The question comes up constantly in security vendor deals: "Do you have ISO 27001 or SOC 2?" And the correct answer is almost never "whichever one you want" — because they're not interchangeable. They come from different standards bodies, serve different markets, and tell buyers fundamentally different things about your security program.
With NIS2 enforcement active across the EU since October 2024 and US enterprise procurement increasingly treating SOC 2 Type 2 as a non-negotiable procurement filter, the choice of which framework to pursue first has real business consequences. Pick wrong and you'll spend 12 months getting a certification that doesn't open the doors you need to open.
Here's the practical breakdown: what each standard actually is, what it costs, who accepts it, and how to make the call.
What SOC 2 actually is (it's not a certification)
Most people call SOC 2 a certification. It's not. SOC 2 is an attestation — a licensed US CPA firm examines your security controls against the AICPA's Trust Service Criteria and issues a report describing what they found. There's no pass or fail. There's no certificate. You get a report, and that report is confidential by default — shared only with prospects and customers under NDA.
The AICPA defines five Trust Service Criteria: Security (required), Availability, Confidentiality, Processing Integrity, and Privacy. Most companies pursue Security only, sometimes with Availability added. You choose which criteria apply to your service. Auditors describe your specific controls rather than checking boxes against a fixed control list.
There are two types of SOC 2 reports:
- Type 1: Auditors confirm that your controls are designed appropriately as of a single point in time. Think of it as a snapshot. Preparation to report takes 4-8 weeks.
- Type 2: Auditors confirm that your controls operated effectively over an observation period — typically 6 months, minimum 3. This is what enterprise procurement actually requires. Type 1 is often accepted as a stopgap, but enterprise security teams know the difference.
SOC 2 reports are renewed annually. Once you've done the first Type 2, annual renewals take 3-4 months.
What ISO 27001 actually is (it's a real certificate)
ISO 27001 is a formal certification issued by an accredited certification body after a structured two-stage audit process. You either pass and receive a certificate, or you don't. The certificate is public — organizations list it on their websites and can be verified through the certification body's directory.
The standard requires building and maintaining an Information Security Management System: a documented management framework for identifying, treating, and monitoring information security risks. This isn't just implementing controls — it's documenting your risk methodology, running regular management reviews, conducting internal audits, and demonstrating continual improvement over time. The ISMS structure is the foundation; the 93 Annex A controls are layered on top of it.
Certifications are valid for three years with annual surveillance audits to maintain them. You can't just implement controls and coast — auditors visit annually to confirm your ISMS is actively operating.
ISO 27001:2013 certifications all expired on October 31, 2025. Every organization certified or seeking certification now is on the 2022 standard.
Side-by-side comparison
| Factor | ISO 27001 | SOC 2 |
|---|---|---|
| Type | Formal certification (pass/fail) | Attestation report (no pass/fail) |
| Issued by | Accredited certification body (e.g., BSI, Bureau Veritas, DNV) | Licensed US CPA firm |
| Standards body | ISO/IEC (international) | AICPA (US-based) |
| Visibility | Public certificate, verifiable | Confidential report, shared under NDA |
| Control framework | 93 Annex A controls (fixed catalog, select applicable ones) | Trust Service Criteria (principles-based, flexible controls) |
| ISMS requirement | Yes — mandatory management system | No — controls-focused, no ISMS required |
| Initial timeline | 6–18 months | 6–12 months (Type 2 observation period) |
| Initial audit cost | $15,000–$50,000 | $15,000–$60,000 |
| Renewal cycle | Annual surveillance, recertify every 3 years | Annual audit renewal |
| Primary market | EU, global enterprise, regulated industries | US enterprise, SaaS B2B, healthcare-adjacent |
Geographic reach: where each standard matters
This is the most practical way to think about the choice — follow the customer.
When SOC 2 is what you need
US enterprise software procurement runs on SOC 2. If you're a SaaS company selling to mid-market or enterprise US businesses, you'll hit a wall without it. Security questionnaires in US procurement commonly ask for SOC 2 Type 2 as a pre-qualification filter. No report, no further review.
Healthcare-adjacent companies face the same dynamic. If you process any data near protected health information — even as a business associate — US buyers will want SOC 2 alongside HIPAA documentation. The two aren't redundant; SOC 2 covers your broader security controls while a HIPAA compliance program covers the PHI-specific requirements.
When ISO 27001 is what you need
EU enterprise buyers typically prefer ISO 27001. It's a globally recognized certification that translates across procurement teams who may not know what a SOC 2 report is.
NIS2 compliance is pushing ISO 27001 demand harder in 2026. The NIS2 Directive, with enforcement running since October 2024, requires essential and important entities across the EU to implement information security measures that align with risk management standards — with ISO 27001 explicitly referenced as a relevant approach in the directive's preamble. Companies serving EU supply chains are increasingly being asked to demonstrate ISO 27001 certification by their customers.
Government contracts and defense-adjacent work also tend to prefer or require ISO 27001 for international operations.
Control overlap: what you build for one helps with the other
ISO 27001 and SOC 2 share roughly 70–80% of underlying control requirements. Access control, change management, incident response, risk assessment, vendor management, encryption, logging, and security awareness training are central to both frameworks. If you build these controls well for one framework, most of the technical implementation work carries over.
What doesn't transfer cleanly:
- ISMS documentation: ISO 27001's mandatory management system — risk methodology, Statement of Applicability, management reviews, internal audits — isn't required for SOC 2. If you've done SOC 2 first, you'll need to build this ISMS layer for ISO 27001.
- Report format: SOC 2 reports describe your specific controls in narrative form. ISO 27001 auditors verify your ISMS against the standard's clauses. The evidence you collect overlaps significantly, but how it's documented and presented differs.
- Observation period: SOC 2 Type 2 requires operating evidence over 6+ months. ISO 27001 Stage 2 audits can happen as soon as your ISMS is implemented and documented — though auditors will look for evidence that processes are actually running.
Organizations pursuing both ISO 27001 and SOC 2 save significant time by running parallel implementations. Shared evidence collection (access review records, vulnerability scan results, training completion logs, change management tickets) satisfies requirements for both frameworks simultaneously. Compliance platforms like Drata and Vanta are built specifically to support multi-framework evidence collection — so you're not duplicating effort for each audit.
Which one should you do first?
This comes down to where your next deals are coming from.
Start with SOC 2 if:
- Your primary market is US enterprise or mid-market SaaS
- You're getting stuck in procurement security reviews
- Prospects are asking for your SOC 2 report directly
- You want flexibility — SOC 2's principles-based approach is more forgiving for early-stage companies
- You need something in 6-12 months (Type 2 observation period)
Start with ISO 27001 if:
- Your customer base is primarily European or you're selling to NIS2-regulated supply chains
- You're pursuing government contracts or regulated industry partnerships internationally
- You want a public, verifiable certification rather than a confidential report
- You want the ISMS framework as a foundation for your security program long-term
- You're planning to pursue ISO 27001 anyway and want to build that foundation first
When the answer is both
If you're scaling into both US and EU enterprise markets — which describes most growth-stage SaaS companies — you'll eventually need both. The question is sequencing. Most US-founded companies do SOC 2 first because US deals are usually faster and the framework is more familiar to the team. They layer in ISO 27001 once they hit EU expansion or start losing European procurement evaluations.
The second framework is measurably less work. Your controls are already built. Your vendor management program exists. Your incident response process is documented. What you're adding is framework-specific documentation and the new audit process — not rebuilding your security program from scratch.
What both frameworks actually require from your policies
Whatever you choose, both ISO 27001 and SOC 2 will scrutinize your written policies. Stage 1 ISO 27001 audits and the opening phases of SOC 2 audits both involve documentation review — and gaps in policies translate directly to findings.
The areas that generate the most findings across both frameworks:
- Access control policy: How privileged access is granted, reviewed, and revoked. Both frameworks want evidence of actual access reviews, not just a policy saying reviews happen.
- Vendor management: Security requirements in supplier contracts. Most organizations have supplier agreements that don't include specific security clauses or incident notification obligations — a gap that shows up as a finding under both ISO 27001 A.5.19 and SOC 2 vendor management criteria.
- Incident response: A documented, tested response plan. Both frameworks want records of incidents handled, not just a plan that's never been exercised.
- Risk assessment: ISO 27001 requires a formal risk assessment methodology with documented risk treatment decisions. SOC 2 is less prescriptive, but auditors still expect to see how your organization identifies and responds to relevant risks.
Cost reality check
Neither framework is cheap, and the audit fees are only part of it. Here's where money actually goes:
| Cost category | ISO 27001 | SOC 2 Type 2 |
|---|---|---|
| Initial audit fee | $15,000–$50,000 | $15,000–$60,000 |
| Compliance platform (optional) | $10,000–$20,000/yr | $15,000–$30,000/yr |
| Internal staff time | High — ISMS build and ongoing management | Moderate — evidence collection |
| Consultant (if used) | $20,000–$50,000 for ISMS build | $10,000–$30,000 for readiness |
| Annual renewal cost | $5,000–$15,000 (surveillance audit) | $10,000–$30,000 (annual Type 2) |
A rough rule of thumb: expect to spend $50,000–$150,000 for the first year of either framework if you're building from a standing start, including internal staff time. Organizations with existing security programs and compliance tooling can do it for less. Organizations with nothing documented spend more.
Run a gap assessment before you commit audit budget. An auditor showing up to a poorly documented environment will find issues during the audit itself — which is both expensive and embarrassing. Know where your gaps are first, fix them, then schedule the audit. PolicyAudit's free scan gives you a clear picture of which policy areas are thin before you start the formal audit process.