Mapping SOC 2 and ISO 27001 Without a Consultant in the Room
8 April 2026
The expensive part of an audit is rarely the control itself. It is assembling evidence that the control was in place over the audit period. For the identity domain, much of that evidence already exists as live tenant state.
Access reviews, privileged role assignments, MFA enforcement and conditional access scope map directly onto common SOC 2 and ISO 27001 control families. If those are continuously evaluated and timestamped, evidence collection stops being a fire drill and becomes an export.
This does not replace an auditor. It changes what you hand them: a current, sourced posture instead of screenshots gathered the week before the assessment.