Bundling ISO 27001 with SOC 2, ISO 9001, ISO 27701 and GDPR
Why bundling exists
ISO 27001:2022 Annex A and the major adjacent frameworks share significant control overlap. The same evidence frequently satisfies requirements in two or more standards. Where the audit programme can be designed to test once and report against multiple certifications, the combined cost falls meaningfully below the sum of the parts.
| Adjacent standard | Approximate control overlap | Where the delta lives |
|---|---|---|
| SOC 2 Trust Services Criteria | ~90% | SOC 2 has Trust Service Criteria for confidentiality, availability and processing integrity that map closely; the SOC 2 audit framework is procedurally distinct |
| ISO 9001 management-system clauses | ~30 – 40% | Management-system clauses (context, leadership, risk, continual improvement) overlap; quality-specific operational controls are separate |
| ISO 27701 (privacy extension) | ~95% (base) + privacy delta | 27701 is an extension of 27001; near-100% base overlap, plus 25 to 35% additional implementation effort for privacy management |
| GDPR Article 32 technical controls | ~60 – 70% | Annex A controls cover encryption, access, logging, supplier; legal-basis, transparency, rights-handling sit outside |
Control-overlap percentages are practitioner consensus figures. Specific mappings are published by ENISA, AICPA and BSI; the assumption set behind the figures is on the methodology page.
ISO 27001 + SOC 2 combined
Teams pursuing ISO 27001 alongside SOC 2 Type II typically save 30 to 40 percent on the combined engagement, because the two frameworks overlap in roughly 90 percent of their controls. The shared evidence base, shared policy authoring and shared internal audit effort compound across the year-one programme. The SOC 2 side of that calculation, including how Type I and Type II audits price separately, is detailed at soc2certificationcost.com.
| Programme | ISO 27001 only | SOC 2 only | Combined | Saving |
|---|---|---|---|---|
| Year 1 implementation | £20k | £18k | £28k | £10k (26%) |
| Audit fees year 1 | £8k | £20k | £26k | £2k (7%) |
| Tooling | £18k | £18k | £22k | £14k (39%) |
| Year 1 total | £46k | £56k | £76k | £26k (25%) |
The implementation and tooling lines drive the combined saving; audit fees are largely independent because separate audit teams test each framework. The 25 percent saving above sits just below the typical 30 to 40 percent band; organisations with a mature ISMS programme already in operation reach the upper end of that band more readily.
ISO 27001 + ISO 9001 combined
Where ISO 27001 is being implemented alongside an existing or planned ISO 9001 quality management system, an integrated audit programme can reduce certification-body fees by 15 to 25 percent over a three-year cycle. The quality-management-system cost picture is mapped at iso9001certificationcost.com.
The integrated management system pattern: a single certification body performs an integrated audit across both standards, with shared management-system clauses tested once. Surveillance years two and three integrate similarly. The saving is largest where the same auditor team holds both ISO 27001 and ISO 9001 lead-auditor credentials.
ISO 27001 + GDPR scope
Firms processing EU customer personal data must satisfy GDPR independently of their ISO 27001 status. There is real but partial overlap: the Annex A privacy controls (A.5.34, A.8.10 and the A.8.11 family) cover some but not all of the GDPR Article 32 requirements. The remaining privacy spend is broken down at gdprcompliancecost.com.
Practitioner pattern: ISO 27001 covers the technical and organisational measures requirement (Article 32), but does not cover lawful basis (Article 6), data subject rights handling (Articles 12 to 22) or international transfer mechanisms (Chapter V). A separate privacy management programme remains necessary, though the technical-controls overlap reduces duplication materially.
ISO 27001 + ISO 27701 (privacy extension)
ISO 27701 extends ISO 27001 with a Privacy Information Management System. The base 27001 ISMS is reused near-completely; the addition is privacy-specific controls, governance and a separate certificate. Practitioner data places the additional implementation effort at 25 to 35 percent of the base ISO 27001 cost, with audit-fee uplift of 20 to 30 percent for the combined certificate.
The 27701 extension is most useful where the organisation processes significant personal data on behalf of customers (data processor posture) or operates as a controller in a privacy-regulated market. For organisations primarily seeking technical-controls assurance, ISO 27001 alone is the simpler programme.
When not to bundle
Bundling is not always cheaper. Concurrent multi-standard engagements for a small team are often slower than sequential, and the coordination overhead consumes the theoretical saving. For under-50 FTE organisations pursuing first-time certification, sequential is frequently the cheaper path: ISO 27001 in year one, SOC 2 Type II in year two with the ISMS already operating.
Adjacent: PCI DSS for payments-handling firms
Payment-processing firms typically scope PCI DSS alongside ISO 27001 in a combined compliance programme. The cost overlap, and what remains separate spend, is set out at pcicompliancecost.com. The relevant pattern: ISO 27001 covers the security-management system; PCI DSS covers cardholder-data-environment-specific controls, with separate quarterly scanning and Qualified Security Assessor engagements that ISO 27001 does not replace.
Where to read next
For the audit-fee implications of bundling, see the audit fees page. For the cost-driver context against which combined savings are measured, see the cost drivers page. For sanity-check scenarios that include multi-standard pressure, see the small business page.