ISO 27001 vs SOC 2: which one your customers actually ask for
ISO 27001 is an internationally recognised standard against which an information security management system (ISMS) is certified, and it is the preferred ask in Europe. SOC 2 is a US-originated attestation issued by a CPA firm, and it is the preferred ask in the United States. The two cover similar ground, but their structure and the pattern of where each is recognised differ.
Geographic recognition
ISO 27001 is internationally recognised. It is the default ask in European procurement and is broadly accepted in the UK, the Middle East, Asia, and Latin America. In the United States it is recognised, but US buyers will typically ask for SOC 2 first.
SOC 2 is dominant in the United States. American buyers, especially US SaaS companies buying from other US SaaS vendors, often treat SOC 2 as the baseline ask. European buyers will accept SOC 2 but will sometimes also ask for ISO 27001, particularly in regulated industries (banking, insurance, healthcare).
Certified vs attested: a structural difference
ISO 27001 is a certification. An accredited certification body issues a binary certificate: the organisation’s ISMS conforms to the standard, or it does not. The certificate is valid for three years. Buyers see a yes-or-no answer.
SOC 2 is an attestation by a CPA firm. The CPA firm issues a report that describes the system and its controls and states whether or not, in the auditor's opinion, the controls are suitably designed and operating effectively. The report is a document that buyers read; it is not a binary certificate. Two organisations can both hold SOC 2 reports with materially different control sets in scope.
Implication for the buyer: ISO 27001 is a fast filter ("are they certified?"). SOC 2 is a substantive read ("what does their report say?").
Type I vs Type II
Both ISO 27001 and SOC 2 have an equivalent of operating-effectiveness testing, but the structure differs.
ISO 27001 certification is binary; there is no Type I vs Type II distinction in the certificate itself. The auditor tests operating effectiveness as part of Stage 2 and the surveillance cycle.
SOC 2 distinguishes Type I (design at a point in time) from Type II (operating effectiveness over a period, typically six to twelve months). Most enterprise buyers require SOC 2 Type II.
Scope flexibility
ISO 27001 scope is defined by the organisation and confirmed by the certification body. The scope statement (services, sites, business units) is on the certificate. Scope can be narrow if justified.
SOC 2 scope is defined by which of the Trust Services Criteria are selected. Security is mandatory; Availability, Confidentiality, Processing Integrity, and Privacy are optional. Most enterprise buyers expect at least Security and Availability.
Cost and timeline
For a typical European SME (50 to 200 employees), ISO 27001 first certification costs €15,000 to €30,000 in audit fees, with internal preparation costs of three to five times that. Timeline from the decision to start to the certificate: six to twelve months.
SOC 2 Type II costs $20,000 to $50,000 in audit fees, with the observation period itself running six to twelve months. Internal preparation costs are similar in magnitude.
Annual ongoing costs are similar for both. Each ISO 27001 surveillance audit costs roughly half of a Stage 2 audit. SOC 2 Type II is repeated annually, so the recurring cost is that of a full Type II.
When you need both
If your customer base is split between US and Europe with serious enterprise deals on both sides, you will be asked for both. Common case: a European SaaS expanding into the US, or a US SaaS expanding into European regulated industries.
The good news: the underlying control set overlaps heavily. The 93 Annex A controls of ISO 27001:2022 cover most of what the SOC 2 Trust Services Criteria require. Maintaining both as one integrated programme is significantly less work than running two separate programmes.
NIS 2 angle
For European entities in scope of NIS 2, ISO 27001 is the default and usually fastest path to demonstrating alignment with the Article 21 cybersecurity risk management measures. Several national transpositions explicitly reference ISO 27001 (or sector-specific extensions such as ISO 27017 for cloud, ISO 27018 for personal data in the cloud, and ISO 27701 for privacy) as acceptable evidence of conformance.
SOC 2 is not generally treated as evidence of NIS 2 conformance by European supervisory authorities, because it is a US attestation framework rather than a European standard.