Every B2B vendor selling to enterprise eventually faces the same question from their first big customer: “do you have SOC 2 or ISO 27001?” The honest answer for most early-stage companies is “neither, but we’d like to,” and the next conversation — usually with a consulting firm — quickly turns into a sales pitch wrapped in compliance terminology. The result is a generation of decision-makers who pick SOC 2 because their competitor has SOC 2, or ISO 27001 because their consultant happened to specialise in it, without a clear understanding of what each actually attests, what the audit will require, and what their customers will actually accept. After working through this decision across many compliance consulting engagements, the honest comparison is more useful than either side’s marketing — and reveals when the right answer is “both,” when it’s “one first,” and when it’s “neither yet.”
What each one actually attests
The frequently-confused starting point: SOC 2 and ISO 27001 are different categories of thing. They are often grouped together in vendor security questionnaires, but they’re built on different foundations and answer different questions.
SOC 2 — an attestation report
SOC 2 is an attestation report issued by a CPA firm under American Institute of Certified Public Accountants (AICPA) standards. It evaluates a service organisation’s controls against the Trust Services Criteria — Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. There are two report types:
- SOC 2 Type I: a point-in-time assessment that controls are designed appropriately. A snapshot.
- SOC 2 Type II: an evaluation over a period (typically 6 to 12 months) that controls are designed appropriately AND operating effectively. A track record.
Customers almost always want Type II. Type I is sometimes accepted as a stepping stone but rarely as a final answer.
The output is a report, not a certificate. The report contains the auditor’s opinion (clean / qualified / adverse), the description of the service organisation’s system, the controls in place, and the auditor’s tests of those controls — including any exceptions found.
ISO 27001 — a certification
ISO 27001 is an international standard for Information Security Management Systems (ISMS), maintained by ISO and IEC. The standard prescribes a management framework: a defined ISMS scope, risk assessment methodology, statement of applicability, internal audit programme, management review cycle, and continuous improvement loop. The 2022 revision introduced 93 controls organised into four themes (Organisational, People, Physical, Technological).
The output is a certificate issued by an accredited certification body, valid for three years, with annual surveillance audits.
Where SOC 2 attests “these controls existed and worked,” ISO 27001 certifies “this organisation has a functioning system for continuously managing information security.” The distinction sounds semantic but shows up everywhere in scope, evidence, and ongoing burden.
Scope difference that matters most
The scope distinction is the single most underestimated difference, and the one that catches teams off guard mid-audit.
SOC 2 scope: the service in scope
SOC 2 evaluates the controls relevant to a specific service the organisation provides to its customers. The scope is the service — usually the SaaS product, its supporting infrastructure, and the operational processes that deliver it. Internal-only systems, separate product lines, or business operations unrelated to the service can be excluded from scope.
This makes SOC 2 easier to scope tightly for early-stage SaaS companies. The audit covers the production environment that customers actually use; the corporate IT, internal CRM, and other systems can be excluded as “out of scope.”
ISO 27001 scope: the ISMS in scope
ISO 27001 evaluates an ISMS covering whatever the organisation declares the scope to be. The scope is the management system — and the standard’s expectation is that the scope includes “the boundaries and applicability of the ISMS within the organisation.”
In practice, ISO 27001 scopes tend to be broader. While you can technically certify “the engineering team’s information security management for product X,” certification bodies push back hard on scopes that exclude obvious internal systems like email, HR data, or finance systems. A common rule of thumb: ISO 27001 scope usually covers the whole organisation, while SOC 2 scope covers only the customer-facing service.
This is why two companies of the same size will frequently report wildly different effort levels for the two audits. SOC 2 lets you fence off the audit; ISO 27001 expects the management system to permeate the organisation.
Audit process side-by-side
| Stage | SOC 2 Type II | ISO 27001 |
|---|---|---|
| Pre-audit | Gap assessment by consultant or auditor; remediation; readiness assessment | Gap assessment; ISMS scoping; risk assessment; SoA preparation |
| Observation/cert period | 6 to 12 months of operation under controls | Minimum 3 months of ISMS operation (records of audits, reviews, incidents) |
| Stage 1 (ISO only) | N/A | Documentation review — auditor checks ISMS scope, SoA, policies, risk register |
| Audit fieldwork | Auditor tests controls — interviews, evidence sampling, walk-throughs | Stage 2 — auditor tests control effectiveness via interviews + records |
| Report/certificate issued | Report with opinion within 60-90 days of fieldwork end | Certificate within 30-60 days of Stage 2 |
| Validity | Report covers the observation period; new report each cycle | Certificate valid 3 years |
| Maintenance | New Type II annually for next observation period | Annual surveillance audits (lighter than initial) + recertification at year 3 |
The cadence difference is significant. SOC 2 requires a fresh full audit every year. ISO 27001’s surveillance audits are materially lighter than the initial certification — typically 30-50% of the effort of the initial Stage 2 — making the ongoing burden lower after year one.
Real costs in 2026
Two cost categories matter: audit fees paid to the auditor, and internal effort.
| Cost category | SOC 2 Type II | ISO 27001 |
|---|---|---|
| Auditor fees (year 1) | $20,000 – $80,000 USD depending on scope, criteria included, and firm | $15,000 – $60,000 USD depending on certification body, scope, and number of locations |
| Auditor fees (years 2+) | Similar to year 1 — annual fresh audit | Surveillance audits ~30-50% of initial; recertification at year 3 ~70-80% |
| Internal effort (year 1) | 600 – 2,000 person-hours depending on company size and existing maturity | 800 – 3,000 person-hours; broader scope drives more hours |
| Internal effort (years 2+) | 300 – 1,000 person-hours per year | 200 – 800 person-hours per year (lighter surveillance) |
| Tooling / GRC platform | Often $5,000 – $30,000/year if using Drata, Vanta, Secureframe, etc. | Same; most GRC tools cover both |
| Consultant / fractional CISO | Optional but common for first cycle: $20,000 – $80,000 | Same range; often slightly higher because of the ISMS framework setup |
The headline pattern: SOC 2 is roughly comparable to ISO 27001 in year-one cost. ISO 27001 is materially cheaper in years 2-3 because of the surveillance audit cadence. Across three years, ISO 27001 typically costs 20-30% less than three consecutive SOC 2 Type II reports for the same organisation.
The numbers vary by region, by auditor reputation, and by firm. The general shape is consistent across markets.
Evidence burden — what they ask for
The day-to-day evidence collection effort is similar in volume but different in kind.
SOC 2 evidence pattern
SOC 2 auditors sample. For each control, they pick a small set of items from the observation period (typically 5-25 samples depending on population size) and verify the control was applied. Common samples:
- 25 production changes from the year, with evidence each went through code review, automated testing, and CAB approval
- 10 access provisioning events, with evidence each had documented approval and was granted within the policy SLA
- 15 alerts from the SOC tooling, with evidence each was triaged and resolved within SLA
- 5 quarterly access reviews, with evidence each was completed and any exceptions remediated
The mental model is “show me a sample of times you did the thing, prove you did it correctly.”
ISO 27001 evidence pattern
ISO 27001 auditors verify the system. They want to see the policy that defines the control, the procedure that operationalises it, the records that show the procedure ran, and the audit trail that shows internal review caught any deviations. Common evidence:
- The risk register, with each risk’s assessment, treatment plan, residual rating, and ownership
- The Statement of Applicability, justifying inclusion or exclusion of each of the 93 controls
- Internal audit reports from the past year, including findings, corrective actions, and verification
- Management review minutes documenting decisions about the ISMS
- Incident records with root cause analysis and corrective action tracking
- Metrics on ISMS performance (training completion rates, vulnerability remediation SLAs, incident counts)
The mental model is “show me your management system, walk me through how it learns and improves.”
The implication for tooling: SOC 2 fits cleanly into evidence-collection GRC tools like Vanta, Drata, or Secureframe — these tools automate sampling. ISO 27001 fits less cleanly because the auditor wants narrative context the GRC tool can’t generate. Most companies using these GRC platforms still produce ISO-specific documentation manually.
Customer perception by market
The question buyers care most about: which certification will my customers actually want?
US enterprise buyers
SOC 2 is the default expectation. Most US-based enterprise procurement processes include “do you have SOC 2 Type II?” as a yes/no in the vendor security questionnaire. ISO 27001 is accepted as additional credibility but doesn’t replace the SOC 2 ask for many US enterprises.
The exception is large multinationals where the procurement team is European-anchored — they often accept ISO 27001 in lieu of SOC 2. Outside that exception, US enterprise sales conversations consistently centre on SOC 2.
European enterprise buyers
ISO 27001 is the default expectation. European enterprises and government buyers (especially in DACH, Nordics, and France) treat ISO 27001 as a baseline of credibility, often with additional sector-specific certifications layered on top. SOC 2 is increasingly accepted as additional context but is not yet a replacement.
The exception: US tech subsidiaries operating in Europe sometimes accept SOC 2 as sufficient because the parent company has standardised on it.
APAC and emerging markets
The picture is mixed. ISO 27001 has stronger historical traction in Japan, Australia, Singapore, and India — partly because ISO standards generally have broader uptake in these markets. SOC 2 is gaining ground rapidly, driven by SaaS vendors selling globally. Many enterprise buyers in this region now accept either.
For a globally-selling SaaS, the realistic answer is that within 3-4 years you’ll need both. The sequencing question is which to do first, and that’s driven by where your highest-priority customers are.
Maintenance burden after certification
The post-certification burden is often underestimated and is the single largest difference in lifetime cost.
SOC 2 maintenance
Every year, a fresh observation period and a fresh audit. Every year, full sample collection, full auditor coordination, full report production. Controls don’t significantly change between years unless the organisation does — but the audit work essentially repeats.
The corollary: process discipline matters because every year’s audit will sample fresh events. If access reviews didn’t happen this year, the auditor will find that out next year and the report will reflect it.
ISO 27001 maintenance
The certificate is valid for three years. Surveillance audits in year 1 and year 2 are lighter — auditors check that the ISMS is still functioning, the risk register has been updated, internal audits have happened, management review meets the standard’s cadence. Recertification at year 3 is more thorough but typically still less work than a SOC 2 Type II audit.
The corollary: the ISMS has to actually function. Companies that “got certified” and let the ISMS atrophy between audits get caught at surveillance audits and risk certificate suspension. The standard rewards organisations that genuinely run the management system, not just produce evidence on demand.
Mapping overlap — what carries over between them
For organisations doing both, the overlap is significant but not as high as some vendors claim.
| Control area | SOC 2 (Trust Services Criteria) | ISO 27001 (Annex A 2022) | Overlap |
|---|---|---|---|
| Access control | CC6.x | A.5.15, A.5.16, A.5.17, A.5.18, A.8.2, A.8.3, A.8.5 | ~80% |
| Change management | CC8.1 | A.8.32 | ~90% |
| Vulnerability management | CC7.1 | A.8.8 | ~85% |
| Incident response | CC7.2, CC7.3, CC7.4 | A.5.24, A.5.25, A.5.26, A.5.27 | ~85% |
| Risk assessment | CC3.x | A.5.1, A.5.4 (clauses 6.1, 6.2 in main standard) | ~50% — ISO is more prescriptive on methodology |
| Vendor management | CC9.x | A.5.19, A.5.20, A.5.21, A.5.22 | ~70% |
| Encryption | CC6.7, CC6.8 | A.8.24 | ~90% |
| Physical security | CC6.4 | A.7.x | ~80% |
| Business continuity | A1.x | A.5.29, A.5.30, A.8.13, A.8.14 | ~70% |
| Internal audit | Not directly required | Clause 9.2 | ~30% — SOC 2 has no equivalent |
| Management review | Implied via governance | Clause 9.3 | ~30% — SOC 2 has no equivalent |
| Statement of Applicability | Not required | Required | 0% |
The takeaway: most operational controls carry over. The ISMS-specific clauses (internal audit, management review, statement of applicability, risk methodology) are the ISO-only work and represent the bulk of incremental effort.
For organisations doing SOC 2 first then ISO 27001, expect roughly 60-70% of the controls work to carry over but the ISMS framework to require its own dedicated effort.
When to do SOC 2 first
SOC 2 first is the right call when:
- Your primary buyers are US enterprises and you need to unblock sales within 12 months
- You’re an early-stage SaaS with a tight scope (single product, modest cloud footprint) and want to minimise initial effort
- Your engineering team is small and you can’t sustain the management-system overhead of ISO 27001 yet
- You’d benefit from the GRC platform automation (Drata, Vanta, Secureframe) which is more mature for SOC 2 evidence collection
- You expect to add ISO 27001 within 18-24 months and want the operational controls foundation in place first
When to do ISO 27001 first
ISO 27001 first is the right call when:
- Your primary buyers are European, government, or regulated APAC enterprises
- Your organisation is larger and the broader scope is unavoidable anyway
- You want a certificate (a single piece of paper) rather than a report (a long document)
- You’re optimising for three-year total cost of ownership rather than year-one effort
- You operate in a sector where ISO 27001 is the bar (financial services, healthcare in some jurisdictions, public sector)
- You already have a functioning ISMS in practice and just need to formalise it
For deeper context, our complete ISO 27001 certification guide walks through the ISMS setup in practice.
When to do both
Both is the right call when:
- You sell globally to enterprise — within 3-4 years you’ll need both anyway, sequence them
- You have a single buyer demand for one and a strategic mid-term demand for the other
- You can afford 12-18 months of staggered effort across two cycles
- Your team has the operational discipline to maintain both annually
The most common sequencing: SOC 2 in year 1, ISO 27001 in year 2 with significant control reuse, then annual SOC 2 + annual ISO surveillance from year 3 onward. This pattern is documented in detail in our compliance overview combining ISO 27001, SOC 2, and GDPR.
Pitfalls common to both
A few patterns trip up nearly every first-time audit:
- Treating it as a one-time project. Both audits expect the controls to operate continuously. Building a sprint of evidence to pass the audit, then letting controls lapse, gets caught fast and damages auditor relationships.
- Over-relying on GRC platforms. Drata, Vanta, and Secureframe accelerate evidence collection but cannot substitute for actually running the security program. Audit findings increasingly cite “evidence collected but control activity not actually performed.”
- Skipping the risk assessment. Both standards expect risk-informed control decisions. Teams that bolt controls onto operations without a current risk assessment get pushed back by auditors.
- Excluding executives. Both standards (especially ISO 27001) require demonstrable executive engagement — management review minutes, leadership sign-off on risk acceptance, board-level oversight. Audits that find a security program with no executive engagement get qualified opinions.
- Inadequate vendor management. Third-party risk management is a 2026 audit hotspot for both standards. Vendor inventories with no risk classification, no annual review, and no security questionnaire on file produce material findings.
The organisations that pass cleanly on first attempt are not the ones with the most controls — they’re the ones whose security program was already functioning before they started the audit. A useful pre-audit exercise is a cloud security assessment to surface gaps without the audit pressure.
The honest recommendation
After threading this decision across many engagements:
- Identify the buyer demand. If your top-3 enterprise prospects are US, lead with SOC 2. If European or regulated APAC, lead with ISO 27001. Without buyer demand, neither is worth doing yet.
- Resource the program before contracting the auditor. A pre-audit gap assessment with a clear remediation roadmap is the highest-leverage spend. Hiring the auditor before the team is ready guarantees a painful first cycle.
- Choose the GRC platform carefully. For SOC 2-only, the platform handles 60-70% of the evidence work. For ISO 27001, the platform handles 30-40% — the rest is genuine ISMS work that no SaaS tool can automate.
- Sequence both when both are inevitable. Most globally-selling SaaS will need both within 3-4 years. Plan for it; don’t react to it after losing a deal.
- Don’t treat the certificate as the goal. The certificate is a side effect of a security program operating well. Organisations that build the program first and certify second pass cleanly; the inverse generates the post-certification incident stories.
The argument was never SOC 2 versus ISO 27001. It’s which one your customers want now, which one your business will need in two years, and how you sequence the work so the security program leading to both is actually functioning before the auditor walks in.