural Differences That Affect Mapping

The two frameworks share a large security foundation, but they are built differently, and a mapping that ignores the structural gaps will fail. Understanding ISO 27001 vs SOC 2 at a structural level is the prerequisite for any mapping work worth doing. Four differences matter most.

ISO 27001 certifies a management system, while SOC 2 attests to a set of controls. ISO Clauses 4 through 10 have no direct SOC 2 equivalent, because SOC 2 never asks you to prove you run a continuous, governed program; it asks only whether specific controls met specific criteria during the review period.

Scope differs too. An ISO 27001 ISMS is expected to cover the organization broadly, while SOC 2 scope is set at the level of a system or service. The outputs differ as well: ISO produces a pass or fail certificate, whereas a SOC 2 report can carry noted exceptions or a qualified opinion and still be a valid, useful report. And because SOC 2 Type 2 tests evidence across a defined window, a control that worked only on audit day will not pass.

The most common mapping mistake is treating ISO 27001 as SOC 2 plus a few extra controls. It is not.

The Annex A controls map cleanly, but the ISMS management clauses, including internal audit, management review, and continual improvement, are a separate body of work with no SOC 2 starting point. Budget for them as net-new.

 

SOC 2 Common Criteria to ISO 27001 Control Mapping

The Common Criteria map to ISO 27001 with a high degree of overlap. The table below is a practical starting crosswalk for the CC series. It lists the primary ISO 27001 references rather than every possible match, and your auditor’s judgment will shape the final mapping.

SOC 2 Common Criteria

Topic

Primary ISO 27001:2022 References

CC1

Control Environment

Clauses 5 (Leadership), 6 (Planning), A.5.1, A.5.2, A.6.1–A.6.4

CC2

Communication and Information

Clause 7.4 (Communication), A.5.1, A.6.3, A.8.2

CC3

Risk Assessment

Clause 6.1 (Risk Assessment), A.5.7, A.8.8

CC4

Monitoring Activities

Clause 9 (Performance Evaluation), A.5.35, A.5.36, A.8.16

CC5

Control Activities

Clause 6.1.3 (Risk Treatment), A.5.37, A.8.9

CC6

Logical and Physical Access

A.5.15–A.5.18, A.5.31, A.7.1–A.7.4, A.8.2–A.8.5, A.8.18

CC7

System Operations and Incident Response

A.5.24–A.5.28, A.8.15, A.8.16

CC8

Change Management

A.8.32

CC9

Risk Mitigation and Vendor Management

A.5.19–A.5.23, A.6.7, A.8.30

The AICPA publishes an official mapping of the Trust Services Criteria to ISO 27001, and it is a reasonable reference point. Treat any published crosswalk as a draft, though. No mapping survives contact with a real environment unchanged, because how a control is tested depends on how your organization actually operates it.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

SOC 2 Additional Categories Mapped to ISO 27001

If your SOC 2 scope includes categories beyond Security, those map to Annex A as well, though less tidily than the Common Criteria do.

Availability lines up with the ISO controls for backup (A.8.13), redundancy (A.8.14), capacity management (A.8.6), and ICT readiness for business continuity (A.5.30).

Confidentiality maps to information classification (A.5.12), labelling (A.5.13), cryptography (A.8.24), and information deletion (A.8.10).

Processing Integrity is the weakest fit. It relates loosely to the secure development controls A.8.25 through A.8.29, but ISO 27001 has no control dedicated to transaction completeness and accuracy, as SOC 2 does.

Privacy maps partially to A.5.34, which covers privacy and protection of personally identifiable information, but the genuine counterpart is ISO/IEC 27701, the privacy extension to ISO 27001. Organizations serious about privacy assurance usually pursue 27701 alongside the base certification rather than leaning on a single Annex A control.

 

Control Areas With Strong Overlap Between SOC 2 and ISO 27001

Several domains map so cleanly that one well-designed control satisfies both frameworks at once, and these are the areas where a dual-framework program pays for itself fastest.

Access control is the clearest case.

SOC 2’s CC6 and ISO’s A.5.15 through A.8.5 cover the same ground: least privilege, multi-factor authentication, access reviews, and credential management. A single access control policy and one quarterly review process will serve both audits. Incident response overlaps just as well, with CC7 aligning to ISO’s A.5.24 through A.5.28, so one incident response plan with defined roles and tested playbooks covers both frameworks simultaneously.

Change management maps CC8 to A.8.32.

Vendor and third-party risk maps CC9 to the supplier controls in A.5.19 through A.5.23. Data backup and recovery maps the Availability criteria to A.8.13 and A.8.14. Physical security maps the physical elements of CC6 to the A.7 control family. In each of these areas, the work is to design the control once and produce evidence that both auditors will accept.

Pro Tip: Two frameworks with Different Frequencies

Where the two frameworks set different frequencies for the same control, default to the stricter one. If ISO 27001 expects quarterly access reviews and your SOC 2 controls only specified annual reviews, run them quarterly. One piece of evidence then satisfies both auditors, and you never have to explain a mismatch in a control narrative.

Control Gaps: Where SOC 2 and ISO 27001 Diverge

Controls Unique to ISO 27001 Not Covered by SOC 2

The biggest gap is the management system itself. ISO 27001 Clauses 4 through 10 require a documented ISMS scope, a formal risk treatment plan, an internal audit program, a management review process, and a continual improvement cycle based on Plan-Do-Check-Act. SOC 2 touches none of this directly.

The Statement of Applicability has no SOC 2 equivalent, and neither does the formal tracking of nonconformities. For a team arriving from SOC 2, this management layer is where most of the genuine new effort goes.

SOC 2 Requirements Not Addressed by ISO 27001

The gap runs in the other direction, too. SOC 2 evaluates controls against the system commitments described in the report, and a Type 2 engagement tests evidence across a continuous observation window. ISO 27001 has no comparable concept of a multi-month evidence period or a detailed, customer-facing report that describes your system.

SOC 2’s point-of-focus testing is also more granular in places, and its Processing Integrity category has no clean ISO home. An ISO certificate, on its own, does not produce the detailed control narrative that US enterprise buyers often expect to review.

 

Why Map SOC 2 Controls to ISO 27001?

The case for mapping comes down to three concrete returns, and they compound over time.

It reduces audit fatigue and overhead. Teams that build a unified control set and map it to both frameworks consistently spend far less on the second framework than teams running two separate projects. One policy library, one evidence cadence, and one remediation backlog replace two of everything.

A well-maintained SOC 2 compliance checklist that is also cross-referenced against ISO requirements is a practical way to keep that single-source discipline in place day to day.

It strengthens your security posture. Mapping forces you to reconcile two views of the same risks. SOC 2 frames controls around service commitments, while ISO 27001 frames them around information assets and a formal risk assessment. Reconciling the two surfaces gaps that either framework alone would miss, and gaps that auditors and attackers both find.

It meets multiple market requirements at once. US enterprise buyers generally expect SOC 2. European and international customers, along with a growing number of large procurement teams, expect ISO 27001. Microsoft, for one, stopped accepting SOC 2 security reports as sufficient evidence for its supplier program after 2021. Holding both removes the framework question from your sales cycle entirely.

SOC 2 to ISO 27001 Gap Analysis

How to Conduct a SOC 2 to ISO 27001 Gap Analysis

Step 1: Inventory Existing SOC 2 Controls

Start with a complete list of the controls already operating under your SOC 2 program, each recorded with its owner, its frequency, and the evidence it produces. This inventory is the raw material for everything that follows, so it needs to reflect reality rather than the control descriptions in last year’s report. Controls that exist on paper but are not actually being operated will fail ISO testing just as quickly as they would fail a SOC 2 Type 2 review.

Step 2: Align Risk Assessment Processes Across Both Frameworks

SOC 2 expects risks to be assessed and mitigated. ISO 27001 goes further, requiring a documented, repeatable risk assessment methodology and a risk treatment plan tied to the Statement of Applicability. The practical answer is to run one unified risk assessment in a single register that addresses both threats to information assets and risks to your service criteria, rather than maintaining two registers that inevitably drift out of sync.

Step 3: Identify Overlapping and Conflicting Documentation

Compare policies side by side. Where two documents cover the same ground, consolidate them into one. Where they conflict, whether on review frequencies, definitions, or scope, resolve the conflict before an auditor finds it. Conflicting documentation is one of the fastest ways to draw a finding, because it raises the obvious question of which version staff are actually following.

Step 4: Address Scoping Misalignments

SOC 2 scope is set at the system level, while an ISO 27001 ISMS is expected to be broader. Decide deliberately what the ISMS covers and confirm it is consistent with what your SOC 2 report describes. Mismatched scope is one of the most heavily scrutinized issues in an ISO certification audit, and it is also one of the common pitfalls that derails otherwise well-prepared teams.

Step 5: Build a Unified Control Set

Produce a single control catalogue in which each control is defined once, mapped to both frameworks, assigned an owner, and written at a level that stays stable as systems change. This catalogue, not the original mapping spreadsheet, is the durable output of the whole exercise. Everything else feeds into it and is governed by it going forward.

Reach SOC 2 Compliance in 6 Weeks or Less

Schedule Your Free SOC 2 Assessment Today

Best Practices for Successful SOC 2 to ISO 27001 Mapping

Use a Unified Control Framework as Your Foundation

Define each control once, map it to both frameworks, and treat that catalogue as the single source of truth. Separate per-framework spreadsheets drift apart within a quarter, and reconciling them later costs more in time and rework than building the unified version correctly from the start. Reference frameworks like NIST CSF can serve as a neutral backbone that maps to both SOC 2 and ISO 27001, which is particularly useful for organizations that anticipate adding more frameworks in the future.

Automate Compliance Audits Where Possible

Manually collecting and tagging the same evidence for two audits is where both time and accuracy leak. Tag each piece of evidence with every control it supports, across both frameworks, so it is collected once and reused. Automated, time-stamped evidence is also more convincing to an auditor than a manually assembled folder.

Automate compliance audits using purpose-built tools and you eliminate a category of error that manual processes cannot reliably prevent. Pair automation with continuous monitoring and your evidence library stays current between audits rather than being assembled in a panic the week before fieldwork begins.

Regularly Update Your Mapping as Standards Evolve

Frameworks change, as the 2022 ISO revision demonstrated, and so do your systems and vendors. Review the crosswalk on a schedule and whenever you add a system, adopt a new cloud service, or change a core process.

A mapping left static between audits tends to be quietly wrong by the time anyone needs it, and the auditor will find the discrepancies before you do.

Involve Cross-Functional Stakeholders in the Mapping Process

Mapping is not a job for one compliance manager working alone. Control owners in engineering, IT, human resources, and legal need to confirm that the mapped controls reflect how work actually happens. A crosswalk owned by one person and never seen by the people who run the controls is the version auditors quietly take apart. The people closest to the systems know where the documentation does not match the practice, and that knowledge needs to be in the crosswalk before the audit, not discovered during it.

Common Pitfalls When Mapping SOC 2 to ISO 27001

Scoping misalignment is the most frequent failure. A narrow SOC 2 system boundary quietly becomes the assumed ISMS scope, and the ISO auditor pushes back hard.

Duplicate and conflicting documentation is close behind: two access policies, two incident response plans, slightly different in wording and both technically in force, with no clear authority on which one governs.

Overlooking third-party risk catches teams that treated vendor management lightly under SOC 2, since ISO’s supplier controls in A.5.19 through A.5.23 expect a more structured and documented program. And many teams fail to account for the continual improvement obligation, mapping the Annex A controls cleanly while forgetting that ISO’s internal audit and management review requirements are ongoing rather than one-time tasks.

Reviewing the full list of common pitfalls before you start the mapping effort is time well spent.

Auditors test evidence, not intent. A flawless crosswalk spreadsheet proves nothing on its own. What an ISO 27001 auditor wants to see is the management review minutes, the internal audit reports, and the nonconformity log, artifacts that only exist if the ISMS has actually been running for a few months. Start those processes early, well before you feel ready, so the evidence trail exists when the audit arrives.

Frequently Asked Questions

Does SOC 2 to ISO 27001 mapping guarantee compliance with both frameworks?

No. Mapping shows where control coverage overlaps and where gaps remain. Compliance still depends on designing the controls properly, operating them consistently, and producing evidence that satisfies each auditor. A crosswalk is a planning tool, not a substitute for the work itself.

Industry estimates generally place the control overlap between 60 and 80 percent, concentrated in access control, risk management, incident response, and change management.

The overlap is high enough that the second framework should never be a full rebuild, but it is not complete, because the ISO management system clauses have no SOC 2 equivalent and must be built from scratch regardless of where you are starting from.

Often, yes. A large share of SOC 2 evidence, including access reviews, change tickets, vulnerability scans, and training records, directly supports ISO 27001 Annex A controls.

The catch is that ISO also requires evidence SOC 2 never asks for, such as internal audit reports and management review records, which must be generated separately and cannot be substituted.

Treat it as a living document. Review it at least once a year, and also whenever you add a major system, adopt a new cloud service, change a core process, or when either framework is revised. A mapping that sits untouched between audits is almost certainly inaccurate by the time it is needed.

It depends on your customers. If your buyers are mostly US-based, starting with SOC 2 is common practice. If you sell internationally or need a recognized certificate, starting with ISO 27001 builds the broader management system foundation and tends to make the subsequent SOC 2 faster. Either order works.

What matters is building one security program rather than two. A good SOC 2 guide can help you assess which starting point makes the most sense for your current market and customer base.

For most organizations, ISO 27001 takes more time and effort on the first attempt, mainly because of the management system requirements. SOC 2 has no equivalent to the ISMS clauses, the Statement of Applicability, or the internal audit and management review cycle.

The controls themselves are comparable in difficulty. It is the surrounding management system that makes ISO 27001 the heavier lift, and the reason why arriving from SOC 2, with your control library already built, gives you a meaningful head start.

Axipro Author

Picture of Pedro Dias

Pedro Dias

Pedro has been writing online for over 10 years. With experience in all things programming, cyber security, and compliance, he is our editor-in-chief at Axipro.

Blog Highlights

Explore More Articles

Vanta Implementation Checklist

Most companies configure Vanta backwards. They connect integrations first, watch tests turn green, and only then ask which framework they are actually being audited against. By the time the auditor asks for the observation window start date, half the account needs to be rebuilt. The order you set things up in Vanta matters almost as much as what you set up, and getting it wrong costs weeks you do not have before a first audit. This checklist walks through the sequence that actually holds up under audit: the decisions to make before you touch the platform, the sequence of configuration inside it, and the final readiness checks before you hand the account to an auditor. Why a Vanta Implementation Checklist Matters Before Your First Audit Vanta is compliance automation software, not a compliance program. It monitors, syncs, and flags. It does not decide your scope, pick your framework, or tell you when your observation window can safely begin. Those calls are yours, and if you make them after connecting integrations rather than before, you end up rescoping mid-implementation, which resets test history and pushes your audit timeline back by weeks. A first-time implementation typically runs six to twelve weeks from account creation to a fully passing test suite, depending on how much of the underlying control environment already existed. Companies that skip the pre-implementation planning stage and jump straight into connecting AWS and Okta tend to discover, three weeks in, that half their integrations are out of scope, their policies do not match their actual operations, and their observation window needs to restart. Ready for your first audit? Get audit-ready with expert Vanta implementation support. Schedule Pre-Implementation: Foundational Decisions to Make First Define Your Target Framework (e.g., SOC 2, ISO 27001, HIPAA) Every downstream Vanta setting, from which integrations you connect to which policies you publish, depends on the framework you are pursuing. SOC 2 Type II evaluates your controls against the AICPA’s five Trust Services Criteria, security, availability, processing integrity, confidentiality, and privacy, with security as the only mandatory category. ISO 27001 asks you to build a full Information Security Management System (ISMS) under a structured set of clauses, backed by a broader set of technical, physical, and organizational controls in Annex A. HIPAA and PCI DSS bring their own control sets tied to specific data types, protected health information and cardholder data, respectively. If your customers are asking for a specific report, let that drive the decision rather than defaulting to whichever framework has the most templates in Vanta’s library. A fintech company with enterprise banking customers may need SOC 2 first and PCI DSS second. A healthcare SaaS vendor almost always needs HIPAA regardless of what else it pursues. Mapping frameworks to actual customer and contractual requirements before configuration saves you from scoping controls you will never use. Important: Choosing multiple frameworks at once is common, but sequencing them wrong creates duplicate work. Configure your primary framework fully, get through a full observation cycle if pursuing Type II, and add secondary frameworks once your evidence collection habits are established. Vanta will map shared controls across frameworks automatically, but only once both are active in the account. Set Your Audit Timeline and Observation Window If you are pursuing SOC 2 Type I, there is no observation window. The audit evaluates whether your controls are designed correctly as of a single point in time, and you can move to audit as soon as your tests pass. SOC 2 Type II is different: the observation window, also called the audit window or monitoring period, is the span during which the auditor samples evidence to confirm your controls actually operated, not just that they existed on paper. For a first Type II audit, a three to six month window is standard. Mature organizations settling into an annual cadence typically move to a full twelve-month window once they have proven consistent operation. Do not start the observation window until you are confident your controls are actually running as designed. Auditors can sample any event from the first day of the window forward, and a control failure in week two of a six-month window is just as damaging to your report as one in week twenty. This is the single most common timeline mistake first-time customers make in Vanta: they start the clock the day they finish connecting integrations, before policies are published, before HR sync is confirmed, and before access reviews have actually happened once. Identify Internal Owners and Stakeholders Every control needs a named owner inside Vanta, not a department. “Engineering” is not a control owner. The engineering manager who reviews production access quarterly is. Before you start configuring, map out who owns identity and access management, who owns vendor risk, who owns HR onboarding and offboarding, and who owns policy publication and employee acknowledgment. If your organization is small enough that one person wears several of these hats, that is fine, but it needs to be explicit in the tool, because Vanta’s task assignments and reminder emails route based on these ownership fields. Choose Your Auditor Before You Configure Vanta Auditor selection affects configuration choices that are expensive to reverse. Different CPA firms and ISO certification bodies have different tolerances for exceptions, different expectations around evidence formatting, and different preferences on how granular your control mapping should be. Get your auditor engaged, or at minimum shortlisted, before you finalize your framework scope and observation window in Vanta. Some firms will do a pre-audit readiness call that surfaces scoping issues Vanta’s automated checks will not catch, like whether a particular subprocessor needs to be in scope. Step 1: Configure Company Settings in Vanta Add Company Details and Business Information Start with the basics: legal entity name, headquarters address, description of the service you provide, and the systems that process customer data. This becomes the backbone of your system description, the narrative document that accompanies your SOC 2 report and explains what your company does and how the in-scope systems support

ISO 27001 Business Continuity Plan

Two controls decide whether your ISO 27001 business continuity plan survives an audit: Annex A 5.29 and Annex A 5.30. One keeps your security controls working while everything else is failing. The other gets your systems back online before the damage becomes permanent. Plenty of teams write a continuity policy that satisfies neither in the way a certification auditor expects, and they discover the gap during the Stage 2 audit, when it is expensive to fix. This article covers what ISO 27001:2022 actually requires for business continuity, the components an auditor will ask to see, the step-by-step build, and the mistakes that turn a continuity plan into a non-conformity. What Is an ISO 27001 Business Continuity Plan? An ISO 27001 business continuity plan is the documented set of procedures that keeps information security effective and critical ICT services available during a disruption. It is not a generic “keep the lights on” binder. Under ISO 27001, the plan protects the confidentiality, integrity, and availability of information when normal operations break down: a ransomware event, a cloud outage, a data center failure, or a supplier collapse. The plan lives inside your Information Security Management System (ISMS). It draws on your risk assessment, your asset register, and your Business Impact Analysis (BIA), and it feeds your disaster recovery procedures. Scope is the part people get wrong. ISO 27001 cares about the information security aspects of continuity, not every operational hiccup a full business continuity program might cover.   Why You Need a Business Continuity Plan for ISO 27001 Compliance Downtime is expensive, and the bill arrives fast. For most organizations, the question is not whether a disruption will happen, but how quickly they recover when it does. There is also a hard compliance reason. You cannot certify to ISO 27001 while ignoring continuity. The standard requires you to maintain information security during disruption and to keep ICT able to support recovery, and an auditor will ask for the evidence. A continuity plan is where availability stops being a promise and becomes a tested capability. Let Axipro help you build a business continuity plan that’s practical, compliant, and audit-ready. Strengthen Your Business Continuity Strategy Schedule A Consultation ISO 27001 Requirements Related to Business Continuity Planning ISO/IEC 27001:2022 carries 93 Annex A controls across four categories: organizational, people, physical, and technological. Continuity sits in the organizational set, and two controls do the heavy lifting, supported by two more on the technical side. Annex A 5.29 – Information Security During Disruption A.5.29 requires you to maintain information security at an appropriate level when a disruption hits. The point is that security controls have a habit of degrading under pressure. People disable multi-factor authentication to “speed things up,” logging stops on a failover system, or access controls loosen while everyone scrambles. A.5.29 says the confidentiality and integrity of your information must be maintained even while availability is under threat. It is classed as both a preventive and a corrective control, meaning it should reduce the chance of an incident and also help resolve one already underway. Annex A 5.30 – ICT Readiness for Business Continuity A.5.30 is the technical engine. It requires that your ICT readiness is planned, implemented, maintained, and tested against business continuity objectives and ICT continuity requirements. In plain terms, your servers, networks, applications, and cloud services need a defined recovery path, each with a Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and you need to prove the path works. This control is entirely new in the 2022 revision. It has no precedent in ISO 27001:2013, which is exactly why teams migrating from the older version so often have a gap here. Important: A.5.30 did not exist in ISO 27001:2013. If your continuity documentation was written against the old Annex A 17 cluster and never updated, you are missing a control the auditor will specifically test. Treat ICT readiness as a fresh requirement, not a relabel. Two technological controls back these up. Annex A 8.13 (Information Backup) requires backups to be taken and tested in line with an agreed policy, and Annex A 8.14 (Redundancy of Information Processing Facilities) covers the failover and redundancy that let critical systems keep running when a component dies. Relationship Between ISO 27001 and ISO 22301 This is where confusion is common. ISO 27001 requires the information security aspects of continuity. ISO 22301 is the dedicated standard for a full Business Continuity Management System (BCMS), covering people, facilities, supply chain, and operations far beyond information security. An ISO 27001 certificate does not certify your wider continuity program. The good news: both standards share the Annex SL high-level structure, so risk assessment, internal audit, management review, and document control carry across. Teams that already run ISO 27001 can layer ISO 22301 on top with far less effort than starting from scratch. Key Components of an ISO 27001 Business Continuity Plan Business Impact Analysis (BIA) The BIA is the foundation. It identifies your critical business processes, the ICT systems they depend on, and the cost of losing each one over time. It is where your recovery objectives come from, not from a vendor datasheet. A BIA also sets the Maximum Tolerable Period of Disruption (MTPD): the point beyond which an activity’s failure causes unacceptable damage. Risk and Disruption Scenario Assessment Your risk assessment identifies what could cause a disruption and how likely it is, feeding the Risk Treatment Plan and the Statement of Applicability (SoA) that records which controls apply. Continuity planning then runs concrete scenarios: ransomware, a regional outage, a key supplier failure, the loss of a data center. Response and Recovery Strategies For each critical system, you define how you will respond and recover: failover to a secondary site, restore from backup, or switch to a manual workaround. This links incident response to crisis management, the executive-level decision-making that kicks in when an incident escalates beyond a routine fix. Roles and Responsibilities Name real people, not departments. “IT will handle it” is the single most common

When researchers found that Microsoft 365 Copilot could be tricked into leaking corporate data from a single email, the flaw got a clean public identifier: CVE-2025-32711, severity 9.3. When a bug hunter coaxed ChatGPT into producing valid Windows product keys by framing the request as a guessing game, it got nothing.  Both were prompt injections. Only one is trackable. That Vulnerability Tracking Gap in AI Security, and what it costs defenders, is the subject of this article. What Is a CVE and Why Does It Matter for Software Security? A CVE (Common Vulnerabilities and Exposures) is a unique public identifier for a specific software flaw. It gives the whole industry one name for one bug, so a researcher in Berlin and an analyst in Bahrain know they mean the same thing. The Role of MITRE’s CVE Program in Traditional Vulnerability Management The CVE program is run by the MITRE Corporation, a US nonprofit. Since 1999 it has assigned hundreds of thousands of IDs, each tied to a discrete, reproducible defect in a defined product and version. A CVE is the connective tissue of coordinated disclosure: a researcher reports the flaw, the vendor patches it, the ID is published, and defenders map it to their own assets. Without that shared label, the same bug ends up with three names and no clear owner. The National Vulnerability Database (NVD) and CVSS Scoring The National Vulnerability Database, maintained by NIST, enriches each CVE with a CVSS (Common Vulnerability Scoring System) score from 0 to 10. That lets teams triage: a 9.3 jumps the queue, a 4.0 waits. Why Prompt Injection Breaks the Traditional CVE Model The CVE model assumes a bug lives in code, sits in a version, and can be fixed. Prompt injection violates all three. Prompt Injection as a Class of Attack, Not a Discrete Bug Prompt injection smuggles instructions into the data an LLM reads, so the model follows the attacker rather than the user. OWASP ranks it as LLM01, the top entry in its 2025 Top 10 for LLM Applications. It is a property of how language models work, not one line of faulty code, so you cannot file a CVE against it. A SQL injection either works or it does not. A prompt injection might succeed nine times in ten, fail on the eleventh, then stop working after a silent model update, which makes the “reproducible” part of reporting genuinely hard. Model Versioning vs. Software Versioning Software has clean version numbers. A weight update to a hosted model can ship silently, with no version a researcher can cite. Two calls to “gpt-4o” a week apart may not behave the same way, and there is no changelog to point at. Why “Patching” an LLM Differs From Patching Code Patching code closes a specific hole. A developer rewrites the faulty line, ships the diff, and the exploit path is gone for good. That clean, binary, auditable loop is the entire premise on which the CVE system rests. “Patching” a model offers none of it. There is no single line to fix, because the behavior the attacker abused is the same behavior that makes the model useful: it reads text and follows instructions. A vendor’s only levers, retraining, hardening the system prompt, or wrapping the model in input and output guardrails, all lower the odds of a successful attack rather than removing the possibility. The fix reduces the success rate from 80 percent to 5 percent and marks it as remediated. The hole is narrower, not closed. The recent record shows how thin that margin is. EchoLeak got past Microsoft’s dedicated cross-prompt-injection classifier by hiding its exfiltration channel in reference-style Markdown that the filter did not recognize, and the AgentFlayer exploit slipped through OpenAI’s URL safety check by routing stolen data through trusted Azure Blob Storage links. Each guardrail worked against the obvious version of the attack and fell to a rephrasing. There is a tuning tax on top of that: crank the filters too tight and the model starts refusing legitimate work, so vendors settle for a balance point rather than elimination.  The practical takeaway is to treat “we’ve addressed this” as risk reduction, not closure. SOC 2, ISO 27001 and HIPAA done for you. Fixed fee, 100% audit pass rate. Audit-ready in 6 weeks. Not 6 months. Schedule A Free ASSESSMENT The Current State of AI Vulnerability Tracking Several frameworks exist. None is a true registry of individual, citable prompt injection vulnerabilities. OWASP LLM Top 10 and the LLM01 Classification The OWASP GenAI Security Project’s LLM01:2025 entry is the most cited reference point. It is a category, not a catalog: it does not enumerate specific incidents with IDs. MITRE ATLAS for Adversarial AI Threats MITRE ATLAS is an ATT&CK-style knowledge base of adversarial tactics against AI systems, documenting 16 tactics and more than 80 techniques with real-world case studies as of late 2025. It maps how attacks work, but is not a per-vulnerability ledger with scores. AVID (AI Vulnerability Database) and Its Limitations AVID, run by a nonprofit, is the closest thing to a dedicated AI vulnerability database, cataloging failure modes with reproducible evidence. But it leans on community submissions, skews toward bias and broader failure modes, and notes that the definition of an “AI vulnerability” is itself still a working one. Vendor-Specific Disclosures vs. Industry-Wide Registries Disclosure happens vendor by vendor. OpenAI patched the Windows-key jailbreak server-side; Microsoft fixed EchoLeak and issued a CVE. There is no common venue where these land side by side.   The Consequences of No Shared Threat Registry for Prompt Injection Fragmented Disclosure Across AI Vendors Each lab discloses on its own terms, on its own blog, if at all. A defender protecting a multi-model stack has to monitor a dozen channels and hope nothing slips by. Duplicate Discovery and Wasted Research Effort Researchers rediscover the same attack repeatedly. The guessing-game jailbreak, the “dead grandma” trick, and other framing attacks are variations on one theme nobody numbered. No Standardized Severity Scoring for