Compliance · 2026-07-03

SOC 2 vs ISO 27001: which one do you actually need?

SOC 2 and ISO 27001 are the two security frameworks a B2B company is most likely to be asked for, and the question of which to pursue first wastes more leadership time than almost any other compliance decision. The short version: the frameworks overlap heavily in substance and differ mainly in audit model and audience. Decide based on who is asking, then build one control set that serves both.

What each framework actually is

SOC 2 is an attestation, not a certification. A CPA firm examines your controls against the AICPA Trust Services Criteria - Security is mandatory; Availability, Confidentiality, Processing Integrity and Privacy are optional - and issues a report. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over an observation window, typically 3-12 months. Buyers read the report itself, including exceptions.

ISO/IEC 27001 is a certification standard for an information security management system (ISMS). An accredited certification body audits your ISMS - including the applicable Annex A controls of ISO 27001:2022 - and issues a certificate on a three-year cycle with annual surveillance audits. Buyers usually see only the certificate and the statement of applicability.

Where they differ in practice

The substance - access control, change management, monitoring, incident response, vendor management, business continuity - is largely the same set of controls under different labels. The differences that matter are commercial and structural.

  • Audience: SOC 2 dominates US enterprise procurement; ISO 27001 carries more weight in Europe, with regulated buyers and in public tenders.
  • Output: SOC 2 produces a detailed report your customer reads under NDA; ISO 27001 produces a certificate you can show anyone.
  • Model: SOC 2 re-examines controls every period; ISO 27001 certifies the management system that runs the controls.
  • Flexibility: SOC 2 lets you scope trust criteria per report; ISO 27001 scoping happens in the ISMS boundary and statement of applicability.

How to decide in one meeting

List your live deals and target market. If the blockers are US enterprise security questionnaires, SOC 2 Type II unblocks revenue fastest: many US buyers will not accept ISO 27001 as a substitute. If your buyers are European banks, insurers or public-sector entities, ISO 27001 is usually the expected baseline, and DORA or outsourcing regulation may make your customers ask for it explicitly.

If both markets matter, start with the one your next twelve months of revenue depends on, but design the control set for both from day one. The marginal cost of the second framework on a shared control set is far lower than two separate programmes.

Cost and timeline: what actually drives both

Neither framework has a fixed price, but the drivers are predictable. Audit fees scale with scope (number of systems, locations, trust criteria or Annex A controls in play), organisational complexity and how much remediation the readiness phase uncovers. The larger cost is almost always internal: engineering time to close gaps, write policies people will actually follow, and produce evidence. Budget the readiness phase as the project and the audit as its checkpoint.

On timelines: a SOC 2 Type I is typically reachable within a few months of serious readiness work; the Type II then requires its observation window on top. ISO 27001 usually takes longer end-to-end because the ISMS - risk assessment, statement of applicability, internal audit, management review - must exist and have operated before the certification audit. Both are recurring commitments: SOC 2 re-audits every period, ISO 27001 has annual surveillance audits. Whatever you build must be sustainable by the team you actually have.

What auditors actually ask a cloud team for

Across both frameworks, the requests that land on a cloud or platform team are remarkably consistent. If the following exist and are generated by the infrastructure rather than assembled by hand, both audits get dramatically cheaper:

  • Access reviews: who has admin in each cloud account, when it was last reviewed, and evidence that leavers lose access on schedule.
  • Change management: pull-request history showing review and approval before production changes. IaC makes this nearly free.
  • Logging and monitoring: central audit logs, alerting on security-relevant events, and a documented response path.
  • Backup and recovery: restore tests with dated evidence rather than backup-job screenshots.
  • Vendor management: a current list of sub-processors and cloud services with owner, purpose and data classification.
  • Incident records: post-incident notes for anything significant, showing detection, response and follow-up.

The shared-control-set approach

Whichever you start with, build controls once and map them to both frameworks: one access-review process, one change-management pipeline, one incident runbook, one vendor register, each mapped to Trust Services Criteria and Annex A. In the cloud, most of this evidence can be generated from infrastructure itself: IaC review gates, IAM access reviews, centralized logs, automated backup-restore tests.

This is also where readiness work pays off. Getting the cloud estate to a state where evidence is produced continuously - rather than assembled in a panic before each audit window - is most of the real cost, and it is reusable across SOC 2, ISO 27001 and DORA alike.

Cloud security & compliance readiness

FAQ

Can we do SOC 2 and ISO 27001 at the same time?

Yes, and on a shared control set it is often efficient, but expect two audit processes with different rhythms. Most teams stagger them by a quarter or two so the same people are not serving two audits in the same month.

Do we need a Type II report immediately?

Usually a Type I first is the pragmatic path: it proves design quickly, and the Type II observation window starts running afterwards. Some buyers accept Type I plus a Type II commitment date.