It usually starts with an email. A customer's procurement team wants proof you take security seriously, and somewhere in the attachment is a question about ISO 27001 or SOC 2.
If you are reading this with that email open in another tab, take a breath. Thousands of small businesses land in this exact spot every year, most of them with one person handling risk alongside a full-time job, and the decision is more straightforward than the acronyms suggest.
For most SMEs, the sensible move is to go with the framework your customers are asking for. North American buyers usually want SOC 2. Buyers in Australia, the UK, and Europe usually want ISO 27001. And because the two overlap heavily, your first framework does most of the work for your second, so it is genuinely hard to pick badly.
Guardzy maps your controls once and applies them across ISO 27001, SOC 2, NIST, and GDPR, so you can start either framework this week without a consultant. Start free with Guardzy.
What is ISO 27001?
ISO/IEC 27001 is the international standard for information security management. In practice, it means building a documented, repeatable system for managing security risk, then having an accredited certification body audit that system.
Pass, and you receive a certificate valid for three years, with lighter surveillance audits in the years between. The certificate is a big part of the appeal. You can put it on your website, attach it to tenders, and show it to anyone who asks, no NDA required.
What is SOC 2?
SOC 2 comes from the American Institute of CPAs, and it works a little differently. A licensed CPA firm examines how your security controls perform against the Trust Services Criteria, then writes a detailed report on what they found.
There are two flavours: a Type I report covers a single point in time, while a Type II report follows your controls over three to twelve months to check they hold up in daily use. The Type II report is the one your customers almost certainly want.
The report stays private, read by customers under NDA. That detail suits the lengthy security questionnaires US enterprise buyers love to send, which is part of why SOC 2 became the North American default.
ISO 27001 vs SOC 2 at a glance
| Question | ISO 27001 | SOC 2 |
|---|---|---|
| What you receive | Certificate, valid for three years | CPA report, usually renewed yearly |
| Where it is recognised | Australia, the UK, Europe, and worldwide | Mostly North America |
| Audit rhythm | Full certification cycle every three years, with annual check-ins | Fresh observation period for each new report |
| Documentation style | Formal and structured up front | Flexible, but evidence-heavy |
The difference in paperwork
One row from that table deserves a closer look, because it typically shapes your day-to-day experience more than any other.
ISO 27001 asks for more documentation before your audit, including a risk register covering your assets and threats, a statement of applicability explaining which controls you use and why, and a named owner for every control.
SOC 2 seems more relaxed about documentation, and it is, right up until an auditor asks you to produce nine months of evidence on demand. Neither path lets you wing it.
How much do ISO 27001 and SOC 2 cost?
Cost is usually the question people are too polite to lead with, so let us put numbers on it.
For an SME, the audit itself typically runs somewhere between US$10,000 and US$30,000 for either framework, depending on your size and scope.
Preparation is where budgets go sideways. Bring in consultants to build your risk register, gather your evidence, and write your documentation, and the preparation bill can climb past the audit itself. Do that work in-house with a sensible structure, and it costs your team's time instead.
Most small teams need three to six months from a standing start to audit-ready. The biggest variable is how scattered your evidence is when you begin.
Which one should you do first?
You can settle this in an afternoon with three checks.
Check your pipeline
Write down your top ten current and prospective customers and note which framework each would expect. The majority wins, and this one check decides it for most businesses.
Check your contracts
If an existing customer agreement names a specific framework or a deadline, that trumps everything else, so search your contracts before you commit either way.
Check where your market is heading
Selling into Australian financial services or government? ISO 27001 lines up with what buyers tend to recognise. Chasing US enterprise deals? Those security questionnaires were written with SOC 2 in mind.
Getting the groundwork right
Both frameworks are built on the same four foundations: a live asset register, risks linked to the controls treating them, evidence collected as the work happens, and a named owner for everything.
Get that groundwork in place, and the framework on top becomes far less frightening.
That groundwork is exactly what Guardzy handles. Map your controls once and apply them across ISO 27001, SOC 2, NIST, and GDPR in one view, with your evidence linked and audit-ready all year round. The free plan takes an afternoon to set up, which is conveniently the same afternoon you just spent making this decision.
Start with the framework your buyers already want
Guardzy gives SMEs one connected place for risks, controls, evidence, owners, and audit-ready exports.
- Map controls once across ISO 27001, SOC 2, NIST, and GDPR.
- Keep assets, risks, controls, evidence, and owners connected from day one.
- Build the structure for your first framework without rebuilding it for the second.
About the author
Shen Perera is the Founder of Guardzy and writes practical risk, security, and compliance guides for SMEs that need audit-ready structure without an enterprise GRC rollout.
Frequently asked questions
Can you do ISO 27001 and SOC 2 at the same time?
You can, and plenty of SMEs do exactly that when customers on both sides of the Atlantic are asking. The two frameworks share many control themes, so running one combined project with a single control set saves a great deal of money and effort compared with two separate efforts.
Is ISO 27001 or SOC 2 cheaper?
There is not much between them on the audit itself, with both typically costing an SME somewhere between US$10,000 and US$30,000. Over a few years, ISO 27001 often works out gentler on the budget, since its full certification cycle runs for three years while SOC 2 generally needs a fresh observation period for every annual report.
Do Australian companies need SOC 2?
Australian companies only need SOC 2 if their customers ask for it, which usually means selling into North America. If your buyers are in Australia or the UK, ISO 27001 is the framework they will recognise, and it is the more natural starting point for most Australian SMEs.
Is ISO 27001 mandatory?
No law requires ISO 27001, so there is no penalty for going without it. In practice, though, procurement teams and tenders increasingly treat it as the price of entry, so for many SMEs it ends up feeling mandatory even though it is voluntary.