The short answer
If your customers are American, get SOC 2 first. If they are European, get ISO 27001 first. If they are both, plan to get both — the overlap is large enough that the second one is much cheaper than the first.
Certification vs attestation — they are not the same thing
The single most important distinction: ISO 27001 is a certification; SOC 2 is an attestation. It changes who signs, what you get and how you share it.
- ISO 27001 is an international standard. An accredited certification body audits your information security management system (ISMS) and, if you pass, issues a certificate valid for three years (with annual surveillance audits). The certificate is public and instantly recognisable worldwide.
- SOC 2 is not a standard you "pass". It is an engagement under the AICPA's attestation standards in which a licensed US CPA firm examines your controls against the Trust Services Criteria and issues a report with the auditor's opinion. There is no certificate; you share the report — usually under NDA — with customers and their auditors.
So an ISO 27001 logo on your trust page is legitimate; a "SOC 2 certified" badge is technically a misnomer. You are SOC 2 *attested*, evidenced by a report.
The Trust Services Criteria (and what's actually mandatory)
SOC 2 is built on five Trust Services Criteria (TSC). You do not have to cover all five:
| Criterion | Mandatory? | Covers |
|---|---|---|
| Security (Common Criteria) | Yes — always | Protection against unauthorised access, the baseline for every SOC 2 |
| Availability | Optional | Uptime, performance, disaster recovery |
| Processing Integrity | Optional | Processing is complete, valid, accurate, timely |
| Confidentiality | Optional | Protection of information designated confidential |
| Privacy | Optional | Collection, use, retention and disposal of personal data |
Most SaaS start with Security only (often plus Availability and Confidentiality). The Security criterion is the "Common Criteria" (CC-series) and is non-negotiable; the other four are scoped in only if they matter to your customers.
Type I vs Type II
- Type I assesses whether your controls are suitably designed at a single point in time. It is faster and cheaper, and useful as a stepping stone — but enterprise buyers rarely accept it on its own.
- Type II assesses whether those controls operated effectively over a period, typically 3 to 12 months. This is the report customers actually want, because it proves the controls work in practice, not just on paper.
Plan for Type I only as a bridge; budget for Type II as the real deliverable.
What overlaps with ISO 27001
The good news for anyone facing both: a single, well-written set of policies satisfies large parts of each framework. Note that ISO 27001:2022 renumbered Annex A (now 93 controls in four themes), so the mapping below uses the current control references:
| Domain | SOC 2 (TSC) | ISO 27001:2022 |
|---|---|---|
| Access control | CC6.1–CC6.3 | A.5.15, A.5.16, A.5.18 |
| Change management | CC8.1 | A.8.32 |
| Incident response | CC7.3–CC7.4 | A.5.24, A.5.26 |
| Risk assessment | CC3.1–CC3.4 | 6.1.2 |
| Vendor management | CC9.2 | A.5.19, A.5.20 |
| Logging & monitoring | CC7.1–CC7.2 | A.8.15, A.8.16 |
PolicyForge tags every template with both control families, so you maintain one set of policies, not two.
A worked example of reuse
Say your first target is SOC 2 Type II (Security + Availability) because your biggest prospects are US enterprises. You write an access control policy, an incident response policy and a change management policy, and your auditor maps them to CC6, CC7 and CC8. Eighteen months later a European deal requires ISO 27001. Those same three policies already satisfy A.5.15/5.16, A.5.24/5.26 and A.8.32 — you adjust the framing to the ISMS clause language, add the mandatory ISO documents (scope, risk treatment, Statement of Applicability) and run the certification audit. The policy-writing work — usually the slowest part — is done once.
Cost and timeline (realistic 2026 numbers)
| Item | SOC 2 Type II | ISO 27001 |
|---|---|---|
| Auditor fees | €15k–€35k | €8k–€25k |
| Tooling (Drata, Vanta, etc.) | €10k–€25k/yr | €10k–€25k/yr |
| Internal time | 200–400 h | 150–350 h |
| Time to first report/cert | 9–12 months | 6–9 months |
These are directional ranges for a 5-to-20-person SaaS — your figures vary with scope, the number of TSC, and how much is already automated. Either way, plan a full quarter of focused work.
Our recommendation
- Write your policies first (the 14 baseline ones). This is the rate-limiting step for both frameworks.
- Implement the controls — get MFA everywhere, centralise logs, enforce code review.
- Pick your first framework based on your top 5 prospects (US → SOC 2, EU → ISO 27001).
- Reuse 80% of the work for the second one when revenue justifies it.
Primary sources worth reading
- AICPA Trust Services Criteria — the authoritative SOC 2 source (aicpa-cima.com).
- ISO/IEC 27001:2022 — the standard itself (iso.org/standard/27001).