Compliance Controls Overlap: How SOC 2, ISO 27001, HIPAA, and GDPR Share 60% of Their Controls
The compliance controls overlap across SOC 2, ISO 27001, HIPAA, and GDPR is not a marketing claim. It is a measurable property backed by cross-framework mappings published by AICPA, NIST, the Cloud Security Alliance, and the Secure Controls Framework. Running four separate compliance programs when the underlying control work is 60 to 70 percent shared is a self-inflicted operational tax.
This brief maps the overlap and cites the authoritative mappings that back each claim. For the framework-by-framework selection logic, see the compliance framework guide. For the sequenced multi-framework program, see the SaaS compliance stack.
Why the Overlap Matters
The financial argument is straightforward. A greenfield SOC 2 program takes six to nine months and costs a Series B SaaS company somewhere between 75,000 and 200,000 dollars in consulting, tooling, and audit fees. A greenfield ISO 27001 program of the same scope is comparable. A greenfield HIPAA program adds another 40,000 to 100,000 dollars of readiness and ongoing operating cost. Run them sequentially and you spend 18 months and 250,000 to 500,000 dollars building substantially the same control environment three times over.
Run them as one combined program with a shared foundation and framework-specific overlays, and the same portfolio ships in 6 to 9 months at roughly 130,000 to 260,000 dollars. The savings are the difference between shipping and stalling.
Time matters more than money. Every quarter a compliance program is not certified is a quarter of enterprise deals routed to a certified competitor.
What "60% Overlap" Actually Means
The 60 to 70 percent overlap figure comes from three independent sources.
AICPA Trust Services Criteria to ISO 27001:2022 mapping. Published free by AICPA. Maps each SOC 2 Common Criteria (CC1 through CC9) to corresponding ISO 27001 Annex A controls in the 2022 revision. The overlap on Security Trust Services Category alone is approximately 65 percent of underlying controls.
Cloud Security Alliance Cloud Controls Matrix v4. Cross-maps 197 controls to SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR, and other frameworks. The proportion of CCM controls that satisfy at least three of these frameworks simultaneously is approximately 60 percent.
Secure Controls Framework (SCF). Open-source meta-framework mapping 1,000+ controls to 100+ laws and standards. SCF's aggregate overlap analysis for SOC 2 + ISO 27001 + HIPAA + GDPR consistently sits in the 55 to 70 percent range depending on scoping choices.
The overlap is real. It is not marketing.
Shared Control Domains
Both security frameworks (SOC 2, ISO 27001, HIPAA Security Rule) and privacy-adjacent security (GDPR Article 32) share the same underlying operational practices, described with different vocabulary.
Access Control
- SOC 2 CC6.1 — logical access restricted to authorized users
- ISO 27001 A.5.15, A.5.17, A.5.18, A.8.2, A.8.3 — access management and privileged access rights
- HIPAA 164.312(a)(1) and 164.312(d) — access control and person or entity authentication
- GDPR Article 32(1)(b) — access to personal data restricted to persons who need it
Implementation: identity provider with SSO and MFA, role-based access control, quarterly access reviews, automatic session timeout, offboarding tied to HR events. One implementation satisfies all four.
Encryption
- SOC 2 CC6.7 — encryption of sensitive data in transit and at rest (for Security or Confidentiality Trust Services Category)
- ISO 27001 A.8.24 — use of cryptography
- HIPAA 164.312(a)(2)(iv) and 164.312(e)(2)(ii) — encryption addressable specifications for PHI
- GDPR Article 32(1)(a) — pseudonymization and encryption of personal data
Implementation: TLS 1.2 or higher in transit, AES-256 at rest. Standard covers all four.
Audit Logging and Monitoring
- SOC 2 CC7.2 — system components monitored to identify anomalies
- ISO 27001 A.8.15, A.8.16 — logging and monitoring activities
- HIPAA 164.312(b) — audit controls that record and examine activity in information systems containing PHI
- GDPR Article 32(1)(d) — regular testing of effectiveness of measures
Implementation: centralized log aggregation, retention (six-year minimum for HIPAA-adjacent logs), alerting on privileged access and sensitive-data-adjacent events. One log platform, one retention policy, four satisfied requirements.
Incident Response
- SOC 2 CC7.3, CC7.4 — incident identification and response
- ISO 27001 A.5.24 through A.5.28 — information security incident management
- HIPAA 164.308(a)(6) — security incident procedures
- GDPR Article 33, Article 34 — breach notification obligations
Implementation: documented IR runbook, tabletop exercises, notification workflows sized to the tightest requirement (GDPR 72-hour supervisory authority notification and HIPAA 60-day HHS OCR notification for 500+ breaches). One runbook covers all four.
Workforce Training
- SOC 2 CC1.4 — competent individuals attracted, developed, and retained
- ISO 27001 A.6.3 — information security awareness, education, and training
- HIPAA 164.308(a)(5) — security awareness and training program
- GDPR Article 32 and Article 29 — training of persons who process data on instruction
Implementation: annual training on data handling, phishing awareness, and role-specific security practices. Documented completion records satisfy all four.
Vendor Management
- SOC 2 CC9.2 — selection and monitoring of vendors
- ISO 27001 A.5.19 through A.5.23 — supplier relationships and monitoring
- HIPAA 164.308(b) and 164.314(a) — Business Associate Agreements and requirements
- GDPR Article 28 — processor obligations and Data Processing Agreements
Implementation: vendor onboarding process including security review, BAA execution for HIPAA-adjacent vendors, DPA execution for GDPR-adjacent vendors. One process, framework-specific paper.
Risk Assessment
- SOC 2 CC3.1 — organization specifies objectives and identifies risks
- ISO 27001 clause 6.1.2 — information security risk assessment
- HIPAA 164.308(a)(1)(ii)(A) — accurate and thorough risk analysis for PHI
- GDPR Article 35 — Data Protection Impact Assessments for high-risk processing
Implementation: annual risk assessment methodology with information assets and personal data mapped. GDPR DPIAs are a specific overlay for high-risk processing activities but reuse the same underlying methodology.
Control Mapping Snapshot
| Domain | SOC 2 (Common Criteria) | ISO 27001:2022 (Annex A) | HIPAA (45 CFR 164) | GDPR (Article) |
|---|---|---|---|---|
| Access control | CC6.1, CC6.2, CC6.3 | A.5.15–A.5.18, A.8.2, A.8.3 | 164.308(a)(4), 164.312(a), 164.312(d) | Art. 32(1)(b) |
| Encryption | CC6.7 | A.8.24 | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | Art. 32(1)(a) |
| Audit logging | CC7.2 | A.8.15, A.8.16 | 164.312(b) | Art. 32(1)(d) |
| Incident response | CC7.3, CC7.4 | A.5.24–A.5.28 | 164.308(a)(6) | Art. 33, Art. 34 |
| Workforce training | CC1.4 | A.6.3 | 164.308(a)(5) | Art. 32, Art. 29 |
| Vendor management | CC9.2 | A.5.19–A.5.23 | 164.308(b), 164.314(a) | Art. 28 |
| Risk assessment | CC3.1 | Clause 6.1.2 | 164.308(a)(1)(ii)(A) | Art. 35 |
| Physical security | CC6.4 | A.7.1–A.7.14 | 164.310 | Art. 32 (general) |
| Change management | CC8.1 | A.8.32 | 164.308(a)(8) | Art. 32(1)(d) |
| Business continuity | A1.2 (Availability) | A.5.29, A.5.30 | 164.308(a)(7) | Art. 32(1)(c) |
This is a snapshot. For the complete cross-framework mapping, use one of the authoritative sources listed below.
Framework-Specific Non-Overlapping Controls
The 30 to 40 percent that does not overlap is framework-specific and cannot be shortcut.
SOC 2 specific: Trust Services Category selection, the CPA firm engagement and report structure, Type I versus Type II selection, bridge letters between reports. These are attestation mechanics, not control mechanics.
ISO 27001 specific: Statement of Applicability, ISMS scope statement, management review clauses (5.1, 9.3), internal audit program (9.2), continual improvement clause (10.1). These are management-system requirements that SOC 2 does not impose in the same form.
HIPAA specific: Business Associate Agreements, Notice of Privacy Practices (for Covered Entities), HHS OCR breach notification workflow, minimum necessary standard operationalized in access decisions, patient rights of access and amendment. Contractual and legal obligations without SOC 2 or ISO 27001 equivalents.
GDPR specific: lawful basis register under Article 6 (and Article 9 for special categories), data subject rights workflows (erasure, portability, restriction, objection), international transfer mechanisms (SCCs, DPF, adequacy decisions), Data Protection Officer appointment when triggered, Records of Processing Activities under Article 30, cookie consent under the ePrivacy Directive as amended by GDPR.
Structuring Evidence for Multiple Frameworks
Evidence structured for one framework can serve multiple if organized correctly.
Store control evidence tagged with the framework requirements it satisfies, not organized by framework. One access review log satisfies SOC 2 CC6.1, ISO 27001 A.5.18, HIPAA 164.308(a)(4), and GDPR Article 32(1)(b) simultaneously. A GRC platform (Vanta, Drata, Secureframe, Sprinto, Thoropass) does this tagging automatically for major frameworks. For teams not yet on a platform, a simple evidence directory with a mapping spreadsheet accomplishes the same thing.
The audit efficiency compounds. An auditor reviewing the same access review evidence for the SOC 2 audit does not need to re-request it for the ISO 27001 audit two months later. Buyers reviewing your compliance posture see one coherent control environment, not four disconnected programs.
Authoritative Sources and Mappings
Cite these when defending overlap claims to auditors, buyers, or boards.
- AICPA Trust Services Criteria to ISO 27001 mapping — free, published by AICPA. Source of truth for SOC 2 to ISO 27001 overlap claims.
- NIST Special Publication 800-53 Rev. 5 Appendix H — maps SP 800-53 controls to ISO 27001, PCI-DSS, and other frameworks. Available at nvlpubs.nist.gov.
- NIST Special Publication 800-66 Revision 2 — HIPAA Security Rule crosswalk to NIST Cybersecurity Framework and SP 800-53. Available at csrc.nist.gov.
- Cloud Security Alliance Cloud Controls Matrix (CCM) v4 — 197 controls mapped to SOC 2, ISO 27001, HIPAA, PCI-DSS, GDPR, and others. Free download with account at cloudsecurityalliance.org.
- Secure Controls Framework (SCF) — open-source cross-mapping across 100+ laws and standards. securecontrolsframework.com.
For framework-specific mechanics, see the SOC 2 service page, ISO 27001 service page, HIPAA service page, and GDPR service page. For the interactive overlap explorer that visualizes control overlap across frameworks. For standard combinations pre-mapped for common multi-framework programs.
Frequently Asked Questions
How much do SOC 2 and ISO 27001 overlap? Approximately 60 to 70 percent of underlying controls, backed by the AICPA's own mapping and the Cloud Security Alliance CCM. The specific number depends on Trust Services Categories selected and the ISO 27001 Statement of Applicability scoped.
Where does HIPAA overlap with SOC 2 and ISO 27001? HIPAA Security Rule technical, administrative, and physical safeguards overlap substantially with SOC 2 Common Criteria and ISO 27001 Annex A. NIST SP 800-66 Rev. 2 provides the crosswalk. Non-overlapping HIPAA-specific work is BAAs, the Notice of Privacy Practices, HHS OCR breach notification, and the minimum necessary standard.
Does GDPR overlap with security frameworks? GDPR Article 32 overlaps substantially with SOC 2, ISO 27001, and HIPAA on security controls. A SOC 2 or ISO 27001 program covers most of Article 32. Non-overlapping GDPR-specific work is lawful basis, data subject rights, cross-border transfers, and DPO appointment.
What is the best source for authoritative control mappings? AICPA for SOC 2 to ISO 27001. NIST SP 800-66 Rev. 2 for HIPAA. Cloud Security Alliance CCM for a cross-framework mapping across SOC 2, ISO 27001, HIPAA, PCI-DSS, and GDPR. Secure Controls Framework for the broadest coverage.
Ready to Run One Program for Multiple Frameworks?
ShieldKey Solutions designs multi-framework compliance programs on a shared control foundation. We map the overlap, tag evidence to multiple frameworks, and minimize the audit tax so procurement conversations do not stall.