Raize Orion Blog · Compliance · 2026-06-13 · 8 min read

Do we need ISO 27001 or SOC 2? (Yes.)

The eternal startup standoff: ISO 27001 or SOC 2? The honest answer is "whichever one your customer is withholding a signature over." Here is how to actually decide — and why you will probably end up doing both anyway.

Somewhere right now, a founder is staring at two acronyms like they are choosing a tattoo. ISO 27001 or SOC 2. One of them is going to define the company forever, the stakes feel enormous, and the internet has confidently told them six contradictory things before lunch.

Good news: it is not a tattoo. It is barely even a haircut. And the decision is far less philosophical than the LinkedIn thought-leaders make it sound. Let us settle it.

The short answer nobody wants to hear

You do not pick a framework. Your buyer picks it for you, usually in a procurement email, usually with a deadline that has already passed.

The single most reliable way to decide between ISO 27001 and SOC 2 is to read the security questionnaire that is currently blocking your biggest deal and notice which acronym appears in it. That is your framework. Congratulations, the agonising is over, you can close the seventeen browser tabs.

Right, but what actually are they?

Before the holy war continues, a quick reality check — because half the arguments online are people confidently comparing two things they have slightly misunderstood.

SOC 2 is a report, not a certificate

SOC 2 is an attestation produced by a licensed CPA firm in the US, against the AICPA Trust Services Criteria (Security, plus optionally Availability, Confidentiality, Processing Integrity, and Privacy). The deliverable is a report — a PDF, often 60+ pages — that you hand to a prospect under NDA so their security team can read how your auditor judged your controls.

It comes in two flavours. Type I says "these controls were designed correctly on one specific day" — the compliance equivalent of a tidy bedroom because your parents are visiting. Type II says "these controls actually operated over a 3-to-12-month window" — the bedroom was tidy for a whole year, which is the one buyers actually trust.

ISO 27001 is an actual certification

ISO/IEC 27001 is an international standard. An accredited certification body audits your Information Security Management System (ISMS) and, if you pass, issues a certificate — a real one, the kind you can frame, valid for three years with surveillance audits along the way to make sure you did not get sloppy in month four.

The catch, and the bit founders underestimate: ISO 27001 is a management system, not a checklist. It wants a Statement of Applicability, risk assessments, management reviews, internal audits — the machinery of a company that runs security on purpose rather than by vibes. The Annex A controls (93 of them in the 2022 version) are almost the easy part.

So which one? Follow the money (and the map)

Here is the decision tree, minus the foliage:

  • Selling to US enterprises and mid-market SaaS buyers? They will ask for SOC 2. It is the native language of US vendor-security teams. Start there.
  • Selling into the UK, EU, the Middle East, APAC, or anywhere that runs a formal tender? ISO 27001 is the lingua franca. Government and enterprise procurement there often list it as a hard requirement, not a nice-to-have.
  • Selling to regulated industries (health, finance, critical infrastructure)? You will likely need framework-specific things on top (HIPAA, PCI DSS, NIS2, DORA) — but ISO 27001 or SOC 2 is usually the foundation everyone wants underneath.
  • Selling to other startups who have never sent a security questionnaire in their life? You may need neither yet. Breathe.

Notice the pattern: it is geography plus buyer, not personal preference. Nobody has ever won a deal because they chose the more spiritually fulfilling framework.

The question you should actually be asking: do we need either yet?

Here is the assertive bit, and we will say it plainly because somebody has to: a depressing number of early-stage teams burn three months and a small fortune getting compliant for customers who do not exist yet.

Compliance is a sales unlock, not a personality trait. If no prospect has asked, no deal is blocked, and no regulator has your address, then the correct framework this quarter might be "ship the product and talk to users." A SOC 2 report for a company with four customers is a beautifully bound document that proves you can follow instructions. It is not traction.

Get compliant the day it costs you a deal not to be — not the day a blog post made you anxious. (Yes, we are aware this is a blog post. We contain multitudes.)

The honest trigger to start is one of: a real prospect has asked, a contract requires it, a regulation applies to you, or you can see all three coming in the next two quarters. Any of those? Go. None of those? Put it on the roadmap and get back to work.

The plot twist: it was "both" the whole time

Here is what the "ISO vs SOC 2" framing gets wrong. It is not a fork in the road. It is a "which one first" question, because growing companies that sell internationally almost always end up wanting both — the US deals want the SOC 2 report, the European tenders want the ISO certificate, and now you are running two programmes.

The part that should make you feel better: they are not two separate mountains. SOC 2 and ISO 27001 share a huge amount of their underlying control DNA — access control, change management, encryption, incident response, vendor risk, logging. Estimates vary, but a large majority of the evidence you collect for one is reusable for the other. Do an access review once; it satisfies both. Write an incident response policy once; both frameworks nod approvingly.

The mistake is treating them as two from-scratch projects, collecting the same access-review log three times into three different tools, for three different auditors, like some kind of compliance Groundhog Day. Collect evidence once, map it across every framework it satisfies, and the second framework costs a fraction of the first. (This, as it happens, is the entire reason Raize Orion exists — one evidence base, cross-mapped across ten frameworks, so adding SOC 2 after ISO 27001 is not a second mountain. But we would tell you to stop duplicating evidence even if we sold nothing.)

The 30-second decision

  1. Which framework is named in the deal currently blocking you? Do that one first. Done.
  2. No deal blocked, but you know who you sell to? US-heavy → SOC 2 Type I now, Type II as you mature. EU/UK/international → ISO 27001.
  3. Genuinely no buyer asking and no regulation applies? Neither yet. Revisit when a prospect raises it — and they will, the moment a deal gets big enough to have a security team attached.
  4. Either way: build the programme so the second framework reuses the first. Future-you, mid-ISO-audit with a SOC 2 deadline looming, will weep with gratitude.

So: do you need ISO 27001 or SOC 2? Yes. Probably the one your customer is asking for, probably the other one eventually, and definitely not whichever one a stranger on the internet was most passionate about. Now go read that security questionnaire — the answer has been sitting in your inbox the whole time.

Want to see the platform?

10-day trial at /pricing. All 13 connectors and all 6 frameworks enabled.