Why this question matters more than the answer
Compliance certificates don't make you secure. They make it provable. The reason you pursue one is almost always commercial — an enterprise procurement team is blocking the contract, an investor wants it before close, a regulator now requires it, or your insurer demands it. Pick the framework whose certificate unblocks the most deals.
That sounds cynical. It isn't. Real security work — the work that keeps your customers' data intact — is the same regardless of which framework you map it to. The choice of certification is a routing decision: which gatekeepers does it satisfy?
SOC 2 in depth
SOC 2 reports are issued under AICPA SSAE 18 by a licensed CPA firm. They attest to how an organisation's controls satisfy one or more of five Trust Services Criteria:
- Security (CC series) — the only mandatory criterion. Everyone includes this.
- Availability — for SaaS with uptime SLAs.
- Confidentiality — for handlers of business-sensitive information.
- Processing Integrity — for financial-data processors, payroll, billing.
- Privacy — for handlers of personally identifiable information.
Most SaaS companies scope Security + Availability + Confidentiality and stop there.
Type 1 versus Type 2
Type 1 audits the design of controls on a single date — it confirms they exist and look reasonable. Type 2 audits the operation of controls over an observation window, usually 3 to 12 months. Enterprise procurement teams almost always want Type 2; Type 1 is a stepping stone.
If your controls have been operating reliably for 6+ months when you start the audit, skip Type 1 entirely and go straight to a 6-month observation Type 2. The audit fees are similar and you save 6 months of calendar time.
Realistic SOC 2 cost
For a 10–100 employee SaaS starting from scratch, first-year SOC 2 Type 2 total cost typically lands between USD 60,000 and 120,000:
- Audit fees: USD 25,000–50,000 (depends on firm size, scope, and your maturity).
- Compliance automation tooling (Vanta, Drata, Secureframe, Sprinto): USD 20,000–50,000 in year one.
- Readiness consulting / fractional security lead: USD 15,000–40,000 if you don't have an in-house security function.
Year-two cost typically drops to USD 30,000–60,000 as the programme stabilises.
ISO/IEC 27001:2022 in depth
ISO 27001 certifies an Information Security Management System (ISMS) — the management framework — and ISO 27002 supplies the catalogue of 93 controls (Annex A) that the ISMS implements. The 2022 revision restructured Annex A from 114 controls into 93 across four themes: Organisational (37), People (8), Physical (14), Technological (34).
Certification is issued by an accredited certification body (BSI, Bureau Veritas, DNV, TÜV, NQA, etc.) after a two-stage audit:
- Stage 1 — documentation review (the auditor reads your ISMS).
- Stage 2 — operational audit (the auditor watches your ISMS run).
The certificate is valid for three years with annual surveillance audits in between.
Timeline for first certification
Plan for 9–14 months from gap analysis to certificate for a first-time pursuit:
- Gap analysis: 4–6 weeks.
- ISMS build, control remediation, evidence collection: 4–8 months.
- Internal audit: 2–4 weeks.
- Management review: 2 weeks.
- Stage 1 + Stage 2 external audit: 6–10 weeks.
Faster is possible if you've already done SOC 2 — the control overlap is significant.
SMB1001 — the often-overlooked option
SMB1001 is a tiered information-security standard published by the SMB1001 Foundation and explicitly designed for small and medium businesses. The tiers — Bronze, Silver, Gold, Platinum, Diamond — let an organisation demonstrate proportional assurance without committing to the full ISO 27001 burden.
- Bronze: ~25 foundational controls. 4 weeks to achieve. Suitable for sub-20-person businesses.
- Silver: ~50 controls including basic risk management and incident response. 6–8 weeks.
- Gold: ~75 controls. Approaches ISO 27001 Annex A coverage at a reduced depth. 3–4 months.
- Platinum / Diamond: effectively ISO 27001-grade with sector-specific additions.
SMB1001 is increasingly accepted by Australian and Asia-Pacific procurement teams and is gaining traction in the UK SME sector. It is a credible step between "nothing" and "full ISO 27001" — and a useful Year 1 target if your buyers are mostly mid-market rather than Fortune 500.
Control overlap: build once, certify many
The same control implementations satisfy multiple frameworks. A non-exhaustive overlap map:
| Control area | SOC 2 | ISO 27001 | NIS2 | DORA |
|---|---|---|---|---|
| Access control / least privilege | CC6.1–6.3 | A.5.15, A.8.3 | Art. 21 | Art. 9 |
| Change management | CC8.1 | A.8.32 | Art. 21 | Art. 8 |
| Vendor / third-party risk | CC9.2 | A.5.19–A.5.22 | Art. 21(2)(d) | Art. 28–30 |
| Incident response | CC7.3–7.5 | A.5.24–A.5.27 | Art. 23 | Art. 19 |
| Logging & monitoring | CC7.1–7.2 | A.8.15–A.8.17 | Art. 21 | Art. 10 |
| Business continuity | A1.1–A1.3 | A.5.29–A.5.30 | Art. 21(2)(c) | Art. 11 |
The implication: a unified programme is cheaper than serial certification. Don't run SOC 2 in 2026, ISO 27001 in 2027, and NIS2 readiness in 2028. Scope them together.
EU regulations: legal obligations, not certifications
GDPR, NIS2, and DORA are different from SOC 2 / ISO 27001. They are binding law, not voluntary frameworks — there is no certificate, and non-compliance carries fines up to 4% of global turnover (GDPR) or 2% (NIS2). They overlap heavily with ISO 27001 but introduce specific reporting obligations:
- GDPR Art. 33: 72-hour breach notification to supervisory authority.
- NIS2 Art. 23: 24-hour early warning, 72-hour notification, one-month final report.
- DORA Art. 19: major ICT-related incident classification and reporting for financial entities.
If your business is in scope of any of these, the incident-response playbooks must be sequenced against the strictest clock. NIS2's 24-hour early warning is the tightest — your IR plan needs to support it before an incident, not during.
A decision tree
Asked simply: where are your buyers?
- US-heavy SaaS, enterprise pipeline → SOC 2 Type 2.
- EU/UK/APAC pipeline, public-sector or large enterprises → ISO 27001:2022.
- EU-facing, processing personal data → GDPR programme is non-negotiable; ISO 27001 makes the rest easier.
- EU essential or important entity (energy, healthcare, transport, digital infrastructure, public administration, etc.) → NIS2 compliance by national transposition deadline; ISO 27001 satisfies most of it.
- EU financial entity or critical ICT third-party provider → DORA compliance mandatory since January 2025.
- SMB with mid-market customers, not yet ready for ISO 27001 → SMB1001 Silver as a Year 1 target.
What auditors actually look for
Three things, in order:
- Evidence that controls operate, not just that they exist. A policy that says "we review access quarterly" is worth nothing without four signed off, dated reviews in the audit period.
- Consistency between policy, practice, and configuration. If the policy says MFA is mandatory but the auditor finds five users without it, the finding is severe — not for the missing MFA, but for the policy-practice gap.
- A risk register that has been updated since you wrote it. Auditors are very good at spotting risk registers that were authored once and never revisited.
The best preparation isn't more documentation. It's operating for six months exactly as your policies describe, with evidence that demonstrates it.