The controls required to meet the SOC 2 and ISO 27001 requirements come in as adopted when your program is created. That said, you also have access to other controls that you can adopt to show the maturity of your program. You are not required to adopt all, but if you are implementing those controls, go ahead and adopt them.