You have SOC 2. Your U.S. pipeline is healthy. And then a European prospect sends you a vendor security questionnaire, and the first line says: "Please provide your ISO 27001 certificate." Not your SOC 2 report. Not your security whitepaper. Your ISO 27001 certificate.
You don't have one. And you're about to discover that the compliance framework that opens every door in the U.S. opens almost none in Europe.
We work with SaaS companies making this exact transition. Here's everything you need to know about ISO 27001, what it actually takes to get certified, what it costs, and how to do it efficiently if you're coming from a SOC 2 baseline.
Why European buyers care about ISO 27001 (and don't care about SOC 2)
SOC 2 is an American attestation framework from the AICPA, and outside the U.S. and Canada it carries little weight in enterprise procurement. Many European IT and security teams are unfamiliar with it, and those who know it treat an auditor's attestation report as a weaker signal than a certificate issued against an international standard. When a German, French, or Dutch enterprise evaluates a SaaS vendor, the question on the form is whether you hold ISO 27001 certification. Full stop.
This isn't arbitrary. ISO/IEC 27001 is an international standard published jointly by the International Organization for Standardization and the International Electrotechnical Commission, with national standards bodies in more than 160 countries behind it. European procurement frameworks, sector regulations, and public-sector tenders reference it directly, and many EU companies' own compliance programs require them to work only with ISO 27001-certified vendors.
The practical impact: if you're a SaaS company expanding into Europe and you only have SOC 2, you will hit a wall. Not a soft preference wall. A hard "your application cannot proceed" wall. We've seen SaaS companies lose six-figure deals because they couldn't produce an ISO 27001 certificate, even though they had a perfectly clean SOC 2 Type II report sitting on the shelf.
This is the reality. If European expansion is in your roadmap, ISO 27001 isn't optional. It's infrastructure.
ISO 27001 in plain English
ISO 27001 requires you to build and operate an Information Security Management System (ISMS). That sounds like jargon, but it's straightforward: an ISMS is your documented, systematic approach to managing information security risks. It covers your people, processes, and technology.
The standard has two main parts. The first is the management system itself: how you identify risks, how you decide what to do about them, how you measure whether it's working, and how you improve over time. This is where most of the documentation effort lives.
The second part is Annex A, a catalog of 93 security controls organized into four themes. You don't have to implement all 93, but you must evaluate every one and record in your Statement of Applicability (SoA) whether it is included or excluded, the justification either way, and, for included controls, whether it is implemented yet. You can also add controls from other sources (a cloud provider's baseline, a customer contract) as long as they appear in the SoA too. The SoA is one of the most important documents in the entire certification process.
Here's how the 93 Annex A controls break down in the 2022 version:
| Control Theme | Number of Controls | What It Covers |
|---|---|---|
| Organizational | 37 controls | Policies, roles, asset management, access control, supplier relationships, incident management, business continuity, compliance |
| People | 8 controls | Screening, terms of employment, security awareness training, disciplinary process, responsibilities after termination |
| Physical | 14 controls | Physical security perimeters, entry controls, securing offices and facilities, equipment protection, clear desk/screen policies |
| Technological | 34 controls | Endpoint security, access rights, authentication, cryptography, vulnerability management, logging, network security, secure development |
The risk assessment methodology is the backbone of ISO 27001. Unlike SOC 2, where you define your own controls against the Trust Services Criteria and an auditor evaluates them, ISO 27001 requires you to start with a formal risk assessment. You identify threats and vulnerabilities, assess likelihood and impact, and then select controls from Annex A (or elsewhere) to treat those risks. Every control decision must be traceable to a risk in your register, or to a legal or contractual obligation you have documented, and the auditor will check the links in both directions: an included control with nothing behind it, or a risk treatment that relies on a control you excluded, is a finding. This is the fundamental philosophical difference between the two frameworks, and it's where most of the incremental work lives if you're coming from SOC 2.
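The two requirements above, that every one of the 93 Annex A controls is evaluated in the SoA and that every included control traces to a risk (or a documented legal or contractual obligation), are mechanical enough to check yourself before the auditor does. The Python script below is an added example, not part of the original article and not any certification body's tooling; the SoA and risk-register layout, the "driver" field, and the remote-first SaaS sample data are constructed assumptions. The sample is seeded with the kinds of defects that surface at Stage 1: a control that was never evaluated, an empty justification, a control carried over from SOC 2 with no risk behind it, and a risk treatment that relies on an excluded control.

```python
"""Consistency checks for a draft ISO 27001:2022 Statement of Applicability.

Added example, not part of the original article. The standard fixes what an
SoA must contain (every Annex A control, included or excluded, each with a
justification) but not its file format, so the data layout, the 'driver'
vocabulary and the sample company below are assumptions made for the demo.
"""
from dataclasses import dataclass, field

# ISO/IEC 27001:2022 Annex A numbering: 5.x organizational (37 controls),
# 6.x people (8), 7.x physical (14), 8.x technological (34) -> 93 in total.
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A_IDS = [f"{t}.{n}" for t, count in ANNEX_A_THEMES.items()
               for n in range(1, count + 1)]
# A control may be selected for a legal or contractual reason rather than to
# treat a register entry; it still needs a justification but no risk link.
NON_RISK_DRIVERS = {"legal", "contractual"}


def _key(control_id):
    """Sort '8.10' after '8.9' instead of lexically."""
    theme, num = control_id.split(".")
    return int(theme), int(num)


@dataclass
class SoaEntry:
    control: str
    included: bool
    justification: str
    driver: str = "risk"          # assumed vocabulary: risk | legal | contractual


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str                # modify | retain | avoid | share
    controls: list = field(default_factory=list)   # Annex A ids that treat it


def check_soa(soa, risks):
    """Return {finding_name: details}; an empty dict means the SoA is consistent."""
    seen = [e.control for e in soa]
    known = set(ANNEX_A_IDS)
    included = {e.control for e in soa if e.included}
    # Only a 'modify' treatment selects controls; retained/avoided/shared risks don't.
    referenced = {c for r in risks if r.treatment == "modify" for c in r.controls}

    findings = {
        # Every one of the 93 controls must be evaluated exactly once.
        "missing": sorted(known - set(seen), key=_key),
        "duplicates": sorted({c for c in seen if seen.count(c) > 1}, key=_key),
        "unknown": sorted(set(seen) - known),
        # Inclusion and exclusion both need a written reason.
        "empty_justification": sorted(
            (e.control for e in soa if not e.justification.strip()), key=_key),
        # Included to treat a risk: that risk must actually exist in the register.
        "untraced_to_risk": sorted(
            (e.control for e in soa
             if e.included and e.driver not in NON_RISK_DRIVERS
             and e.control not in referenced), key=_key),
        # Reverse direction: a treatment plan cannot rely on an excluded control.
        "risk_relies_on_non_included": {
            r.risk_id: sorted(c for c in r.controls if c not in included)
            for r in risks
            if r.treatment == "modify" and any(c not in included for c in r.controls)},
    }
    return {name: detail for name, detail in findings.items() if detail}


def build_sample():
    """Constructed sample: a remote-first SaaS company's draft SoA and register."""
    risks = [
        Risk("R-01", "Credential stuffing against customer logins", "modify", ["8.5", "8.15"]),
        Risk("R-02", "Unpatched internet-facing services", "modify", ["8.8", "8.29"]),
        Risk("R-03", "Customer data readable at rest or in transit", "modify", ["8.24"]),
        Risk("R-04", "Unattended or overlooked laptops in public places", "modify", ["7.7", "6.3"]),
        Risk("R-05", "Tailgating into shared office space", "modify", ["7.4"]),  # conflicts with the SoA
        Risk("R-06", "Loss of a single cloud region", "retain", []),
    ]
    referenced = {c for r in risks for c in r.controls}
    soa = []
    for cid in ANNEX_A_IDS:
        if cid == "5.37":
            continue                                        # defect: never evaluated
        if cid == "7.4":
            soa.append(SoaEntry(cid, False, "No company-controlled premises"))
        elif cid in referenced:
            soa.append(SoaEntry(cid, True, "Treats risk(s) in register"))
        elif cid in ("5.20", "5.31"):
            soa.append(SoaEntry(cid, True, "Customer DPAs and GDPR obligations",
                                "contractual" if cid == "5.20" else "legal"))
        elif cid == "8.16":
            soa.append(SoaEntry(cid, True, "Carried over from SOC 2 monitoring control"))  # defect: no risk behind it
        elif cid == "8.9":
            soa.append(SoaEntry(cid, True, "", "contractual"))  # defect: no justification
        else:
            soa.append(SoaEntry(cid, False, "No applicable risk identified; remote-first, no owned premises"))
    return soa, risks


if __name__ == "__main__":
    for name, detail in check_soa(*build_sample()).items():
        print(f"{name}: {detail}")
```

Run it as-is to see the four seeded findings; run it against an export of your own SoA and register once the two documents exist as structured data, and keep it in CI so the traceability holds between surveillance audits rather than being rebuilt the week before one.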
ISO 27001 and GDPR: related but different
If you're expanding into Europe, you're already thinking about GDPR. Here's the relationship between GDPR and ISO 27001: they're complementary, but ISO 27001 certification does not mean GDPR compliance, and GDPR compliance doesn't give you ISO 27001.
ISO 27001 covers information security management broadly. GDPR is specifically about the protection of personal data and the rights of data subjects. There is significant overlap: both require you to assess risks, implement appropriate security measures, manage incidents, and maintain documentation. ISO 27001's Annex A controls around access control, encryption, logging, and incident response directly support GDPR's "appropriate technical and organisational measures" requirement under Article 32.
However, GDPR has requirements that ISO 27001 doesn't address: lawful basis for processing, data subject rights (access, erasure, portability), Data Protection Impact Assessments (DPIAs), Data Protection Officer (DPO) requirements, and cross-border data transfer mechanisms. You can be ISO 27001 certified and still violate GDPR.
That said, having ISO 27001 certification significantly strengthens your GDPR posture. European Data Protection Authorities have referenced ISO 27001 as evidence of appropriate security measures. And from a practical standpoint, the documentation discipline that ISO 27001 requires makes GDPR compliance considerably easier.
NIS2 Directive: the next wave of demand. The EU's NIS2 Directive entered into force in January 2023, and member states had to transpose it into national law by October 2024. It significantly expands cybersecurity requirements and applies to a much broader set of organizations than its predecessor, including cloud and SaaS providers that serve essential or important entities. Article 21 requires covered entities to address supply chain security, including their relationships with direct suppliers and service providers, so European companies subject to NIS2 are increasingly requiring their vendors - including SaaS providers - to demonstrate ISO 27001 certification. If you're selling into healthcare, energy, transport, finance, or digital infrastructure in Europe, expect ISO 27001 to shift from "nice to have" to "mandatory" in your vendor assessments.
The certification timeline from zero
ISO 27001 certification happens in two audit stages, and the entire process from a standing start typically takes 6 to 12 months depending on your current security maturity. Here's what the timeline looks like month by month:
| Month | Activity | Key Deliverables |
|---|---|---|
| 1-2 | Gap analysis and scoping | Define ISMS scope, identify gaps against Annex A, select certification body |
| 2-4 | Risk assessment and treatment | Risk assessment methodology, risk register, risk treatment plan |
| 3-5 | Policy and documentation | Information security policy, Statement of Applicability, procedures, supporting documentation |
| 4-6 | Control implementation | Implement missing controls, configure tooling, deploy technical measures |
| 5-7 | Training and awareness | Security awareness training for all staff, role-specific training for key personnel |
| 6-8 | Internal audit and management review | Internal audit report, management review minutes, corrective actions |
| 7-8 | Penetration testing | Third-party pentest report, vulnerability remediation |
| 8-9 | Stage 1 audit (documentation review) | Auditor reviews your ISMS documentation, identifies any major gaps before Stage 2 |
| 10-12 | Stage 2 audit (implementation audit) | Auditor verifies controls are implemented and operating effectively, interviews staff, reviews evidence |
Stage 1 is a documentation review. The auditor examines your ISMS documentation, your risk assessment, your Statement of Applicability, and your policies to confirm that your management system is designed correctly and ready for a full audit. This is usually a 1-2 day on-site or remote engagement. If there are significant gaps, you'll get a list of findings to address before Stage 2.
Stage 2 is the implementation audit. This is where the auditor verifies that your controls are actually working, not just documented. They'll interview your team, review evidence, test controls, and assess whether your ISMS is operating as designed. This is typically 3-5 days depending on your organization's size and scope.
After certification, you'll have annual surveillance audits (a subset of the full audit) and a full recertification audit every three years. The surveillance audits are smaller and less expensive, but they're not optional: skip one and the certification body can suspend, and ultimately withdraw, your certificate.
Cost breakdown for a SaaS company
Let's talk real numbers. The costs below are typical for a SaaS company with 20-100 employees pursuing ISO 27001 certification for the first time.
| Cost Category | Range | Notes |
|---|---|---|
| Certification body (audit fees) | $15,000 - $40,000 | Stage 1 + Stage 2 audit. Varies by scope, company size, and auditor. Accredited bodies charge more. |
| Consultancy / advisory | $10,000 - $30,000 | Gap analysis, documentation support, audit readiness. Optional but strongly recommended for first-timers. |
| Compliance platform | $10,000 - $25,000/yr | Vanta, Drata, Secureframe, or similar. Manages evidence collection, policy management, and continuous monitoring. |
| Penetration testing | $5,000 - $15,000 | Third-party pentest covering your application and infrastructure. Not explicitly mandated by the standard, but the usual evidence for the vulnerability management and security testing controls (Annex A 8.8 and 8.29), and most certification bodies expect to see one. |
| Internal time | Significant | Expect 20-40% of one senior person's time for 6-9 months. Don't underestimate this. It's often the largest real cost. |
| Total first-year estimate | $40,000 - $110,000 | Excluding internal time opportunity cost. Ongoing annual costs: $20,000-$40,000 (surveillance audit + platform + pentest). |
These numbers are realistic, not aspirational. We see companies that try to do it for less by cutting corners on consultancy or choosing non-accredited certification bodies. That usually backfires: either the certification isn't recognized by the European customers you're trying to win, or the gaps in your documentation surface during the audit and cause delays that cost more than the consultancy would have.
The ROI calculation is straightforward. If your average European enterprise deal is $50,000+ ARR, a single deal pays for the entire certification. If you're consistently losing EU opportunities because you lack ISO 27001, the certification pays for itself before the audit is even complete.
If you already have SOC 2, here's what you already have
If you're coming from a SOC 2 Type II baseline, the good news is substantial: roughly 80% of the control work is already done. The security fundamentals that satisfy SOC 2 auditors are the same ones ISO 27001 auditors want to see.
What you already have that maps directly:
- Access control: MFA, RBAC, least privilege, access reviews - all directly applicable to Annex A technological and organizational controls
- Encryption: Data at rest and in transit - maps to Annex A cryptography controls
- Incident response: Your documented IR plan satisfies ISO 27001's incident management requirements
- Change management: Code review, CI/CD controls, deployment processes - maps to secure development controls
- Vendor management: Third-party risk assessments map to supplier relationship controls
- Monitoring and logging: Audit trails and alerting map to logging and monitoring controls
- Penetration testing: Your existing pentest reports are direct evidence for the vulnerability management and security testing controls (Annex A 8.8 and 8.29)
What you're missing (the gap):
- Formal ISMS documentation: ISO 27001 requires a documented management system with a defined scope, information security policy, and objectives. SOC 2 doesn't require this structure.
- Risk assessment methodology: This is the biggest gap. ISO 27001 requires a formal, documented risk assessment with a defined methodology, risk register, and risk treatment plan. SOC 2's risk approach is less prescriptive.
- Statement of Applicability: You need to evaluate all 93 Annex A controls and document which ones apply to your scope and why. This document doesn't exist in the SOC 2 world.
- Internal audit: ISO 27001 requires an internal audit of the ISMS before the certification audit. SOC 2 doesn't have this requirement.
- Management review: Formal management review meetings with documented minutes, where leadership reviews the performance of the ISMS.
- Some physical security controls: If your SOC 2 scope was purely cloud-based, you may not have addressed physical security controls for offices. ISO 27001 requires you to at least evaluate them.
Incremental effort from SOC 2 to ISO 27001: 3-6 months. That's the realistic timeline when you already have a mature SOC 2 program. The work is primarily documentation and process, not building new technical controls. If you're considering dual certification, this is why it's very achievable once you have one framework in place.
Choosing a certification body
This decision matters more than most companies realize. Your ISO 27001 certificate is only as credible as the body that issues it. A certificate from a non-accredited body is essentially worthless for enterprise procurement - European buyers will check accreditation.
Accreditation means the certification body has been independently verified by a national accreditation body. The major ones are:
- UKAS (United Kingdom Accreditation Service) - the gold standard in Europe, widely recognized globally
- ANAB (ANSI National Accreditation Board) - the U.S. equivalent, strong recognition in North America and increasingly in Europe
- JAS-ANZ (Joint Accreditation System of Australia and New Zealand) - recognized in APAC and globally
- DAkkS (Germany), COFRAC (France), ACCREDIA (Italy) - national bodies recognized under the European co-operation for Accreditation (EA) multilateral agreement
When evaluating certification bodies, consider:
- Accreditation status: Non-negotiable. Verify it in the accreditation body's own public directory of accredited certification bodies, not just on the certification body's website, and check that the accreditation covers ISO/IEC 27001 specifically rather than only other management system standards.
- Industry experience: A certification body with SaaS and technology experience will understand your environment. An auditor who mostly does manufacturing will ask irrelevant questions and miss relevant ones.
- Auditor availability: Popular certification bodies book months out. Start the selection process early.
- Price: Get three quotes. Prices vary significantly. But the cheapest option is often cheapest because they cut corners on auditor quality or accreditation.
- Geographic coverage: If you have offices or data centers in multiple countries, ensure the certification body can audit across those jurisdictions.
Our advice: choose a UKAS- or ANAB-accredited body. Both are recognized under the IAF multilateral arrangements, and a UKAS-accredited certificate is rarely questioned by any European buyer.
Do you actually need both SOC 2 and ISO 27001?
This is the strategic question. And the answer depends entirely on where your revenue comes from and where it's going.
Decision framework:
U.S.-only revenue: SOC 2 is sufficient. ISO 27001 adds credibility but rarely unblocks deals that SOC 2 doesn't.
EU-only revenue: ISO 27001 is sufficient. SOC 2 adds almost nothing in European markets.
Both markets (or planning to expand): You need both. Start with whichever your current pipeline demands most urgently, then add the second within 6-12 months. The incremental effort is manageable because 80% of the work overlaps.
Regulated industries anywhere: ISO 27001 is increasingly the baseline, even in the U.S. Healthcare, finance, and government contracts are moving toward ISO 27001 recognition. If your buyers are in regulated verticals, lean toward ISO 27001 or plan for both.
The mistake we see most often is SaaS companies waiting until they've already lost European deals before starting the ISO 27001 process. By the time you realize you need it, you're 6-12 months away from having it. The companies that get this right are the ones that start the certification process while their European pipeline is still building, so the certificate arrives right when the deals do.
If you already have SOC 2 and are evaluating ISO 27001, you're in a strong position. Most of the hard work is behind you. The remaining effort is documentation, process formalization, and a different audit cadence. It's not a second mountain to climb. It's the last mile of the same mountain.
Ready to start your ISO 27001 journey?
We help SaaS companies prepare for ISO 27001 certification with pentesting and reports formatted for certification body auditors.