ISO 27001 vs SOC 2: The Short Answer
If your customers are primarily in North America, they want SOC 2. If your customers are primarily in Europe or you're selling to large multinationals, ISO 27001 carries more weight — and is increasingly required for EU public sector contracts. Many mature SaaS companies eventually pursue both.
But getting one wrong — or pursuing the wrong one first — wastes six to twelve months and tens of thousands of euros. Let's break it down properly.
What They Actually Are
| Dimension | SOC 2 | ISO 27001 |
|---|---|---|
| Full name | System and Organisation Controls 2 | ISO/IEC 27001:2022 Information Security Management System |
| Issued by | American Institute of CPAs (AICPA) | International Organisation for Standardisation (ISO) |
| Type | Audit report (attestation) | Management system certification |
| Output | SOC 2 Type I or Type II report from licensed CPA firm | Certificate from accredited certification body (valid 3 years) |
| Scope | Trust Service Criteria: Security (mandatory) + Availability, Confidentiality, Processing Integrity, Privacy (optional) | 110 controls across 93 control objectives (Annex A), covering 4 domains: Organisation, People, Physical, Technological |
| Geographic recognition | Dominant in US and Canada; widely recognised in UK and Australia | Global standard; required in many EU government procurement frameworks |
| Prescriptive? | No — criteria are principle-based. You define how you meet them. | More prescriptive — requires documented ISMS, formal risk treatment, management review cadence |
SOC 2 in Depth
SOC 2 is the de facto security standard for US SaaS. Every US enterprise procurement team knows what to look for in a SOC 2 Type II report. It answers the question: does this vendor actually operate the security controls they claim to have?
Trust Service Criteria (TSC)
SOC 2 is built around five Trust Service Criteria. Only Security (CC series) is mandatory:
- Security (CC) — always required. Covers logical access, change management, risk assessment, monitoring, incident response.
- Availability (A) — add if uptime SLAs are material to your customers.
- Confidentiality (C) — add if you store trade secrets or proprietary customer data.
- Processing Integrity (PI) — add if transaction accuracy matters (FinTech, payroll).
- Privacy (P) — add if you handle significant volumes of personal data for US customers.
Most early-stage SaaS companies start with Security only. Adding Availability is common for infrastructure or API products. Adding Privacy is increasingly common post-CCPA.
Type I vs Type II
- Type I — auditor confirms your controls are designed correctly as of a point in time. Faster and cheaper. Useful to unlock deals while your Type II period accumulates.
- Type II — auditor confirms your controls operated effectively over a review period (minimum 6 months, typically 12). This is what enterprise procurement actually wants.
SOC 2 Timeline and Cost
| Phase | Duration | Typical Cost (early-stage SaaS) |
|---|---|---|
| Readiness assessment / gap analysis | 4–8 weeks | €3,000–€15,000 (consultant) or use compliance software |
| Remediation (building controls) | 2–6 months | Internal engineering time + tooling |
| Type I audit | 4–8 weeks | €8,000–€20,000 |
| Type II observation period | 6–12 months | Ongoing control operation |
| Type II audit | 6–10 weeks | €15,000–€40,000 |
Compliance automation platforms (Vanta, Drata, Secureframe) reduce audit prep time significantly and typically cost €8,000–€20,000/year. They can be worth it if you're doing both SOC 2 and ISO 27001.
ISO 27001 in Depth
ISO 27001 requires you to build and operate an Information Security Management System (ISMS) — a documented, audited system for managing information security risk across the organisation. It's more of a management framework than a checklist.
The 2022 Update (ISO/IEC 27001:2022)
The 2022 revision restructured Annex A from 114 controls in 14 clauses to 93 controls in 4 themes: Organisational (37), People (8), Physical (14), Technological (34). Key additions include threat intelligence, cloud security, data masking, web filtering, and secure coding. Certifications against the 2013 version expired in October 2025 — if you're starting now, you're working against 27001:2022.
The ISMS Core Requirements
- Documented scope, context, and interested parties analysis (Clause 4)
- Information security risk assessment and risk treatment plan (Clauses 6 and 8)
- Defined security objectives with measurable targets (Clause 6.2)
- Statement of Applicability (SoA) — document which of the 93 controls apply and why (or why excluded)
- Management review cadence (Clause 9.3)
- Internal audit programme (Clause 9.2)
- Formal corrective action process for nonconformities (Clause 10)
ISO 27001 Timeline and Cost
| Phase | Duration | Typical Cost |
|---|---|---|
| Gap analysis + ISMS design | 6–12 weeks | €5,000–€20,000 (consultant) |
| Implementation (controls + documentation) | 3–9 months | Internal time + tooling |
| Stage 1 audit (documentation review) | 1–2 days | €3,000–€8,000 |
| Stage 2 audit (operational audit) | 2–5 days on-site/remote | €8,000–€25,000 |
| Certificate issuance + surveillance audits (annual) | Ongoing | €3,000–€8,000/year |
Side-by-Side Comparison
| Factor | SOC 2 | ISO 27001 |
|---|---|---|
| Who asks for it | US enterprise buyers, US investors, US SaaS vendors | EU enterprise buyers, government procurement, multinationals |
| Time to first report/cert | 6–14 months (Type II) | 9–18 months |
| Total first-year cost | €25,000–€80,000 | €20,000–€60,000 |
| Ongoing annual cost | €15,000–€40,000 (annual re-audit) | €5,000–€15,000 (annual surveillance) |
| Prescriptiveness | Principle-based — flexible implementation | More prescriptive — formal ISMS required |
| Supply chain / vendor coverage | Covered under CC9 (vendor risk) | Covered under A5.19–A5.22 (supplier relationships) |
| Incident response required | Yes — CC7.3–7.5 | Yes — A5.24–A5.28 |
| Physical security | Limited — A-series controls | Comprehensive — 14 physical controls |
| Privacy | Optional Privacy TSC | ISO 27701 extension available (PIMS) |
| Publicly shareable? | Report is confidential — shared under NDA. Summary certificate available. | Certificate is public and searchable via accreditation body registries |
Which One Should Your SaaS Pursue First?
Choose SOC 2 first if:
- Your primary market is the US or Canada
- You're regularly asked "do you have a SOC 2 report?" in sales calls
- You're dealing with US enterprise procurement teams
- You want flexibility in how you implement controls
- You need a Type I quickly to unblock deals while building toward Type II
Choose ISO 27001 first if:
- Your primary market is the EU, UK, or Asia-Pacific
- You're targeting government or regulated industry procurement (ISO 27001 is often a contractual requirement)
- You process special category personal data under GDPR and want to demonstrate Art. 32 compliance
- You want a globally-recognised public certificate (vs a confidential audit report)
- You're building an ISMS anyway as part of GDPR compliance
Pursue both if:
- You're scaling globally and have US + EU enterprise customers
- You've already completed one and have mature controls — adding the second is incremental
- You're using compliance automation software (significant overlap in evidence collection)
The Control Overlap
There's significant overlap between SOC 2 and ISO 27001. A well-run SOC 2 programme covers roughly 60–70% of ISO 27001 Annex A controls. The main gaps ISO 27001 adds:
- Formal ISMS documentation (Statement of Applicability, risk register, management review minutes)
- Physical security controls (office, server room, clear desk/screen policy)
- HR/personnel controls (background checks, security awareness records, termination procedures)
- Business continuity planning (covered minimally in SOC 2 Availability criteria)
- Legal and compliance obligations register
Before You Pursue Either: Build Your Policy Foundation
Both frameworks require documented security policies. Before engaging an auditor or consultant, get your foundational documents in place:
- Information Security Policy — the master policy that references all others
- Incident Response Plan — required under SOC 2 CC7 and ISO 27001 A5.26
- Access Control Policy — user provisioning, offboarding, MFA, least privilege
- Vendor Risk Management Policy — sub-processor and supplier due diligence
- Business Continuity / DR Plan — RTO/RPO definitions, backup testing
Key Takeaways
- SOC 2 is the US standard — essential if your enterprise customers are US-based.
- ISO 27001 is the international standard — preferred in EU, government, and global procurement.
- Start with whichever your customers are actually asking for, not whichever sounds more impressive.
- Both require documented policies, incident response procedures, access control, and vendor risk management.
- Build your policy foundation first — it accelerates both certifications and pays off immediately in enterprise sales calls.