Controls Generally consist of multi-issue authentication for process entry, function-based permissions that limit who will see what, protection scanning to discover vulnerabilities, and documented treatments for responding to security incidents. Your auditor will check no matter if these controls exist and whether or not they get the job done regularly. https://calvant.com/blog/iso-27001-vs-soc-2-comparison-differences-benefits