Fortinetics
Insights · SOC 2 · 9 min read

SOC 2 vs ISO 27001: which to pursue first, when to pursue both

SOC 2 and ISO 27001 are the two most common commercial compliance frameworks, and most SaaS companies will eventually need both. The decision about which to tackle first — and whether to run them in sequence or in parallel — depends on your customer mix, geography, and existing controls. A practitioner's decision framework.

Every B2B SaaS company above a certain scale eventually gets one of two emails from its largest customer: “we need your SOC 2 Type II report” or “we need your ISO 27001 certificate.” The companies that have been through this before know the question that matters is never which one the customer asked for today — it is which one the next three customers will ask for, and whether the program should be designed for both from the start.

This article is for the head-of-security, CTO, or GRC lead trying to decide between SOC 2 and ISO 27001 — or, more commonly, trying to decide which to pursue first and when to add the second. The guidance below reflects what we actually run in our SOC 2 and ISO 27001 engagements, including the cross-framework cases that account for a growing share of both practices.

The short answer

  • Primarily U.S. customers, primarily enterprise SaaS → SOC 2 Type II first. This is the dominant case.
  • Primarily European or international customers → ISO 27001:2022 first. SOC 2 can be added later if U.S. enterprise customers demand it.
  • Mixed customer base, regulated industries (healthcare, finance) → usually both, eventually. Sequence SOC 2 first if U.S.-heavy, ISO 27001 first if Europe-heavy, then add the second.
  • Federal or DoD customers → neither is sufficient on its own. You need FedRAMP, and possibly DoD Impact Level authorization, which is a different track entirely (commercial customers may still ask for SOC 2 or ISO 27001 alongside it). See our FedRAMP practice.

Most of the rest of this article walks through the specifics.

What the two frameworks actually are

Both are “security posture proofs” that companies present to their customers, but they are structurally different.

SOC 2 is an AICPA attestation framework, an accounting-profession standard rather than a certification scheme. A CPA firm examines your controls against the AICPA Trust Services Criteria and issues a report (Type I or Type II). A Type I report covers the design of controls at a point in time; a Type II report covers both design and operating effectiveness over an observation window (typically three, six, or twelve months). The report is issued to you, not to a registry; you share it with customers under NDA.

ISO 27001 is an international management-system standard from ISO/IEC. An accredited certification body audits your Information Security Management System (ISMS) against ISO/IEC 27001:2022 requirements and, if compliant, issues a certificate whose status anyone can check with the issuing body. The certificate is valid for three years, with annual surveillance audits in between and a recertification audit at the end of the cycle.

Two structural differences that matter:

  1. SOC 2 is about controls as described in your auditor’s report; ISO 27001 is about an operating management system. SOC 2 asks “did these specific controls operate effectively.” ISO 27001 asks “does your organization have a running management system that continuously identifies, treats, and monitors information security risks.”

  2. SOC 2 is U.S.-grown and U.S.-dominant; ISO 27001 is international. In the U.S., most enterprise B2B SaaS contracts reference SOC 2. In Europe and most of Asia, ISO 27001 is the default ask. Some regions accept either.

When SOC 2 wins

SOC 2 is the right first choice when:

  • Your customer base is primarily U.S. enterprise B2B SaaS buyers. Their procurement teams are set up to read SOC 2 Type II reports. They know how to interpret them. Their vendor risk management platforms have SOC 2 fields by default.
  • You have a compressed runway. A SOC 2 Type I report can be issued within 3–4 months of starting the program. A Type II follows after a 3-to-12-month observation window. Your first report usually arrives faster than a first ISO 27001 certificate.
  • Your operating model is cloud-native and tooling-heavy. SOC 2 evidence collection via platforms like Vanta, Drata, or Secureframe works well for cloud-native SaaS with standard stacks (see our article on when SOC 2 platforms hit their limits for the cases where this breaks down).
  • You want the flexibility to show customers a report without publishing a certificate. SOC 2 reports are shared under NDA, which some companies prefer over the public certificate model.

The SOC 2 audit firm relationship is also typically lighter-touch than ISO 27001’s certification body relationship — a year-to-year engagement versus a three-year structured cycle.

When ISO 27001 wins

ISO 27001 is the right first choice when:

  • Your customer base is heavily European or international. ISO 27001 is the default compliance request from European customers, and a current certificate is widely used as evidence toward regional regulatory expectations (for example, the risk-management measures NIS2 requires of in-scope entities), even though certification does not by itself discharge those legal obligations.
  • Your industry has multiple international compliance requirements. ISO 27001 provides a management-system foundation that ISO 27017 (cloud services), ISO 27018 (PII in public cloud), ISO 27701 (privacy management), and ISO 22301 (business continuity) extend. If you foresee needing several of these, start with the ISMS.
  • Your organization is large enough to benefit from a formalized management system. ISO 27001 requires defined roles, management review cycles, risk treatment processes, and internal audit programs. These add weight but also produce more organizational maturity than SOC 2 typically does.
  • You want a publicly verifiable certificate. Customers, prospects, and business partners can verify your certificate through the issuing body’s registry. This can be a sales asset, particularly in conservative or regulated industries.

The first ISO 27001 certification takes longer, typically 9 to 12 months, because the management system has to operate for a period before the Stage 2 audit: the certification body expects to see a completed risk assessment and treatment plan, at least one internal audit, and a management review that has actually taken place, not just documents that describe them. But the resulting certificate carries international recognition that SOC 2 reports do not.

When to do both

Both is the end state for many SaaS companies. The question becomes: in what order, and how much can you share between them?

Substantial overlap in controls. SOC 2 Trust Services Criteria and ISO 27001:2022 Annex A have significant overlap — access control, change management, incident response, vendor management, risk assessment, logging and monitoring all map between the two. Our cross-framework implementations typically capture 70–80% of controls in a shared evidence pipeline.

Different audit structures require different packaging. Even with shared controls, the audit artifacts differ. SOC 2 auditors work from management's system description, written in the structure the AICPA report expects, and test the controls it lists. ISO 27001 auditors work from a Statement of Applicability mapped to Annex A and from the ISMS documentation around it. Both audits interview people and review evidence, but the framing of the evidence differs.

Economic logic of running both at once. The first framework is expensive because you’re building the evidence pipeline from scratch. The second framework is 30–40% cheaper if you piggyback on the first, but only if the first was designed for the multi-framework case. A SOC 2 program scoped to the Trust Services Criteria alone, on whatever platform, leaves the ISMS pieces (risk treatment, Statement of Applicability, internal audit, management review) unbuilt; adding ISO 27001 on top then costs close to a standalone ISO 27001, even where the platform offers an ISO 27001 module. A program that plans for both from the start is meaningfully cheaper than two standalone programs.

The typical sequence we recommend:

  1. Year 1: complete SOC 2 Type II (if U.S.-heavy) or ISO 27001 (if Europe-heavy)
  2. Year 2: add the second framework, reusing shared controls
  3. Year 3 onward: maintain both with a unified evidence pipeline; scale customer trust by presenting both

This works. What doesn’t work is starting a SOC 2-only program in a compliance platform, then realizing six months later that you need ISO 27001 too, and having to rebuild the evidence model around a management system the program was never scoped for.

Decision framework

Five questions that usually land the answer:

1. Where do your customers live, and where will they live in 24 months? U.S.-heavy today and U.S.-heavy tomorrow → SOC 2 first. Europe-heavy today → ISO 27001 first. Mixed → usually SOC 2 first because SOC 2 can be completed faster.

2. What does your single largest customer (or prospect) specifically ask for? If they ask for SOC 2 Type II, the question is largely answered. Same if they ask for ISO 27001. Follow the revenue.

3. How compressed is your runway? Under 6 months to a specific customer’s requirement → SOC 2, because it’s achievable: a Type I if the customer will accept a point-in-time design opinion, a Type II with a short (three-month) window if they need operating evidence. ISO 27001 is harder to complete in under 9 months without cutting corners.

4. Are you planning federal or DoD sales? If yes, neither of these is sufficient. You need FedRAMP (and possibly DoD IL authorization). SOC 2 and ISO 27001 are sometimes required additionally for commercial customers, but the federal path is its own track.

5. How complex is your organization? Simple (single entity, single jurisdiction, standard cloud stack, small team) → SOC 2 via a platform is fine. Complex (multi-entity, hybrid infrastructure, regulated industry, global operations) → consultant-led program, either framework, with a path toward adding the second.

The controls that show up in both

For teams running or planning both, here’s a non-exhaustive list of controls that appear substantively in both frameworks:

  • Access control and authentication (MFA, least privilege, access reviews)
  • Change management and configuration control
  • Incident response and breach notification
  • Vulnerability management and patching
  • Logging, monitoring, and audit trails
  • Encryption at rest and in transit
  • Vendor and supply-chain risk management
  • Human resources security (background checks, training, termination)
  • Physical and environmental security
  • Backup and disaster recovery
  • Business continuity planning

In each case the frameworks want evidence of the control. SOC 2 wants evidence that the control operated effectively during an observation window. ISO 27001 wants evidence that the control is part of a managed system that’s subject to risk-based review. Designed correctly, the underlying operational evidence satisfies both.

The controls that don’t overlap cleanly

Some areas need separate treatment:

  • Privacy and data protection: ISO 27001 can be extended via ISO 27701 (privacy management) for a dedicated privacy information management system. SOC 2 has an optional Privacy category (criteria P1–P8), but it is scoped to the in-scope system rather than to an organization-wide privacy program. Companies with real privacy obligations (GDPR, CCPA, HIPAA) often benefit from the ISO 27701 extension.
  • Management system operations: ISO 27001 requires defined management review cycles, an internal audit program against the standard, and a continual improvement process. SOC 2 does not require these in that form. Its COSO-based common criteria do expect a risk assessment (CC3) and ongoing monitoring of controls (CC4), so a SOC 2-only program is not free of them, but the formal ISMS cycle becomes a new set of responsibilities when you add ISO 27001.
  • Statement of Applicability: ISO 27001-specific artifact that explains which Annex A controls apply, which are excluded and why, and how the applicable ones are implemented. SOC 2 has no equivalent.
  • Trust Services Category selection: SOC 2-specific decision. Security (the common criteria) is always in scope; do you add Availability, Confidentiality, Processing Integrity, or Privacy, each of which widens the control set the auditor tests?

How we run cross-framework engagements

For teams pursuing both, we design the evidence pipeline once for the union of both frameworks. Controls that apply to both are captured by a single operation. Controls specific to one are captured by that framework’s operational pattern. The auditor for each framework sees the evidence formatted for their standard’s expectations.
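As a concrete illustration of the two points above (the same operational evidence satisfying both frameworks, and one pipeline re-keyed per auditor), here is an added example, not tooling from our practice or from any platform named on this page. It models evidence records tagged with both SOC 2 Trust Services Criteria IDs and ISO/IEC 27001:2022 Annex A control IDs, then asks each framework's distinct question of the same records: for SOC 2 Type II, did evidence of operation land in every month of the observation window; for ISO 27001, is each applicable control in the Statement of Applicability tied to a treated risk and an owner. The framework IDs are real; the unified control names, the mapping between them, the dates and the artifact names are constructed for the example.

```python
"""Cross-framework evidence check (added example; illustrative, not the page's tooling).

One evidence pipeline, tagged with both SOC 2 Trust Services Criteria IDs and
ISO/IEC 27001:2022 Annex A control IDs, is queried with each framework's own question:
  SOC 2 Type II  -> did evidence of operation land in every month of the window?
  ISO 27001      -> is each applicable control tied to a treated risk and an owner?
The framework IDs are real; control names, mapping, dates and artifacts are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed mapping from a unified control name to both frameworks' references.
CONTROL_MAP = {
    "access-review":     {"soc2": ["CC6.2", "CC6.3"], "iso": ["A.5.18", "A.8.2"]},
    "change-management": {"soc2": ["CC8.1"],          "iso": ["A.8.32"]},
    "vuln-management":   {"soc2": ["CC7.1"],          "iso": ["A.8.8"]},
    "backup-restore":    {"soc2": ["A1.2"],           "iso": ["A.8.13"]},  # A1.x = Availability category
}

@dataclass(frozen=True)
class Evidence:
    control: str      # unified control name (key of CONTROL_MAP)
    collected: date   # when the artifact was produced, not when it was uploaded
    artifact: str

@dataclass
class SoAEntry:
    control: str
    applicable: bool
    risk_ids: list = field(default_factory=list)
    owner: str = ""

def tsc_category(tsc_id: str) -> str:
    """'CC6.2' -> 'CC', 'A1.2' -> 'A', 'PI1.1' -> 'PI'."""
    return re.match(r"[A-Z]+", tsc_id).group(0)

def month_keys(start: date, end: date) -> list:
    """Every (year, month) in the observation window, inclusive."""
    keys, y, m = [], start.year, start.month
    while (y, m) <= (end.year, end.month):
        keys.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return keys

def soc2_gaps(evidence, start: date, end: date, categories=("CC",)) -> dict:
    """Months in the window with no evidence, per TSC criterion in the selected categories.
    Type II is about operation over time, so a pile of artifacts dated the week
    before fieldwork still leaves the earlier months empty."""
    wanted = month_keys(start, end)
    seen = {tsc: set() for refs in CONTROL_MAP.values()
            for tsc in refs["soc2"] if tsc_category(tsc) in categories}
    for ev in evidence:
        if not (start <= ev.collected <= end):
            continue
        for tsc in CONTROL_MAP.get(ev.control, {}).get("soc2", []):
            if tsc in seen:
                seen[tsc].add((ev.collected.year, ev.collected.month))
    return {tsc: [m for m in wanted if m not in months]
            for tsc, months in seen.items() if set(wanted) - months}

def iso_gaps(soa) -> dict:
    """Applicable controls in the SoA without a risk link or an owner, plus mapped controls
    missing from the SoA entirely. ISO 27001 does not ask 'did it run every month'; it asks
    why the control is there and who runs the management loop around it."""
    gaps = {}
    for e in soa:
        if e.applicable and not e.risk_ids:
            gaps[e.control] = "no risk linked"
        elif e.applicable and not e.owner:
            gaps[e.control] = "no owner"
    listed = {e.control for e in soa}
    for control in CONTROL_MAP:
        if control not in listed:
            gaps[control] = "not in SoA"
    return gaps

def package(evidence, framework: str) -> dict:
    """Same records, re-keyed by one framework's IDs so each auditor sees their own structure."""
    out = {}
    for ev in evidence:
        for ref in CONTROL_MAP[ev.control][framework]:
            out.setdefault(ref, []).append(ev.artifact)
    return out

# Constructed sample: six-month window; vulnerability scans exist only from the weeks before audit.
START, END = date(2024, 1, 1), date(2024, 6, 30)
SAMPLE_EVIDENCE = (
    [Evidence("access-review", date(2024, m, 15), f"access-review-2024-{m:02d}.csv") for m in range(1, 7)]
    + [Evidence("change-management", date(2024, m, 10), f"change-log-2024-{m:02d}.json") for m in range(1, 7)]
    + [Evidence("backup-restore", date(2024, m, 28), f"restore-test-2024-{m:02d}.txt") for m in range(1, 7)]
    + [Evidence("vuln-management", date(2024, 6, 20), "scan-2024-06-20.sarif"),
       Evidence("vuln-management", date(2024, 6, 25), "scan-2024-06-25.sarif")]
)
SAMPLE_SOA = [
    SoAEntry("access-review", True, ["R-03"], "Head of IT"),
    SoAEntry("change-management", True, ["R-07"], "Eng Manager"),
    SoAEntry("vuln-management", True, ["R-05"]),          # linked to a risk, but nobody owns it
    # backup-restore has no SoA row at all
]

if __name__ == "__main__":
    print("SOC 2 gaps:", soc2_gaps(SAMPLE_EVIDENCE, START, END))
    print("ISO gaps:", iso_gaps(SAMPLE_SOA))
    print("ISO package keys:", sorted(package(SAMPLE_EVIDENCE, "iso")))
```

Run as-is, the SOC 2 check flags CC7.1 for January through May even though two scan artifacts exist, because Type II cares about the whole window; the ISO check flags the same vulnerability-management control for a different reason (no owner) and notices that backup-restore never made it into the Statement of Applicability. Both findings come from one record set, which is the point of designing the pipeline once.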

The engagement structure is typically:

  • Discovery and scope (4 weeks) — map customer requirements to framework choice, scope both frameworks together
  • ISMS design and control mapping (6 weeks) — design the cross-framework control set, Annex A mapping for ISO, Trust Services scope for SOC 2
  • Implementation (12–20 weeks) — build the technical and policy infrastructure, evidence pipeline stands up, internal controls operate
  • Observation window (3–12 months) — SOC 2 Type II window, ISO 27001 operating period for Stage 2 readiness
  • Audits (4–8 weeks) — SOC 2 audit and ISO 27001 Stage 1 + Stage 2 audits, often sequenced to share personnel availability

Total elapsed time: 9–18 months for both first certifications, depending on observation window length and organizational complexity. The all-in cost is 30–40% less than two sequential standalone programs.

The mistake to avoid

The single most costly mistake in this space is scoping a program to SOC 2 alone, completing it, and then starting ISO 27001 as a separate effort. The SOC 2 evidence pipeline doesn’t translate to ISO 27001 cleanly, because it was never tied to a risk register, a Statement of Applicability, or an internal audit cycle. Retrofitting the ISMS afterward is expensive.

If you know both frameworks are in your future — and for most B2B SaaS companies scaling internationally, both are in the future — design for both from the beginning. Even if you complete SOC 2 first, the program structure should support ISO 27001 without rework.

When to engage

For teams approaching this decision for the first time, the highest-impact conversation is early — before you pick a framework, pick a platform, or commit to an audit firm. A 30-minute scoping conversation typically yields enough clarity to make the right first-framework call, and if you’re doing both, saves meaningful money down the line.

Our SOC 2 practice and ISO 27001 practice are designed for the cross-framework case. If you’ve already started one and are wondering how to bring in the other, we often pick up engagements at that mid-point.

Related reading: SOC 2 Type II evidence patterns · when SOC 2 platforms hit their limits