
SOC 2 or ISO 27001 or Both?

11 August 2025 · 7 min read

Short answer

  • If most of your customers are US-based SaaS buyers who ask for detailed assurance under NDA: choose SOC 2 (ideally Type II). SOC 2 is an attestation report issued by the auditor, based on the AICPA Trust Services Criteria. Type II includes operating-effectiveness testing over a period; Type I is design-only at a point in time.
  • If you sell globally, face enterprise procurement/RFPs, or want a public, internationally recognized certificate: choose ISO/IEC 27001. It's a formal certification of your ISMS by an accredited certification body and is widely accepted across regions and industries.
  • Want both? Build an ISO 27001 ISMS first (governance, risk, scope), map your controls to SOC 2 Trust Services Criteria, do SOC 2 Type I quickly, then a Type II once controls have run for a period.
  • In Australia, if you're heading toward Australian Government workloads, plan to step into IRAP assessments later by aligning with the ASD ISM and Essential Eight early. IRAP is not a certification; it's an independent assessment against the ISM used to inform an agency's risk-based authority-to-operate decision.

How buyers actually use each framework

  • US SaaS mid-market and enterprise customers
    They ask for: detailed controls and test results, usually under NDA.
    You give them: a SOC 2 report (Type I or Type II).
    Who performs it: an independent, licensed CPA firm working under AICPA attestation standards.
    Shareable publicly? No. SOC 2 is a restricted-use report; the public option is SOC 3.
  • Global RFPs, regulated industries, partners outside the US
    They ask for: proof you run an information security management system.
    You give them: an ISO/IEC 27001 certificate and Statement of Applicability.
    Who performs it: an accredited certification body.
    Shareable publicly? Yes. Certificates are public and often listed by the certification body or accreditation body.
  • Australian Government or Gov-adjacent workloads
    They ask for: an independent assessment against the ASD ISM; evidence for security authorisation.
    You give them: an IRAP assessment report and controls matrix.
    Who performs it: an ASD-endorsed IRAP Assessor.
    Shareable publicly? Not as a certificate. IRAP is an assessment, not a certification; never describe yourself as "IRAP certified".

What each deliverable actually is

  • SOC 2: An attestation engagement in which an auditor examines your description of the system and controls against the Trust Services Criteria (Security is always in scope; Availability, Confidentiality, Processing Integrity, and Privacy are optional).
  • Type I: Controls suitably designed at a point in time.
  • Type II: Controls suitably designed and operating effectively over a defined period; includes tests performed and results.
  • SOC 3: A general-use summary report that can be publicly shared, based on SOC 2, but without detailed descriptions or test results.
  • ISO/IEC 27001: A certification of your ISMS. Certification bodies accredited by IAF member accreditation bodies (e.g., JAS-ANZ, ANAB) perform the audit and issue a certificate. Most accredited programs run a 3-year certification cycle with annual surveillance audits. The transition window from the 2013 edition to ISO/IEC 27001:2022 closes on 31 October 2025.
  • IRAP: An independent ISM-based assessment; output is an assessment report, not a certificate. Marketing claims like "IRAP certified/accredited" are explicitly prohibited by ASD policy.

Decision rules: pick one, or plan for both

Choose SOC 2 first when

  • 70%+ of pipeline is US SaaS buyers who request SOC 2.
  • Your control environment is reasonably mature but you need evidence of operation for customers.
  • You're comfortable running internal evidence collection for at least 3-6 months before a Type II period end.

Choose ISO 27001 first when

  • You sell globally and hit RFPs that score on international certifications.
  • You want a publicly attested badge that procurement can verify.
  • You need an ISMS discipline (risk management, scope, governance) to scale.

Want both? Do this, in order

  • Build the ISO 27001 ISMS: define scope, context, risk methodology, SoA, management review cadence.
  • Control crosswalk: map your ISO policies and controls to the SOC 2 Trust Services Criteria (Security common criteria CC1-CC5, plus supplemental criteria such as logical/physical access CC6, system operations CC7, change management CC8, risk mitigation CC9; add Availability/Confidentiality/PI/Privacy if your customers need them).
  • SOC 2 Type I: once the system description and control design are stable.
  • SOC 2 Type II: after a defined operating period with evidence.
  • Keep the future in mind: if Government workloads are in view, align with ISM and Essential Eight while you build; it reduces later rework on IRAP.

Evidence and control alignment: examples that reuse well

  • Identity and access management
    ISO 27001 (examples): Annex A access control (e.g., A.5.15) and joiner-mover-leaver procedures.
    SOC 2 TSC alignment: CC6 series, logical/physical access (provisioning, review, removal; boundary protections; DLP; malware).
  • Change management
    ISO 27001 (examples): change approvals, segregation, deployment pipelines, configuration baselines.
    SOC 2 TSC alignment: CC8 series, change management.
  • Logging, monitoring, incident response
    ISO 27001 (examples): monitoring, alerting, incident runbooks, post-incident review, metrics to management.
    SOC 2 TSC alignment: CC7 system operations and CC4 monitoring of controls.
  • Risk and vendor management
    ISO 27001 (examples): context, risk assessment, treatment, SoA; supplier due diligence and contracts.
    SOC 2 TSC alignment: CC3 risk assessment and CC9 risk mitigation.
  • Availability and continuity
    ISO 27001 (examples): BCP/DR plans, tests, RTO/RPO, capacity planning.
    SOC 2 TSC alignment: A1 Availability criteria (if included).

The CC6-CC9 criteria and their points of focus are documented in the AICPA Trust Services Criteria. For example, CC6.1-CC6.8 cover logical/physical access, credentialing, boundary protection, DLP and anti-malware.

If you operate primarily in cloud, consider using an intermediate controls catalog with published mappings, such as the CSA Cloud Controls Matrix (CCM) or OpenCRE, to accelerate crosswalks and reduce duplicate evidence.
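Whatever catalog you map through, the crosswalk is only useful once you can ask it two questions: which required SOC 2 criteria still have no control behind them, and which controls produce one artefact that both auditors will accept. The script below is an added example, not code from the original article or from any of the frameworks it names: it holds a small, constructed control set, each control tagged with the evidence shown to the auditor, the ISO 27001 references it supports and the TSC criteria it supports, and reports coverage gaps and evidence reuse. The Annex A and clause numbers are illustrative 27001:2022 references and the per-series criterion counts are from the 2017 TSC as the author recalls them; confirm both against your own Statement of Applicability and the AICPA document before treating the output as a checklist.

```python
"""Crosswalk coverage check for a combined ISO 27001 / SOC 2 control set.

Added example, not code from the original article. The control list and its
framework mappings are constructed for illustration; verify every reference
against your own SoA and the current AICPA Trust Services Criteria.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    evidence: str                   # artefact the auditor is shown
    iso: frozenset = frozenset()    # ISO 27001 clause / Annex A references (illustrative)
    tsc: frozenset = frozenset()    # SOC 2 TSC criteria, e.g. "CC6.2"


# Criteria per common-criteria series in the 2017 TSC (author's recollection;
# confirm against the AICPA document before relying on it as a checklist).
TSC_SERIES = {"CC1": 5, "CC2": 3, "CC3": 4, "CC4": 2, "CC5": 3,
              "CC6": 8, "CC7": 5, "CC8": 1, "CC9": 2}
AVAILABILITY = {"A1.1", "A1.2", "A1.3"}


def required_criteria(include_availability=False):
    """Security (CC1-CC9) is always in scope; Availability is optional."""
    req = {f"{series}.{n}" for series, count in TSC_SERIES.items()
           for n in range(1, count + 1)}
    if include_availability:
        req |= AVAILABILITY
    return req


def _criterion_key(criterion):
    series, number = criterion.split(".")
    return (series, int(number))


def crosswalk(controls, required):
    """Coverage of `required` TSC criteria by `controls`, plus evidence reuse."""
    by_criterion = {}
    for c in controls:
        for criterion in c.tsc:
            by_criterion.setdefault(criterion, []).append(c.id)
    mapped = set(by_criterion)
    return {
        "required": len(required),
        "covered": len(required & mapped),
        "uncovered": sorted(required - mapped, key=_criterion_key),
        # Mapped to a criterion outside the chosen categories (e.g. A1 while
        # Availability is not in scope): keep the evidence, do not cite it yet.
        "out_of_scope": sorted(mapped - required, key=_criterion_key),
        # One artefact, two citations: the reason the crosswalk exists.
        "dual_use": [c.id for c in controls if c.iso and c.tsc],
        "iso_only": [c.id for c in controls if c.iso and not c.tsc],
        "tsc_only": [c.id for c in controls if c.tsc and not c.iso],
    }


# Constructed control set (hypothetical IDs; illustrative framework references).
CONTROLS = [
    Control("IAM-01", "Access provisioning needs a ticket and owner approval",
            "JML tickets with approvals", frozenset({"A.5.15", "A.5.18"}),
            frozenset({"CC6.1", "CC6.2"})),
    Control("IAM-02", "Quarterly user access review",
            "Review exports with sign-off", frozenset({"A.5.18"}),
            frozenset({"CC6.2", "CC6.3"})),
    Control("CHG-01", "Peer-reviewed, pipeline-gated deployments",
            "PR approvals, pipeline run logs", frozenset({"A.8.32"}),
            frozenset({"CC8.1"})),
    Control("OPS-01", "Central logging with alert rules",
            "Retention config, alert rule set", frozenset({"A.8.15", "A.8.16"}),
            frozenset({"CC7.2"})),
    Control("IR-01", "Incident runbook and post-incident review",
            "Runbook, PIR reports", frozenset({"A.5.24", "A.5.26"}),
            frozenset({"CC7.3", "CC7.4", "CC7.5"})),
    Control("RSK-01", "Annual risk assessment and treatment plan",
            "Risk register, SoA", frozenset({"6.1.2", "6.1.3"}),
            frozenset({"CC3.1", "CC3.2", "CC9.1"})),
    Control("VND-01", "Vendor due diligence before onboarding",
            "Vendor risk questionnaires", frozenset({"A.5.19"}),
            frozenset({"CC9.2"})),
    Control("BCP-01", "Annual DR test against RTO/RPO",
            "DR test report", frozenset({"A.5.30"}), frozenset({"A1.3"})),
]


def report(controls, include_availability=False):
    r = crosswalk(controls, required_criteria(include_availability))
    return "\n".join([
        f"TSC coverage: {r['covered']}/{r['required']} criteria",
        f"Uncovered: {', '.join(r['uncovered']) or 'none'}",
        f"Mapped but out of scope: {', '.join(r['out_of_scope']) or 'none'}",
        f"Evidence reused across both frameworks: {len(r['dual_use'])}/{len(controls)} controls",
    ])


if __name__ == "__main__":
    print(report(CONTROLS))
    print(report(CONTROLS, include_availability=True))
```

Run it once with Security only and once with Availability added: the second run turns the DR-test control from "mapped but out of scope" into coverage of A1.3 and surfaces A1.1 and A1.2 as new gaps, which is exactly the question to settle before you promise a customer the Availability category. The uncovered list for CC1, CC2 and CC5 is normal for a technical control set; those criteria are mostly governance evidence (board oversight, communication, policies) that your ISMS documents should already provide.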

Timelines and effort (typical)

These are ballpark only; scope, complexity and evidence quality drive the real answer.

  • ISO 27001 initial certification: establish ISMS, implement priority controls, run internal audit and management review, then Stage 1/Stage 2 external audits. Many SMB-to-mid SaaS teams plan 3-6 months to be audit-ready, then certification and annual surveillance for a 3-year cycle.

  • SOC 2 Type I: often 6-10 weeks from description drafting to report, assuming controls are in place.

  • SOC 2 Type II: add your chosen observation period (commonly 3-12 months) before the auditor tests operating effectiveness and issues the report.

Australia-specific: planning for IRAP and ISM

  • What IRAP is: an ASD-run program that gives you access to ASD-endorsed assessors who perform independent security assessments against the ASD Information Security Manual (ISM) and provide a report your government customer can use in its risk decision. It is not a certificate and you must avoid "IRAP certified/accredited" claims.

  • Using ISO/SOC evidence for IRAP: ACSC permits assessors to consider evidence from existing certifications and assessments where applicable and valid, but nothing substitutes for ISM-based assessment by an IRAP Assessor.

  • Practical prep: Align your baseline with the Essential Eight maturity model early (application control, patching, MFA, backups, etc.). Maintain a solid System Security Plan, risk register, IR procedures and BCP/DR test evidence so an IRAP Assessor can evaluate against ISM controls efficiently.

Common pitfalls and how to avoid them

  • Treating SOC 2 as a "certification." It isn't. It's a CPA attestation report and typically restricted-use. Publish a SOC 3 if you need a public artifact.

  • Buying tools before defining scope and risk. ISO 27001 expects a risk-based ISMS. Define scope and risk treatment first; choose tooling second.

  • Skipping management review and internal audit. ISO certification requires both; they're not optional ceremonies.

  • Marketing "IRAP certified." Don't. ASD will ask you to remove that language. Use "IRAP assessed to the ISM [scope, date]" instead.

  • Forgetting the ISO 27001:2022 transition deadline. Organisations certified to the 2013 edition must transition by 31 October 2025. Plan it into your surveillance/recertification cycle.

A sensible combined roadmap (typical 6-12 months)

  • Month 0-1: Define ISO scope and context, risk method, asset inventory, SoA; identify control owners.

  • Month 1-3: Implement priority controls; establish metrics; run awareness training; operationalize ticketing for access reviews, changes and incidents.

  • Month 3: Internal audit and management review; close findings.

  • Month 3-4: ISO Stage 1 then Stage 2 audits.

  • Month 4-5: Draft SOC 2 system description; align evidence to CC1-CC9 and any extra categories.

  • Month 5-8+: Run SOC 2 Type II observation period; keep evidence flowing.

  • Month 8-10: CPA testing and SOC 2 Type II report issuance; optionally prepare a SOC 3 for public use.
