ISO 27001

ISO/IEC 27001 (Information Security Management Systems)

An international standard for information security management systems, certifiable by accredited bodies, with explicit supplier-relationship requirements in Annex A.5.

At a glance

  • Authority: ISO; certification by accredited bodies
  • Type: Certification (3-year cycle with annual surveillance audits)
  • Vendor monitoring: Required (Annex A.5.19 - A.5.23, Supplier Relationships)

ISO/IEC 27001 is the international standard for information security management systems (ISMS). Unlike SOC 2 (which is an attestation), ISO 27001 is a certifiable standard — accredited bodies issue certificates for a three-year period, with annual surveillance audits.

Structure

ISO 27001 has two halves:

  • The main clauses (4-10). Requirements for an ISMS — context, leadership, planning, support, operation, performance evaluation, improvement.
  • Annex A. A list of 93 controls (in the 2022 update; 114 in the 2013 version) grouped into four themes: Organisational, People, Physical, Technological.

The annex controls are not all mandatory; the organisation determines which apply based on its risk assessment. Each control's inclusion or exclusion, with the justification, is recorded in the Statement of Applicability.

Supplier Relationships (Annex A.5.19 - A.5.23)

The 2022 version groups supplier-relationship controls into five:

  • A.5.19 — Information security in supplier relationships. A policy for managing risks from supplier products, services, and processing.
  • A.5.20 — Addressing information security within supplier agreements. Specific security requirements in supplier contracts.
  • A.5.21 — Managing information security in the ICT supply chain. Specific to ICT supply chain risks.
  • A.5.22 — Monitoring, review, and change management of supplier services. Ongoing monitoring of supplier security performance.
  • A.5.23 — Information security for use of cloud services. Specific to cloud providers.

A.5.22 is the operational vendor-monitoring control. The expectation:

  • Regular monitoring of supplier compliance with agreed security requirements.
  • Reviews on a defined cadence.
  • Change management when supplier services or controls change.

What auditors look for

ISO 27001 auditors are typically more process-focused than SOC 2 auditors. They want to see:

  • A documented supplier management process.
  • A supplier inventory with risk classifications.
  • Defined monitoring cadences for each tier.
  • Evidence the cadences are run.
  • Evidence of action when monitoring identifies issues.
  • Internal audits covering supplier management.
  • Management review of supplier performance.

Where SOC 2 wants vendor evidence as part of overall control evidence, ISO 27001 wants the supplier-management system to be visible — the documented process, the records, the corrective actions, the continuous improvement.

ISO 27001 + SOC 2

Many B2B SaaS vendors carry both. They overlap heavily but emphasise different things:

  • SOC 2 is more US-recognised, more focused on operating effectiveness over time, and more often demanded by enterprise buyers in North America.
  • ISO 27001 is more globally recognised, more focused on the management system, and more often demanded by enterprise buyers in Europe and Asia.

For a customer evaluating a vendor, both certifications signal a mature security program. Carrying both is more a sales-enablement decision for the vendor than a meaningful difference in security posture.

Companion standards

  • ISO/IEC 27017 — additional cloud-specific controls.
  • ISO/IEC 27018 — protection of PII in public clouds, for providers acting as PII processors.
  • ISO/IEC 27701 — privacy information management system, building on 27001 with GDPR-aligned controls.
  • ISO 22301 — business continuity (often paired with 27001 for availability assurance).

A vendor carrying ISO 27001 + 27018 + 27701 is making a deliberate signal about cloud privacy posture beyond the base standard.
