ADR-002: SOC 2 Before ISO 27001

Status: Accepted
Date: February 2026

Context

Enterprise clients require independent security verification. Two primary frameworks exist:

  • SOC 2: US-originated, widely recognized by North American enterprises, faster to obtain
  • ISO 27001: Internationally recognized, especially in Europe and Asia, more comprehensive but longer process

The Blueprint V1 suggested pursuing both in parallel. The Supplement corrected this to sequential: SOC 2 first.

Decision

Pursue SOC 2 certification first (Type I by Q3 2026, Type II by Q1 2027), then ISO 27001 (2027).

The sequence:

  1. SOC 2 Type I (Q3 2026): Proves controls are designed and in place at a point in time
  2. SOC 2 Type II (Q1 2027): Proves controls operated effectively over 6-12 months
  3. ISO 27001 (2027): Comprehensive ISMS certification for global market

Alternatives Considered

Alternative 1: ISO 27001 First

  • Pro: More comprehensive, globally recognized
  • Con: Takes 12-18 months, US enterprises primarily ask for SOC 2
  • Rejected because: McKinsey and US Fortune 500 will ask for SOC 2 first

Alternative 2: Both in Parallel

  • Pro: Fastest path to having both
  • Con: Resource-intensive, many overlapping controls to document twice, distracts engineering team
  • Rejected because: Startup can't sustain parallel audit processes; better to nail SOC 2 first

Alternative 3: No Formal Certification (Rely on Security Whitepaper)

  • Pro: Cheapest, fastest
  • Con: Most enterprise procurement teams require third-party verification; a self-assessment won't pass Fortune 500 reviews
  • Rejected because: Non-starter for enterprise sales

Consequences

Positive

  • Many SOC 2 controls overlap with ISO 27001 — doing SOC 2 first builds foundation
  • SOC 2 Type I is obtainable in 3-6 months (fast enough for pilot)
  • US enterprise buyers prioritize SOC 2; having it accelerates sales
  • Compliance automation tools (Vanta, Drata) support both frameworks

Negative

  • European clients who prefer ISO 27001 must wait until 2027
  • Some EU government contracts may require ISO 27001 as entry requirement
  • Two separate audit processes mean two sets of audit fees

Cost Estimates

  • SOC 2 Type I audit: $20,000-$50,000
  • SOC 2 Type II audit: $30,000-$70,000
  • ISO 27001 certification: $30,000-$60,000
  • Compliance automation (Vanta/Drata): $10,000-$30,000/year

References