SOC 2 (TSC), ISO/IEC 27001:2022, and PCI DSS 4.0 mapped against a single unified control set — so the work you do for one auditor pays out across all three. We focus on whether the controls actually defend the business, not just whether the binder is thick.
A representative slice of how the major frameworks overlap when you're looking at them from a control perspective rather than a checklist perspective.
| Domain | SOC 2 (TSC) | ISO 27001:2022 (Annex A) | PCI DSS 4.0 | Representative Evidence |
|---|---|---|---|---|
| Access Control | CC6.1 / CC6.2 | A.5.15 / A.8.2 / A.8.3 | Req. 7 / 8 | IAM roles, MFA enforcement, JML evidence |
| Physical & Environmental | CC6.4 | A.7.2 / A.7.4 / A.8.25 | Req. 9 | Biometrics, mantrap, CCTV, UPS / generator logs |
| System Operations | CC7.1 / CC7.2 | A.8.15 / A.8.16 | Req. 10 | SIEM correlation, 24/7 NOC tickets, log retention |
| Change Management | CC8.1 | A.8.32 | Req. 6 | Pull-request approvals, CAB minutes, rollback plans |
| Cryptography | CC6.7 | A.8.24 | Req. 3 / 4 | HSM/KMS configs, TLS profiles, key rotation logs |
| Vulnerability Mgmt | CC7.1 | A.8.8 | Req. 11 | Scan cadence, ASV reports, remediation SLAs |
| Incident Response | CC7.3 / CC7.4 | A.5.24 – A.5.28 | Req. 12.10 | IR runbooks, tabletop minutes, post-mortems |
| Vendor / TPRM | CC9.2 | A.5.19 – A.5.22 | Req. 12.8 | Vendor inventory, SOC 2s on file, DPAs |
| Asset Mgmt & Disposal | CC6.5 | A.5.9 / A.8.10 | Req. 9.4 | CMDB extracts, certificates of destruction |
Illustrative mapping. Final mapping depends on auditor opinion, system boundary, and applicable inclusions / exclusions.
SOC 2 reports against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). It's the de-facto US B2B trust artifact. We help you choose the right TSCs for your story, scope the boundary defensibly, and avoid the classic over-scoping trap that turns a 6-month report into an 18-month one.
A SOC 2 readiness package that makes the auditor's job small.
The 2022 revision restructured Annex A from 14 categories into 4 themes (Organizational, People, Physical, Technological), trimmed the set to 93 controls, and added 11 new ones. The transition window from 27001:2013 closed in October 2025, so certifying against the 2022 edition is the only option going forward.
Most ISO certifications fail their first surveillance audit because the ISMS exists on paper but not in the company's habits. We build (or retrofit) yours so leadership reviews, internal audits, risk reviews, and control owners all reinforce each other on a real cadence — not a calendar fire-drill.
PCI DSS 4.0.1 is now mandatory for all assessments, and the future-dated "best practice" requirements are now in effect. The biggest shift isn't a single requirement — it's that 4.0 lets mature programs use a Customized Approach backed by documented Targeted Risk Analyses (TRAs), instead of brute-force Defined Approach checkboxes.
Designed to surface material issues before the official look-back window opens — not after.
Week 1. Stakeholder alignment, prior audit reports, system boundary, applicable framework version, and explicit inclusions / exclusions documented. Everything starts here.
Weeks 2–3. We work the actual evidence, not the policy library. SME interviews with control owners, evidence sampling, and a gap matrix mapped to your frameworks of record.
Week 4. Tactical site / system assessment focused on the highest-risk controls. Deliverable: unified control map + red-flag report with ranked remediation paths and owners.
Not a substitute for a formal audit with random sampling and evidence generation. The intent is overall completeness, stability, and audit-readiness — surface issues now, while you can still fix them.