ISO 27001 vs SOC 2
Two overlapping but structurally different security frameworks — ISO 27001 is an international certification of your information-security management system; SOC 2 is a US-originated attestation report on how well your controls met the AICPA Trust Services Criteria over a defined period.
ISO/IEC 27001 and SOC 2 are the two dominant security frameworks in B2B procurement. They overlap by roughly 70% at the control level but are structurally different in geography, format, audit cycle, and what the buyer actually receives.
At a glance
| Dimension | ISO 27001 | SOC 2 |
|---|---|---|
| Origin | International standard (ISO + IEC) | US standard (AICPA) |
| Output | Certificate issued by an accredited body | Attestation report issued by a CPA firm |
| Subject | The ISMS (management system + Annex A controls) | The service organisation against the Trust Services Criteria |
| Scope choice | You define the ISMS scope | You choose which Trust Services Criteria apply (Security is mandatory) |
| Audit cadence | 3-year certification cycle + annual surveillance | Annual; Type I is a point in time, Type II covers a 3-12 month period |
| Distribution | Public certificate; you publish it | Report is confidential; you share under NDA |
| Latest revision | ISO/IEC 27001:2022 (Annex A reorganised into 93 controls in 4 themes) | SSAE 18 / 2017 TSC, updates ongoing |
| Typical buyer | EU-led procurement, large enterprises, regulated sectors | US-led procurement, mid-market SaaS, financial services |
| Cost | Comparable: ~€20-60k for the cert + audit + remediation on a typical mid-market scope; ~€100k+ for larger scopes | Comparable: ~$25-80k for Type II, plus remediation; auditor fees vary widely |
What each is, in one paragraph
ISO/IEC 27001 is an international standard (ISO/IEC 27001:2022) that defines the requirements for an Information Security Management System (ISMS) — a structured way to identify risks, define controls, and continuously improve. Clauses 4-10 cover the management system itself (context, leadership, planning, support, operation, evaluation, improvement). Annex A lists 93 controls organised into 4 themes (Organisational, People, Physical, Technological). Certification is issued by an accredited certification body after a Stage 1 (documentation) and Stage 2 (implementation) audit, then renewed every three years with annual surveillance audits.
SOC 2 is a US-originated audit framework defined by the AICPA. It is not a certification: a CPA firm issues an attestation report on whether your controls met the Trust Services Criteria (TSC). The TSC has five categories — Security (always required), Availability, Processing Integrity, Confidentiality, Privacy (chosen based on your service). A Type I report describes the design of controls at a point in time. A Type II report — which is what enterprise buyers actually want — describes the operating effectiveness of those controls over a 3 to 12 month observation window.
Where they overlap
At control level, the two frameworks share roughly 70% of substance. AICPA publishes an official mapping between Annex A and the TSC, and the common ground includes:
- Risk management and governance (ISO Clauses 4-6 ↔ SOC 2 CC3, CC4)
- Access control (Annex A 5.15-5.18 ↔ CC6.1-6.3)
- Cryptography (Annex A 8.24 ↔ CC6.7)
- Operations security and change management (Annex A 8.32 ↔ CC8.1)
- Supplier / third-party risk (Annex A 5.19-5.22 ↔ CC9.2)
- Incident management (Annex A 5.24-5.29 ↔ CC7.3-7.5)
- Awareness, training, and human resources security (Annex A 6.1-6.6 ↔ CC1.4, CC2.2)
- Logging, monitoring, and event management (Annex A 8.15-8.16 ↔ CC7.1-7.2)
Where they diverge: ISO 27001 puts more weight on the management system itself (PDCA, top-management commitment, the documented ISMS); SOC 2 puts more weight on operating evidence over time (logs, samples, control walkthroughs). ISO requires a published Statement of Applicability; SOC 2 requires the auditor’s opinion in a long-form report.
Which one first?
The answer is almost always determined by who is buying:
- EU-headquartered SaaS, large-enterprise EU buyers, regulated sectors (NIS2, DORA scope): ISO 27001 first. It is the framework EU procurement teams ask for by name, it pairs naturally with GDPR Article 32, and it is recognised globally.
- US-headquartered SaaS, US enterprise buyers, fintech/healthtech: SOC 2 Type II first. It is the framework US procurement asks for; Type I is sometimes acceptable as a stopgap while Type II observation runs.
- Both buyer geographies: ISO 27001 first if you have a slight EU bias (the certificate is easier to publish), SOC 2 first if you have a US bias. Either way, the second is much cheaper because of the overlap — most teams get the second framework within 12-18 months of the first.
For an early-stage SaaS startup with no formal program yet, the realistic order is: HIPAA/PCI/HDS if your data category demands it, then SOC 2 Type II OR ISO 27001 based on customer geography, then add the other within a year.
Where Engarde fits
Both frameworks have grown teeth on the human-factor and awareness controls:
- ISO 27001:2022 added the Awareness, education and training control (Annex A 6.3) explicitly requiring evidence of appropriate awareness, education and training and regular updates, not just attendance lists.
- SOC 2 has long required CC1.4 (The entity demonstrates a commitment to attract, develop, and retain competent individuals) and CC2.2 (The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control) — both of which auditors increasingly read as “show us behavioral evidence”, not just policy documents.
Engarde produces that evidence layer continuously — behavior baselines, nudge-acceptance trends, phishing-simulation outcomes, PSSI alignment — in formats that both ISO certification bodies and SOC 2 auditors recognise (this is the Engarde described on this page, distinct from other vendors sharing the name). Once the data exists for one framework, mapping it to the other is largely a labelling exercise.
Related terms
- ISO/IEC 27001: International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.
- SOC 2: AICPA attestation framework based on five Trust Services Criteria — the de facto B2B SaaS sales gate for North American buyers.
- NIS2: EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- DORA (Digital Operational Resilience Act): EU Regulation 2022/2554 making digital operational resilience — including human-factor controls — directly binding on financial entities since 17 January 2025.
- GDPR Article 32: The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
- Behavioral evidence: The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.