SOC 2, ISO 27001 & Compliance Frameworks
Certification Strategy
SOC 2 and ISO 27001 are the two most commonly requested compliance certifications in enterprise software procurement. Without them, Fortune 500 security teams will not approve ReGenesis as a vendor. The certification roadmap is sequenced to support the sales cycle: SOC 2 Type I by Q3 2026 (before McKinsey pilot closes), SOC 2 Type II by Q1 2027 (before GA launch), and ISO 27001 by Q2 2027 (for global expansion).
ReGenesis handles sensitive coaching data -- personal reflections, emotional content, career goals, and AI-generated insights -- which elevates the compliance bar above typical SaaS. The platform is built to EU-grade privacy and security standards from day one, even though the initial launch is US-only. This avoids costly retrofits and positions ReGenesis for international expansion without re-architecture.
The compliance automation platform (Vanta, Drata, or Secureframe) will continuously monitor controls, collect evidence, and flag drift. This reduces audit preparation from months to weeks and maintains ongoing compliance rather than annual scrambles. Additional frameworks (HIPAA, NIST 800-53, FedRAMP, ISO 42001 for AI management, ISO 27701 for privacy) are mapped but deferred until market demand requires them.
What Are These Certifications?
SOC 2 (System and Organization Controls 2)
SOC 2 is the standard compliance certification for SaaS companies selling to US enterprises. It was created by the American Institute of CPAs (AICPA) and evaluates your controls across five "Trust Services Criteria":
| Criterion | What It Covers | ReGenesis Relevance |
|---|---|---|
| Security (required) | Protection against unauthorized access | Core platform security, authentication, authorization |
| Availability | System uptime and performance | SLA commitments, DR/BCP plans |
| Processing Integrity | Accurate and complete data processing | Sasha AI producing correct outputs, data pipeline integrity |
| Confidentiality | Protection of confidential information | Coaching data segregation, encryption, access controls |
| Privacy | Personal information handling | GDPR-aligned practices, consent management, data subject rights |
Type I vs. Type II:
- Type I = "Controls are designed correctly" (point-in-time snapshot). Faster to obtain -- typically 2-3 months of preparation.
- Type II = "Controls are designed correctly AND have been operating effectively over a period" (typically 6-12 months of observation). This is what enterprise buyers really want.
ISO 27001
ISO 27001 is the international standard for Information Security Management Systems (ISMS). While SOC 2 is US-centric, ISO 27001 is recognized globally and is often required by European and Asian enterprises.
Key differences from SOC 2:
- ISO 27001 requires a formal Information Security Management System (documented policies, risk assessments, management reviews)
- It uses Annex A controls (93 controls in the 2022 version) rather than Trust Services Criteria
- Certification is issued by an accredited certification body, not an audit firm
- It requires ongoing surveillance audits (annual) and recertification (every 3 years)
How They Map Together
Roughly 70-80% of SOC 2 controls overlap with ISO 27001. By building for SOC 2 first, ReGenesis creates the foundation for ISO 27001 with incremental effort.
Other Frameworks on the Horizon
| Framework | When Needed | Why |
|---|---|---|
| HIPAA | If health/wellness coaching features launch | Protected Health Information regulations |
| NIST 800-53 | If government clients emerge | Federal information security standards |
| FedRAMP | If federal government contracts | Cloud security for government use |
| ISO 42001 | GA or post-GA | AI management system (new standard, demonstrates responsible AI) |
| ISO 27701 | GA or post-GA | Privacy extension to ISO 27001, maps to GDPR |
Compliance Automation
Manual compliance is unsustainable at startup scale. ReGenesis uses a compliance automation platform to:
- Continuously monitor controls (Is MFA enabled? Are logs being collected? Are dependencies patched?)
- Auto-collect evidence (screenshots, API pulls, configuration checks)
- Map controls across multiple frameworks (one control satisfies SOC 2 + ISO 27001 + HIPAA)
- Track readiness with dashboards showing percentage complete
- Manage auditor workflow (share evidence, respond to findings, track remediation)
Platform options: Vanta, Drata, or Secureframe. All three are viable; the decision should factor in pricing, auditor partnerships, and framework coverage.