ZEROCK

Claude Code × SOC 2 / ISO 27001 Implementation Guide: Designing Controls That Reconcile AI Adoption with Certification Maintenance (2026 Edition)

2026-04-25 濱本 隆太

An implementation guide for teams that want to deploy Claude Code at the enterprise level without breaking their SOC 2 Type II or ISO/IEC 27001:2022 certifications. Drawing on Anthropic's Trust Center disclosures, the shared responsibility model, and the mapping of CC1 through CC9 and ANNEX A controls, this article translates compliance theory into the day-to-day work that teams actually have to perform.


Hello, this is Hamamoto from TIMEWELL.

"We want to roll out Claude Code company-wide, but we cannot afford to lose our SOC 2 Type II or ISO/IEC 27001:2022 certifications." Lately, the frequency with which I hear this from CSIRT members and IT departments has spiked. Executives are drawn in by the productivity story; engineers on the ground are already using it on personal contracts. Meanwhile, the IT and security teams who carry the burden of certification maintenance are looking at SOC 2 CC6.1 and ISO 27001 A.5.23 with their heads in their hands. That is the typical 2026 spring tableau.

The first article in this series covered the design considerations for accepting Claude Code into the enterprise. This second installment moves to the next stage: a concrete implementation guide for "bringing Claude Code under control without breaking the certifications you already hold." It walks through how to read Anthropic's Trust Center disclosures, how to redraw the shared responsibility line, how to map controls onto SOC 2 Trust Service Criteria and ISO/IEC 27001:2022 ANNEX A, and how to gather the audit evidence required—at the level a working team can actually use.


Anthropic's SOC 2 / ISO 27001 Posture and How to Read the Usage Policy

Start with the certification posture, which is the area most often misread. As of April 2026, Anthropic's Trust Center discloses SOC 2 Type II, ISO/IEC 27001:2022, and ISO/IEC 42001:2023 certifications, plus a HIPAA-capable configuration with BAAs available. SOC 2 Type II spans a twelve-month observation window across Security, Availability, Processing Integrity, Confidentiality, and Privacy. Scope includes the Claude API, the web application, the audit log infrastructure, and the Zero Data Retention (ZDR) endpoints.

ISO/IEC 42001:2023 is a new international standard for AI management systems. While SOC 2 and ISO 27001 examine information security management in general, 42001 examines AI-specific risks—transparency, accountability, bias, and model lifecycle management. Augment Code's published analysis reports that 60% of companies that ran SOC 2 and 42001 as parallel, separate programs failed certification preparation, while integrated frameworks achieve 40–50% overhead reduction[^1]. The fact that Anthropic itself holds ISO 42001 is unglamorous but materially reassuring for customers.

The provisions governing data handling shifted significantly in September 2025. The AUP was renamed "Usage Policy" and split clearly into B2B and consumer scopes. On the same day, September 14, the standard log retention period for the API was reduced from 30 days to 7 days[^2]. Usage for training is not enabled by default, and ZDR contracts ensure no data is retained on Anthropic's side. If you need 30-day retention for audit purposes, you re-extend it via a DPA opt-in.

The reading error to avoid here is "Anthropic is certified, therefore our SOC 2 and ISO 27001 will pass as-is." Anthropic's certifications cover the provider side; they do not substitute for your internal controls. Without correctly understanding the shared responsibility model, the audit floor will collapse beneath you.


Shared Responsibility When Enterprises Use Claude Code

The shared responsibility model is not a new concept. It is most usefully thought of as adding AI-specific dimensions to the IaaS / PaaS / SaaS shared responsibility framework that AWS and Microsoft Azure have refined over the past decade. Microsoft's documentation on AI shared responsibility explicitly states that the vendor is responsible for the foundation, model hosting, and platform protection, while the customer is responsible for input data protection, prompt injection countermeasures, and adherence to organizational and regulatory requirements[^3].

Mapped onto Claude Code, the dividing line looks roughly like this. Anthropic's responsibilities: data center and physical network protection, model safety, vulnerability response for the API and admin console, encryption of communication paths via TLS, minimum scanning required for AUP-violation detection, and maintenance of SOC 2 and ISO 27001 certifications. The customer's responsibilities: granting and revoking access permissions, education and filtering to prevent confidential data input, operation of /sandbox settings and ConfigChange hooks and other governance features, long-term retention of audit logs, building out internal SOC 2 and ISO 27001 controls, and employee training.

The dimension most often missed for SaaS-style AI is the expansion of the attack surface. Claude Code reads and writes files in the user's local environment, and where necessary, executes bash commands. As Anthropic's official documentation emphasizes, the defaults are read-only, write operations and command execution require explicit approval, and writes are restricted to the working directory containing CLAUDE.md[^4]. That said, how those defaults are configured is the customer's responsibility. SOC 2 auditors do not ask "did you configure it"—they ask "is the configuration enforced as the organizational standard."

In a financial services client engagement, the first deliverable was a single sheet that drew the line between "what Anthropic protects" and "what we must protect," with each item assigned to its responsible department. Mapping security operations to the CISO's office, identity management to IT, usage guidelines to the engineering organization, training to HR, and contract review to legal—this single act of explicit assignment cut subsequent audit preparation effort by more than half. It is unglamorous, but skipping it forces multiple rework cycles.


Evaluating Claude Code Across the Five SOC 2 Trust Service Criteria

Now to the substance. The 2017 Trust Services Criteria (with revised Points of Focus in 2022) published by AICPA are organized into Common Criteria CC1 through CC9, plus additional categories that sit on top[^5]. The five domains where Claude Code requires real effort are CC1, CC2, CC6, CC7, and CC8. We walk through them in order.

CC1 (Control Environment) and CC2 (Communication and Information) are essentially "does the organization have a policy, and is it communicated internally?" For Claude Code specifically, consolidate scope of use, prohibited use cases, handling of confidential data, and incident response into a single AI usage policy. My own view is that the most operationally manageable approach is to author a "coding AI usage standard" that horizontally regulates Claude Code, Cursor, ChatGPT, and Gemini, with tool-specific addenda below it. Writing separate policies per tool means rewriting all of them every time a Usage Policy changes.

CC6 (Logical and Physical Access Controls) is the largest cluster, with eight criteria, and is the center of gravity for SOC 2 audits. For Claude Code, the axes are: assigning personally-identifiable IDs through SAML 2.0 or OIDC SSO; automating provisioning and deprovisioning through Okta, Azure AD, Ping Identity or other IdPs via JIT or SCIM; and granting permissions on a least-privilege, role-based basis[^6]. As Tigera notes, CC6.1 requires that "only specifically authorized individuals can enter the system." Sharing one API key across fifty people collapses identifiability on its own and becomes an audit finding immediately.

CC7 (System Operations) governs detection and response. Claude Code's audit logs are retained in the Admin Console for 30 days by default, support JSON / CSV export, and forward to major SIEMs including Splunk, Datadog, and Elastic[^7]. The conventional SOC 2 log retention period is 90 days or more, so the realistic design is "30 days on the Claude side, more than a year in the SIEM"—a two-tier configuration. To satisfy the continuous monitoring requirement of CC7.2, embed thresholds for API error rates, top failed bash commands, and latency percentiles into your on-call monitoring, and automate ticket creation on anomalies.
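The CC7.2 threshold check described above, as an added example (not code from Anthropic or any SIEM vendor). The event field names, the sample lines and the threshold values are constructed assumptions; map them to whatever your forwarded export actually contains.

```python
import json
import math
from collections import Counter

# Constructed sample of forwarded events; the field names are assumptions,
# not a documented export schema.
SAMPLE_LOG = """\
{"actor":"a.sato","tool":"Bash","status":"ok","command":"npm test","latency_ms":420}
{"actor":"a.sato","tool":"Bash","status":"error","command":"kubectl apply -f prod.yaml","latency_ms":900}
{"actor":"m.suzuki","tool":"Edit","status":"ok","command":null,"latency_ms":310}
{"actor":"m.suzuki","tool":"Bash","status":"error","command":"kubectl apply -f prod.yaml","latency_ms":870}
{"actor":"y.ito","tool":"Bash","status":"error","command":"rm -rf build","latency_ms":150}
{"actor":"y.ito","tool":"Read","status":"ok","command":null,"latency_ms":95}
{"actor":"a.sato","tool":"Bash","status":"error","command":"kubectl apply -f prod.yaml","latency_ms":5200}
{"actor":"k.tanaka","tool":"Edit","status":"ok","command":null,"latency_ms":280}
"""

# Assumed limits; tune them against your own baseline.
THRESHOLDS = {"error_rate": 0.25, "p95_latency_ms": 3000, "repeat_failures": 3}

def p95(values):
    # Nearest-rank percentile: smallest value with at least 95% of samples at or below it.
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]

def evaluate(jsonl, limits=THRESHOLDS):
    """Compute the three CC7.2 metrics and return them with any threshold breaches."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    if not events:
        # An empty window usually means forwarding broke, which is itself an anomaly.
        return {"alerts": [("no_events", 0)]}
    failed = [e for e in events if e["status"] != "ok"]
    failed_bash = Counter(e["command"] for e in failed if e["tool"] == "Bash")
    metrics = {
        "error_rate": len(failed) / len(events),
        "p95_latency_ms": p95([e["latency_ms"] for e in events]),
        "top_failed_bash": failed_bash.most_common(3),
    }
    alerts = [(k, metrics[k]) for k in ("error_rate", "p95_latency_ms")
              if metrics[k] > limits[k]]
    alerts += [("repeat_failure", cmd) for cmd, n in metrics["top_failed_bash"]
               if n >= limits["repeat_failures"]]
    metrics["alerts"] = alerts  # hand each tuple to the ticketing integration
    return metrics

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG)["alerts"])
```
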

CC8 (Change Management) examines the process by which code or configuration produced by Claude Code reaches production. As Raza Shariff provocatively writes, "your SOC 2 audit will fail when AI agents arrive"[^8]. Operating Claude Code so that it commits directly collapses change approval traceability. For the past several months I have been recommending the following set on the ground: "even if AI writes it, PR review is performed by humans; the approver is the senior engineer with primary ownership; merge permissions are enforced via CODEOWNERS." Combine this with a pre-commit hook on the Claude Code side and you can layer in automated checks before review.
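One way to check the CC8 rule above before merge, as an added example (not GitHub's or Anthropic's code): every changed file needs an approval from a human owner who is not the PR author. The CODEOWNERS content, the handles, the automation account and the PR record are constructed, and the pattern matcher covers only a simplified subset of CODEOWNERS syntax.

```python
import fnmatch

# Constructed CODEOWNERS content and handles; later rules override earlier ones.
CODEOWNERS = """\
*         @k.tanaka
*.tf      @m.suzuki @y.ito
/infra/   @m.suzuki
"""
AUTOMATION = {"@ci-bot"}  # constructed: accounts that never count as a human approver

# Constructed pull request record (hypothetical shape, not a real API response).
SAMPLE_PR = {"author": "@a.sato", "files": ["infra/main.tf", "src/app.py"],
             "approvals": ["@k.tanaka", "@ci-bot"]}

def parse_codeowners(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, set(owners)))
    return rules

def matches(pattern, path):
    # Simplified subset of CODEOWNERS syntax: "*", "/dir/" prefixes,
    # "/exact/path", and basename globs such as "*.tf".
    if pattern == "*":
        return True
    if pattern.endswith("/"):
        return path.startswith(pattern.lstrip("/"))
    if pattern.startswith("/"):
        return path == pattern[1:]
    return fnmatch.fnmatch(path.rsplit("/", 1)[-1], pattern)

def owners_for(path, rules):
    owners = set()
    for pattern, rule_owners in rules:  # the last matching rule wins
        if matches(pattern, path):
            owners = rule_owners
    return owners

def unapproved_files(pr, rules, automation=AUTOMATION):
    """Files lacking approval from a human owner other than the PR author."""
    humans = set(pr["approvals"]) - automation - {pr["author"]}
    return [p for p in pr["files"] if not (owners_for(p, rules) & humans)]

if __name__ == "__main__":
    print(unapproved_files(SAMPLE_PR, parse_codeowners(CODEOWNERS)))
```

The returned list doubles as audit evidence: an empty list per merged PR shows the approval rule operated, and a non-empty one names the paths that blocked the merge.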


ISO/IEC 27001:2022 ANNEX A Controls (A.5–A.8)

ISO/IEC 27001:2022 was substantially overhauled from the 2013 edition, and ANNEX A now contains 93 controls, grouped into four themes: Organizational A.5 (37 controls), People A.6 (8 controls), Physical A.7 (14 controls), and Technological A.8 (34 controls)[^9]. The controls directly relevant to Claude Code concentrate in parts of A.5 and A.8.

Among the organizational controls, A.5.1 "Policies for information security" is the starting point. With executive endorsement, publish and disseminate the AI usage policy as a formal document, including employee acknowledgment. A.5.10 "Acceptable use of information and other associated assets" specifies whether copy/paste of confidential data is allowed, the labeling regime for internal/confidential/public, and the handling of source code. As ISMS.online notes, 5.10 plays the role of translating the policy framework of 5.1 into concrete daily work[^10]. A.5.23 "Information security for use of cloud services" is unavoidable. Claude Code is precisely a cloud service, and without documented selection criteria, contract review processes, and end-of-engagement data handling, you stop here.

Among the technological controls, A.8.15 "Logging" and A.8.16 "Monitoring activities" are the twin pillars. 8.15 requires "capturing logs and protecting them from tampering" and 8.16 requires "analyzing logs to detect anomalies"[^11]. Merely retaining Claude Code audit logs only satisfies A.8.15—exactly as with SOC 2 CC7, you must forward to a SIEM and run correlation analysis to reach A.8.16. Equally important are the ten event types A.8.15 specifies: authentication successes and failures, privileged account actions, administrator operations, system errors, configuration changes, and modifications to important files. Claude Code's ConfigChange, pre-tool, and post-tool hooks excel at automatically logging exactly the "configuration change" and "privileged operation" events from this list. For details on usage, see Putting 45 Claude Code Skills to Work.

A.8.28 "Secure coding" maps directly to quality assurance for code generated by Claude Code. SAST/DAST tools, dependency vulnerability scans, and secret detection must all be applied without exception to code authored by Claude Code. In my experience, the moment a team decides "AI-written code only needs a lighter check," that becomes the auditor's sharpest line of attack. The safer position is for the CTO to explicitly signal that AI-authored code is reviewed more rigorously, not less.


Audit Evidence Collection in Practice (Logs, Policies, Contracts)

Designing controls is not enough to achieve certification. Both SOC 2 Type II and ISO 27001 require evidence that the controls operated effectively over a defined period. Below is the evidence package I use in the field, organized for the Claude Code context.

Start with contracts and policies. Store the latest Anthropic Commercial Terms, DPA, ZDR addendum, and AUP (Usage Policy) by case ID. Keep the legal review history alongside, and you can answer auditor questions about the contract review process immediately. The downloadable reports from the Trust Center are the SOC 2 Type II in full, the ISO 27001 certificate, the ISO 42001 certificate, and the penetration test summary. These update at least once per year, so configure your GRC tooling with "automatic reminders + diff review" jobs.

Next is operational logs. Forward exported audit logs from the Admin Console daily into the SIEM and retain at least 13 months. SOC 2 Type II conventionally uses a 12-month observation window, so 13 months provides cushion at the annual renewal point. The most operationally effective evidence in practice is the machine-readable JSON produced by Claude Code hooks. As Amit Kothari notes, combining pre-tool, post-tool, and pre-commit hooks lets you record at reproducible granularity who issued which prompt, called which tool, and modified which code[^12]. This single artifact covers SOC 2 CC7 and CC8, plus ISO 27001 A.8.15, A.8.16, and A.8.32 (change management) at once—an unusually high-leverage piece of evidence.
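The hook evidence described above, and the A.8.15 requirement to protect logs from tampering, as an added example (not Anthropic's code or the cited authors'). It turns hook payloads into a hash-chained record set that an auditor can re-verify. The payload field names and the sample events are constructed assumptions about what a hook receives; the actor and timestamp are supplied by the wrapper.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash value for the first entry

# Constructed hook payloads. Field names (session_id, hook_event_name,
# tool_name, tool_input) are assumptions about what the hook receives.
SAMPLE_HOOK_EVENTS = [
    ("2026-04-20T09:00:01Z", "a.sato", {"session_id": "s-001", "hook_event_name": "PreToolUse",
     "tool_name": "Bash", "tool_input": {"command": "terraform plan"}}),
    ("2026-04-20T09:00:09Z", "a.sato", {"session_id": "s-001", "hook_event_name": "PostToolUse",
     "tool_name": "Edit", "tool_input": {"file_path": "infra/main.tf"}}),
    ("2026-04-20T09:03:30Z", "a.sato", {"session_id": "s-001", "hook_event_name": "ConfigChange",
     "tool_name": None, "tool_input": {}}),
]

def digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def to_record(ts, actor, event):
    # Keep who / what / which target; drop bulky or sensitive payload fields.
    tool_input = event.get("tool_input") or {}
    return {
        "ts": ts, "actor": actor, "session": event.get("session_id"),
        "event": event.get("hook_event_name"), "tool": event.get("tool_name"),
        "target": tool_input.get("command") or tool_input.get("file_path"),
    }

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": digest(prev, record)})
    return chain

def build_chain(samples):
    chain = []
    for ts, actor, event in samples:
        append(chain, to_record(ts, actor, event))
    return chain

def verify(chain):
    """Return the index of the first entry that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

# Truncating the tail is invisible to verify(); forward the latest hash to the
# SIEM with each batch so the chain head is anchored outside this file.
if __name__ == "__main__":
    print(verify(build_chain(SAMPLE_HOOK_EVENTS)))
```
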

Finally, the people side (A.6). Maintain attendance records for AI usage training, signed acknowledgments, ID-revocation logs at separation, and internal audit reports. My own opinion: "30 minutes online once per year" is not enough for AI training. Run it at three triggers—when a new tool is introduced, when the Usage Policy is revised, and at quarterly retrospectives. That cadence balances certification maintenance and incident prevention.

Designing this evidence-collection regime end-to-end is not a side-project workload. Our WARP service supports control design and audit evidence preparation as part of AI consulting, and we have seen increasing requests to design configurations that withstand the SOC 2 / ISO 27001 / ISO 42001 trifecta together. For engagements with strict data residency or in-country server requirements, hosting ZEROCK in an AWS Japan region alongside Claude Code—and confining confidential-zone knowledge to ZEROCK—is also effective. The boundary "Claude Code is not used for data classified above internal-use; confidential data is handled by ZEROCK" is one of the cleanest stories to tell an audit committee.


Closing Thoughts

The SOC 2 Type II and ISO/IEC 27001:2022 certifications Anthropic holds establish the preconditions for using Claude Code. They do not, by themselves, deliver your certification. The work that lands on the customer side: drawing the shared responsibility line, building internal CC1–CC9 controls, mapping ANNEX A.5–A.8, and producing evidence that operations functioned effectively for over a year.

The first step I recommend is reaching internal alignment on the shared responsibility one-pager. Simply assigning "who protects what" by department accelerates the subsequent CC6 and A.5.23 discussions enormously. Next, install hands-off evidence collection through Claude Code hooks plus SIEM forwarding. Finally, sign the ZDR contract and DPA, and refresh the policy documents. Following this sequence, you can move from "Claude Code is here" to "Claude Code is operated company-wide without breaking certifications" within six months to a year.

A note on what auditors actually want to see in the room. They are not impressed by elaborate slide decks describing the controls; they want to watch you execute the controls. When asked to demonstrate CC6.2, they want you to revoke a departed employee's Claude Code access in real time and show the corresponding deprovisioning log in the IdP. When asked to demonstrate A.8.16, they want you to pull up an actual anomaly your monitoring caught last quarter, walk through the response timeline, and produce the post-incident report. Build the program around demonstrability, not documentation, and the audit becomes routine rather than theatrical.

For the design considerations that precede Claude Code adoption, see Designing Claude Code Onboarding for the Enterprise. For real-world examples of leveraging Skills and plugins, see Where the Superpowers Claude Code Plugin Earns Its Keep. If your organization is serious about getting enterprise operations right, please feel free to reach out.

[^1]: Augment Code, "AI Governance Framework for SOC 2 & ISO 42001 Compliance" https://www.augmentcode.com/guides/ai-governance-framework-for-soc-2-and-iso-42001-compliance

[^2]: Anthropic, "Updates to our Usage Policy" https://www.anthropic.com/news/usage-policy-update / Anthropic Privacy Center, "How long do you store my organization's data?" https://privacy.claude.com/en/articles/7996866

[^3]: Microsoft Learn, "Shared responsibility in the cloud" https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

[^4]: Claude Code Docs, "Security" https://code.claude.com/docs/en/security

[^5]: AICPA & CIMA, "2017 Trust Services Criteria (With Revised Points of Focus – 2022)" https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

[^6]: Claude Help Center, "Set up single sign-on (SSO)" https://support.claude.com/en/articles/13132885-set-up-single-sign-on-sso

[^7]: Datadog, "Monitor Claude Code adoption with AI Agents Console" https://www.datadoghq.com/blog/claude-code-monitoring/

[^8]: Raza Shariff, "Your SOC 2 Audit Will Fail When AI Agents Arrive" https://dev.to/razashariff/your-soc-2-audit-will-fail-when-ai-agents-arrive-heres-the-14-control-fix-58fp

[^9]: ISMS.online, "ISO 27001:2022 Annex A Explained & Simplified" https://www.isms.online/iso-27001/annex-a-2022/

[^10]: ISMS.online, "ISO 27001:2022 Annex A 5.1 – Information Security Policies" https://www.isms.online/iso-27001/annex-a-2022/5-1-information-security-policies-2022/

[^11]: ISMS.online, "ISO 27001:2022 Annex A 8.15 – Logging" https://www.isms.online/iso-27001/annex-a-2022/8-15-logging-2022/

[^12]: Amit Kothari, "Claude Code SOC 2 compliance — what your auditor needs to know" https://amitkoth.com/claude-code-soc2-compliance-auditor-guide/
