What each certification actually is

SOC 2 is an AICPA attestation standard – not a certification in the traditional sense. An independent auditor produces a report assessing your controls against the Trust Services Criteria, which cover five categories: security, availability, processing integrity, confidentiality and privacy. Security is the only mandatory category; the others are included based on what's relevant to your service.

There are two report types. A Type I report evaluates the design of your controls at a single point in time: are they described correctly and does the auditor believe they'd work if implemented as stated? A Type II report covers operating effectiveness over a period – typically six to twelve months – and tests whether your controls actually functioned as described throughout that window. Type II is what most enterprise customers require because it demonstrates sustained operation, not just good intentions at audit time.

ISO 27001 is a formal international certification standard. An accredited certification body audits your Information Security Management System (ISMS) against the standard's requirements. Pass, and you receive a certificate with your organisation's name on it. Annual surveillance audits maintain the certification between three-year recertification cycles.

The fundamental difference: SOC 2 produces an audit report that you share with customers under NDA. ISO 27001 produces a certificate that you can display publicly. One is a document you distribute; the other is a credential you hold.

Who asks for each

SOC 2 is predominantly a US requirement. US enterprise procurement teams, investors conducting due diligence and regulated sectors including healthcare and financial services routinely require a SOC 2 Type II report before contracting with technology vendors. If your sales pipeline is US enterprise, you'll encounter this ask repeatedly.

ISO 27001 is the global standard. UK and European enterprise customers typically ask for ISO 27001 as a baseline supplier requirement. Middle Eastern and APAC enterprise procurement teams ask for ISO 27001. US customers with European operations or subsidiaries increasingly accept either, though the question asked in a US-originated RFP is usually SOC 2.

The practical answer is straightforward: if your customer base is US-only, SOC 2 Type II is what they'll ask for. If you have or want European customers, ISO 27001 is what they expect. If you operate across both markets, you'll need both eventually – the question is sequencing, not whether to.

The EU angle: US businesses with European customers

GDPR creates specific obligations for US businesses processing European personal data, including obligations under Article 32 to implement "appropriate technical and organisational measures" to protect that data. ISO 27001 certification is widely accepted by EU data protection authorities and enterprise procurement teams as substantive evidence that those measures are in place.

SOC 2 is not. It's recognised in the US as a rigorous standard, but it wasn't designed to map to GDPR and EU regulators don't treat it as equivalent to ISO 27001 for the purposes of Article 32 compliance. US businesses selling into EU markets – or managing EU employee or customer data – face a real compliance gap if they hold SOC 2 but not ISO 27001.

This matters most for SaaS companies with European revenue, managed service providers handling EU client data and professional services firms with UK or European engagements. Holding SOC 2 alone doesn't close the GDPR question; it just addresses the US customer question.

What each framework actually requires you to do

For SOC 2, the process starts with defining which Trust Services Criteria apply to your service. You then design and implement controls that satisfy those criteria – the standard doesn't prescribe specific controls, so you have flexibility in how you meet the requirements. An auditor runs fieldwork, tests your controls and produces the report. For a Type II audit, there's an observation period before the audit begins, during which your controls need to operate consistently.

The flexibility is real, but the audit fees are significant. SOC 2 audits are expensive relative to ISO 27001 certification costs, particularly for Type II, and the cost scales with the complexity of your environment and the number of criteria in scope.

For ISO 27001, you need to build an ISMS: a documented set of policies, a risk assessment process, a statement of applicability that maps your controls to the standard's Annex A, and implemented controls across the areas you've declared in scope. An accredited certification body then carries out a two-stage audit – a documentation review followed by an on-site assessment – and certifies your ISMS if it meets the standard.

ISO 27001 is more prescriptive in its process requirements. The ISMS framework, the risk assessment methodology, the management review process – these are all required elements with defined criteria. SOC 2 gives you more freedom in how you design controls; ISO 27001 is more explicit about what your management system needs to look like.

Pursuing both: when it makes sense and how to reduce duplication

For businesses with US and European customers, the question is usually when to pursue both, not whether to. The good news is that there's significant control overlap between SOC 2 and ISO 27001. Access control, incident management, change management, encryption, business continuity – these appear in both frameworks, and controls designed to satisfy one will generally satisfy the other with minimal adaptation.

Building ISO 27001 first and then layering SOC 2 on top is more efficient than the reverse. An ISO 27001 ISMS, properly implemented, covers the majority of the SOC 2 Trust Services Criteria. The incremental work to achieve SOC 2 from an ISO 27001 baseline is considerably less than starting fresh.

Combined readiness programmes that map controls to both frameworks simultaneously reduce total effort by roughly a third compared to sequential implementations. The investment in doing it properly the first time – building controls that are explicitly mapped to both standards – pays back in reduced audit preparation time and a faster path to the second certification.

What a combined programme doesn't reduce is the audit cost. SOC 2 auditors and ISO 27001 certification bodies are separate engagements, and both require ongoing audit activity. Factor in annual SOC 2 Type II audits and ISO 27001 surveillance audits as a recurring operational cost, not a one-off project.

Where to start

The starting point is your customer base and your pipeline. Who's asking for what today? Who do you want to sell to in the next eighteen months?

If the answer is US enterprise, start with SOC 2 Type II. That's what you'll be asked for in procurement, and it's what your prospective customers understand. Getting to Type II takes time – you need the observation period plus the audit – so the earlier you start building the control environment, the better.

If the answer is European enterprise, start with ISO 27001. It's what your customers expect and it satisfies the GDPR Article 32 question. It's also the more internationally portable choice – ISO 27001 is recognised in more markets than SOC 2.

If the answer is both, plan for both and build ISO 27001 first. The ISMS foundation it creates is the more efficient base to build from. SOC 2 can layer on top with far less duplicated effort than the other way around.

If neither is currently blocking sales but you're growing into enterprise, ISO 27001 is the right default. It's the globally recognised standard, it creates a documented security management system that supports other compliance requirements and it's the more defensible starting point for a business that doesn't yet know which markets it'll prioritise.

Route B helps businesses navigate security certification – from choosing the right framework to implementation and audit readiness. Get in touch to discuss your situation.
