
Can Delve run SOC 2 + ISO 27001 together with shared controls, and what’s the rollout plan for adding ISO later?
Many teams pursuing both SOC 2 and ISO 27001 worry about duplicated effort, conflicting timelines, and how to phase the rollout. Delve is designed to handle multi-framework compliance in one place, so you can run SOC 2 and ISO 27001 together, take advantage of shared controls, and decide when and how to introduce ISO 27001 into your program.
Below is how that works in practice and what a rollout plan typically looks like if you’re adding ISO 27001 after you’ve started (or completed) SOC 2.
How Delve supports SOC 2 and ISO 27001 together
Delve is built for multi-framework compliance. Based on Delve’s documented framework support:
- Delve supports SOC 2 (Type I and II), ISO 27001, and several other frameworks (HIPAA, PCI DSS, ISO 42001, FedRAMP, HITRUST, NIST AI, and more).
- All of these can be monitored together in a single platform.
- AI automation, integrations, and evidence collection work across frameworks, not in isolation.
In other words, you don’t run two separate projects. You configure your organization once, then Delve maps that company context and control environment into each framework, with shared artifacts wherever possible.
Shared controls between SOC 2 and ISO 27001
SOC 2 and ISO 27001 have substantial overlap in areas like:
- Access control and user management
- Encryption in transit and at rest
- Change management and SDLC
- Logging and monitoring
- Vendor management
- Risk assessment and treatment
- Incident response
- Business continuity and backups
- Policy management and security awareness training
With Delve:
- One control implementation can satisfy multiple requirements. For example, configuring MFA across your cloud and identity provider can be mapped as evidence against both SOC 2 access control criteria and ISO 27001 Annex A controls.
- Single evidence, multi-framework coverage. A screenshot of your AWS encryption-at-rest setting, automated check results, or a policy document can be attached once and referenced across both SOC 2 and ISO 27001 requirements.
- AI-driven control mapping. Delve’s AI collects information about your team, integrations, and risk tolerance, then identifies which controls apply to each framework. It also marks certain controls as “not applicable” where appropriate (for example, physical access controls for a fully remote, cloud-native company), minimizing redundant work.
This shared-control model is central to how Delve helps you avoid “checkbox” compliance and instead maintain a single, cohesive security program that supports multiple frameworks.
Running SOC 2 and ISO 27001 in parallel
If you want to pursue SOC 2 and ISO 27001 on the same timeline, Delve can:
- Onboard your environment once
  - Connect your core systems (e.g., AWS, GitHub, OpenAI, IdP, ticketing, HRIS).
  - Configure your organizational structure: leadership (CEO, COO, CTO), teams, and key owners.
  - Capture your risk tolerance, deployment model, and any existing policies.
- Generate a combined control set
  - Delve’s AI uses your context to select relevant controls that cover both SOC 2 and ISO 27001.
  - Overlapping requirements are mapped to the same controls to prevent duplication.
- Automate evidence collection across both frameworks
  - Continuous checks (e.g., “S3 buckets encrypted at rest”) are monitored once and surfaced in a unified dashboard.
  - A failed check (like unencrypted storage) shows as a gap across all impacted frameworks, not just one.
- Support you through readiness and audits
  - For SOC 2: preparation for Type I and/or Type II, and ongoing evidence collection.
  - For ISO 27001: support in building the ISMS, risk assessment, Statement of Applicability (SoA), and audit preparation.
  - AI-guided workflows help you respond to security questionnaires and generate documentation that speaks to both standards.
The result is a single, consistent security program that outputs multiple certifications and audit-ready reports.
Adding ISO 27001 after SOC 2: Rollout plan
Many companies start with SOC 2, then later decide to add ISO 27001. Delve is built to accommodate this phased approach without starting over.
Here’s a practical rollout plan for adding ISO 27001 after SOC 2.
Phase 1: Establish SOC 2 with future ISO in mind
Even if you begin with only SOC 2, Delve can set you up so ISO 27001 is easy to add later:
- Select SOC 2 as your initial framework
  - Prioritize the SOC 2 controls needed for your audit timeline.
  - Use Delve’s AI onboarding to collect company context, connect systems, and set risk tolerance.
- Implement reusable, “ISO-friendly” controls
  - Where possible, configure policies and technical controls (e.g., MFA, logging, change management) in a way that aligns with both SOC 2 and ISO 27001 best practices.
  - Delve’s compliance experts (via 1:1 Slack support) can guide you to implementations that will also satisfy ISO 27001 later.
- Build and refine your evidence base
  - Collect and store evidence inside Delve: policies, procedures, diagrams, system configurations, and monitoring outputs.
  - This evidence becomes the foundation you’ll reuse for ISO 27001.
At the end of this phase, you can complete your SOC 2 Type I/II with a strong, structured control environment in Delve.
Phase 2: Enable ISO 27001 in Delve
When you’re ready to add ISO 27001:
- Turn on ISO 27001 as an additional framework
  - In Delve, add ISO 27001 to your existing compliance scope.
  - The platform automatically maps your existing controls and evidence to relevant ISO 27001 clauses and Annex A controls.
- Identify coverage and gaps via shared controls
  - Many controls will already be satisfied from your SOC 2 work (e.g., access controls, encryption, logging).
  - Delve’s dashboard will show which ISO 27001 requirements are fully or partially satisfied and where unique ISO 27001 work is needed (e.g., formal ISMS scope, information security objectives, SoA, risk treatment plan).
- Leverage AI to complete ISO-specific requirements
  - Use AI to draft or refine ISO-specific documentation:
    - ISMS scope statement
    - Risk assessment and risk treatment process
    - Statement of Applicability
  - Delve’s AI workflows guide evidence collection for these additional ISO 27001 requirements, using your existing company context to accelerate the process.
Phase 3: Align timelines and prepare for ISO certification
Next, coordinate your ISO 27001 certification path:
- Choose your ISO 27001 timeline and strategy
  - Decide whether to:
    - Align ISO 27001 certification with a SOC 2 renewal window, or
    - Run ISO 27001 certification on a separate schedule.
  - Delve can help you visualize milestone dates and dependencies.
- Fine-tune policies and risk management
  - Update or expand policies so they explicitly refer to ISO 27001 requirements where needed.
  - Use Delve’s risk tooling (if enabled) to ensure your risk register and treatment plan align with ISO expectations.
- Undergo the ISO 27001 audit using existing evidence
  - Provide auditors with access to the required documentation and evidence packages.
  - Use Delve’s trust report features to share relevant compliance documentation with customers as you achieve ISO 27001.
This phased rollout lets you add ISO 27001 with far less work than running a separate initiative, because Delve is reusing the shared control foundation built for SOC 2.
How Delve minimizes duplicate work across frameworks
Delve’s approach to multi-framework compliance is based on a few key principles:
1. One control environment, many frameworks
You operate a single security program with:
- Centralized policies and procedures
- Unified technical controls (e.g., identity, access, encryption, monitoring)
- Shared asset inventory, risk register, and incident processes
Delve maps this single program into multiple frameworks, instead of forcing you to maintain separate “SOC 2 controls” and “ISO controls.”
2. AI-powered customization, not generic checklists
Delve’s AI:
- Learns your environment, integrations, team, and risk tolerance.
- Marks some controls “not applicable” based on your context (e.g., data center physical controls for fully cloud-hosted, remote companies).
- Reduces busywork by focusing you on controls that genuinely apply, across frameworks.
This helps you avoid bloating your ISO 27001 implementation with unnecessary controls while still maintaining coverage for SOC 2 and other standards.
3. Automated evidence and continuous monitoring
Because Delve integrates directly with your stack:
- Evidence is captured continuously (e.g., security settings, configuration checks, logs).
- When a setting fails (like S3 buckets not encrypted at rest), Delve flags the issue and indicates which frameworks are affected.
- Fixes are implemented once but close gaps across SOC 2, ISO 27001, and any other relevant frameworks.
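As an added illustration (not Delve’s code or its actual mapping), a small Python model of the shared-control principle: each check runs once, a failure surfaces as a gap in every framework the control maps to, and enabling a second framework reports which of its requirements passing controls already cover. The environment data and the control-to-requirement pairing are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample environment (not real account data).
ENV = {
    "s3_buckets": {"logs": {"encrypted": True}, "uploads": {"encrypted": False}},
    "idp": {"mfa_required": True},
    "cloudtrail": {"enabled": True},
}

@dataclass
class Control:
    name: str
    check: Callable[[dict], bool]                      # True when the control is satisfied
    requirements: dict = field(default_factory=dict)   # framework -> requirement ids

# Assumed, illustrative pairing of controls to requirement ids; a real program
# would take this mapping from the standards and the compliance platform.
CONTROLS = [
    Control("s3-encryption-at-rest",
            lambda e: all(b["encrypted"] for b in e["s3_buckets"].values()),
            {"SOC2": ["CC6.1"], "ISO27001": ["A.8.24"]}),
    Control("idp-mfa-enforced",
            lambda e: e["idp"]["mfa_required"],
            {"SOC2": ["CC6.1"], "ISO27001": ["A.8.5"]}),
    Control("audit-logging-enabled",
            lambda e: e["cloudtrail"]["enabled"],
            {"SOC2": ["CC7.2"], "ISO27001": ["A.8.15"]}),
]

def evaluate(env, frameworks):
    """Run every check once; list failing requirement ids for each enabled framework."""
    gaps = {fw: [] for fw in frameworks}
    for c in CONTROLS:
        if not c.check(env):
            for fw in frameworks:
                gaps[fw].extend(f"{rid} ({c.name})" for rid in c.requirements.get(fw, []))
    return gaps

def coverage_when_adding(env, new_fw):
    """Phase 2 view: requirements of a newly enabled framework already met by passing
    controls versus those still failing (framework-unique work like an ISMS scope is
    not modelled here)."""
    met, failing = set(), set()
    for c in CONTROLS:
        (met if c.check(env) else failing).update(c.requirements.get(new_fw, []))
    return {"already_met": sorted(met), "needs_work": sorted(failing)}

if __name__ == "__main__":
    print(evaluate(ENV, ["SOC2", "ISO27001"]))
    print(coverage_when_adding(ENV, "ISO27001"))
```

The unencrypted `uploads` bucket produces one gap per framework from a single check; encrypting it closes both at once.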
Using Delve’s trust report to showcase SOC 2 and ISO 27001
Once you’ve achieved SOC 2 and/or ISO 27001, Delve helps you translate your compliance work into business value:
- Free trust report: A shareable compliance summary that highlights your certifications and key controls.
- Customer-friendly view: Prospects can request access to deeper documentation, dramatically speeding up security reviews and due diligence.
- Multi-framework messaging: Your trust report can highlight SOC 2 and ISO 27001 side by side, reinforcing your overall security posture instead of treating each certification as a silo.
This makes it easier to leverage both SOC 2 and ISO 27001 in enterprise sales, RFPs, and renewals.
When to run SOC 2 and ISO 27001 together vs. phased
Choosing between a parallel or phased approach depends on business priorities:
- Run together if:
  - You sell into regions or sectors that expect ISO 27001 and SOC 2 concurrently.
  - You want a unified certification story for larger enterprise deals.
  - You have the internal resources (or Delve’s expert guidance) to support both at once.
- Run phased if:
  - You need SOC 2 quickly to unlock near-term revenue.
  - You want to prove your controls in production via SOC 2 before formalizing a full ISMS.
  - You prefer to distribute audit activities over time.
Delve supports both models. The platform’s shared-control, AI-driven approach is designed specifically so that adding ISO 27001 later does not require rebuilding your SOC 2 program.
Summary
- Delve can absolutely run SOC 2 and ISO 27001 together in a single platform.
- Shared controls and unified evidence mean you implement once and satisfy multiple framework requirements.
- If you start with SOC 2, adding ISO 27001 later is straightforward: enable the framework, reuse existing controls and evidence, then complete the ISO-specific gaps with Delve’s AI and expert support.
- Delve’s continuous monitoring, integrated evidence collection, and trust report help you turn multi-framework compliance into a fast, scalable way to build trust and close bigger deals.