Contact us
XONO / Insights / Compliance

SOC 2 vs ISO 27001 vs SMB1001: which framework do you actually need?

Three names, three audit processes, three certificates — and one question every founder eventually faces: which one will move the deal we're stuck in? Here's a comparison that won't try to upsell you on anything.

Key takeaways

  • SOC 2 is an AICPA attestation report — favoured by US enterprise buyers. Two flavours: Type 1 (point-in-time, ~6–10 weeks) and Type 2 (operating period of 3–12 months, the one enterprises actually want).
  • ISO/IEC 27001:2022 is a certifiable management-system standard — favoured by EU, UK, APAC buyers and regulators. 9–14 months from gap analysis to certificate for a typical first-time pursuit.
  • SMB1001 is a scaled, tiered (Bronze → Diamond) standard for SMBs who can't justify full ISO 27001 yet. Bronze and Silver achievable in 4–8 weeks; legally credible interim assurance.
  • ~70% of underlying controls overlap. Build one programme, map evidence to multiple frameworks. Don't run parallel implementations.
  • EU regulatory layers (GDPR, NIS2, DORA) impose binding legal obligations that overlap heavily with ISO 27001 — sequence the certifications to satisfy them in parallel.

Why this question matters more than the answer

Compliance certificates don't make you secure. They make it provable. The reason you pursue one is almost always commercial — an enterprise procurement team is blocking the contract, an investor wants it before close, a regulator now requires it, or your insurer demands it. Pick the framework whose certificate unblocks the most deals.

That sounds cynical. It isn't. Real security work — the work that keeps your customers' data intact — is the same regardless of which framework you map it to. The choice of certification is a routing decision: which gatekeepers does it satisfy?

SOC 2 in depth

SOC 2 reports are issued under AICPA SSAE 18 by a licensed CPA firm. They attest to how an organisation's controls satisfy one or more of five Trust Services Criteria:

  • Security (CC series) — the only mandatory criterion. Everyone includes this.
  • Availability — for SaaS with uptime SLAs.
  • Confidentiality — for handlers of business-sensitive information.
  • Processing Integrity — for financial-data processors, payroll, billing.
  • Privacy — for handlers of personally identifiable information.

Most SaaS companies scope Security + Availability + Confidentiality and stop there.

Type 1 versus Type 2

Type 1 audits the design of controls on a single date — it confirms they exist and look reasonable. Type 2 audits the operation of controls over an observation window, usually 3 to 12 months. Enterprise procurement teams almost always want Type 2; Type 1 is a stepping stone.

If your controls have been operating reliably for 6+ months when you start the audit, skip Type 1 entirely and go straight to a 6-month observation Type 2. The audit fees are similar and you save 6 months of calendar time.

Realistic SOC 2 cost

For a 10–100 employee SaaS starting from scratch, first-year SOC 2 Type 2 total cost typically lands between USD 60,000 and 120,000:

  • Audit fees: USD 25,000–50,000 (depends on firm size, scope, and your maturity).
  • Compliance automation tooling (Vanta, Drata, Secureframe, Sprinto): USD 20,000–50,000 in year one.
  • Readiness consulting / fractional security lead: USD 15,000–40,000 if you don't have an in-house security function.

Year-two cost typically drops to USD 30,000–60,000 as the programme stabilises.

ISO/IEC 27001:2022 in depth

ISO 27001 certifies an Information Security Management System (ISMS) — the management framework — and ISO 27002 supplies the catalogue of 93 controls (Annex A) that the ISMS implements. The 2022 revision restructured Annex A from 114 controls into 93 across four themes: Organisational (37), People (8), Physical (14), Technological (34).

Certification is issued by an accredited certification body (BSI, Bureau Veritas, DNV, TÜV, NQA, etc.) after a two-stage audit:

  • Stage 1 — documentation review (the auditor reads your ISMS).
  • Stage 2 — operational audit (the auditor watches your ISMS run).

The certificate is valid for three years with annual surveillance audits in between.

Timeline for first certification

Plan for 9–14 months from gap analysis to certificate for a first-time pursuit:

  • Gap analysis: 4–6 weeks.
  • ISMS build, control remediation, evidence collection: 4–8 months.
  • Internal audit: 2–4 weeks.
  • Management review: 2 weeks.
  • Stage 1 + Stage 2 external audit: 6–10 weeks.

Faster is possible if you've already done SOC 2 — the control overlap is significant.

SMB1001 — the often-overlooked option

SMB1001 is a tiered information-security standard published by the SMB1001 Foundation and explicitly designed for small and medium businesses. The tiers — Bronze, Silver, Gold, Platinum, Diamond — let an organisation demonstrate proportional assurance without committing to the full ISO 27001 burden.

  • Bronze: ~25 foundational controls. 4 weeks to achieve. Suitable for sub-20-person businesses.
  • Silver: ~50 controls including basic risk management and incident response. 6–8 weeks.
  • Gold: ~75 controls. Approaches ISO 27001 Annex A coverage at a reduced depth. 3–4 months.
  • Platinum / Diamond: effectively ISO 27001-grade with sector-specific additions.

SMB1001 is increasingly accepted by Australian and Asia-Pacific procurement teams and is gaining traction in the UK SME sector. It is a credible step between "nothing" and "full ISO 27001" — and a useful Year 1 target if your buyers are mostly mid-market rather than Fortune 500.

Control overlap: build once, certify many

The same control implementations satisfy multiple frameworks. A non-exhaustive overlap map:

Control area SOC 2 ISO 27001 NIS2 DORA
Access control / least privilegeCC6.1–6.3A.5.15, A.8.3Art. 21Art. 9
Change managementCC8.1A.8.32Art. 21Art. 8
Vendor / third-party riskCC9.2A.5.19–A.5.22Art. 21(2)(d)Art. 28–30
Incident responseCC7.3–7.5A.5.24–A.5.27Art. 23Art. 19
Logging & monitoringCC7.1–7.2A.8.15–A.8.17Art. 21Art. 10
Business continuityA1.1–A1.3A.5.29–A.5.30Art. 21(2)(c)Art. 11

The implication: a unified programme is cheaper than serial certification. Don't run SOC 2 in 2026, ISO 27001 in 2027, and NIS2 readiness in 2028. Scope them together.

EU regulations: legal obligations, not certifications

GDPR, NIS2, and DORA are different from SOC 2 / ISO 27001. They are binding law, not voluntary frameworks — there is no certificate, and non-compliance carries fines up to 4% of global turnover (GDPR) or 2% (NIS2). They overlap heavily with ISO 27001 but introduce specific reporting obligations:

  • GDPR Art. 33: 72-hour breach notification to supervisory authority.
  • NIS2 Art. 23: 24-hour early warning, 72-hour notification, one-month final report.
  • DORA Art. 19: major ICT-related incident classification and reporting for financial entities.

If your business is in scope of any of these, the incident-response playbooks must be sequenced against the strictest clock. NIS2's 24-hour early warning is the tightest — your IR plan needs to support it before an incident, not during.

A decision tree

Asked simply: where are your buyers?

  • US-heavy SaaS, enterprise pipeline → SOC 2 Type 2.
  • EU/UK/APAC pipeline, public-sector or large enterprises → ISO 27001:2022.
  • EU-facing, processing personal data → GDPR programme is non-negotiable; ISO 27001 makes the rest easier.
  • EU essential or important entity (energy, healthcare, transport, digital infrastructure, public administration, etc.) → NIS2 compliance by national transposition deadline; ISO 27001 satisfies most of it.
  • EU financial entity or critical ICT third-party provider → DORA compliance mandatory since January 2025.
  • SMB with mid-market customers, not yet ready for ISO 27001 → SMB1001 Silver as a Year 1 target.

What auditors actually look for

Three things, in order:

  1. Evidence that controls operate, not just that they exist. A policy that says "we review access quarterly" is worth nothing without four signed off, dated reviews in the audit period.
  2. Consistency between policy, practice, and configuration. If the policy says MFA is mandatory but the auditor finds five users without it, the finding is severe — not for the missing MFA, but for the policy-practice gap.
  3. A risk register that has been updated since you wrote it. Auditors are very good at spotting risk registers that were authored once and never revisited.

The best preparation isn't more documentation. It's operating for six months exactly as your policies describe, with evidence that demonstrates it.

Frequently asked questions

What is the difference between SOC 2 and ISO 27001?

SOC 2 is an attestation report under AICPA SSAE 18 that demonstrates how an organisation's controls address the Trust Services Criteria. ISO/IEC 27001 is a certifiable management-system standard governing an Information Security Management System. SOC 2 is favoured by US buyers; ISO 27001 by EU, UK, and Asian buyers. Both audit operating controls; about 70% of the underlying controls overlap.

Should I pursue SOC 2 Type 1 or Type 2 first?

SOC 2 Type 1 audits a point in time. Type 2 audits an observation period (3–12 months). Enterprise buyers care about Type 2. If you have 6+ months of stable controls, skip Type 1 and go straight to Type 2.

What is SMB1001 and how does it relate to ISO 27001?

SMB1001 is a scaled, tiered (Bronze → Diamond) standard for SMBs. It covers a subset of ISO 27001 Annex A controls and is significantly faster and cheaper to achieve. Bronze and Silver tiers serve as credible interim assurance before pursuing ISO 27001.

How much does SOC 2 cost?

First-year SOC 2 Type 2 cost typically runs USD 60,000–120,000 for a 10–100 employee SaaS: USD 25,000–50,000 audit, USD 20,000–50,000 tooling, USD 15,000–40,000 readiness consulting. Year two drops to USD 30,000–60,000.

Can one programme cover SOC 2, ISO 27001, NIS2, GDPR, and DORA simultaneously?

Yes, and it's the right approach when more than one is in scope. The underlying controls overlap heavily — access management, change management, vendor risk, incident response — so build them once and map evidence to multiple frameworks. Plan for 20–30% extra effort versus a single framework, not 100% per additional standard.

Compliance is a routing decision — let's pick the right route

We run gap analyses across all five frameworks above in 4 weeks, with a unified remediation roadmap that minimises duplicate work. No two clients get the same plan.

Start a conversation

Read next