Our compliance consulting service helps organisations achieve ISO 27001, SOC 2, and GDPR compliance without the chaos. Security compliance is often presented as a bureaucratic burden — piles of documentation, auditor visits, and checkbox exercises that consume resources without improving security. Done well, it’s something different: a systematic framework for identifying, treating, and evidencing your security risks. Done badly, it creates exactly the compliance theatre that critics rightly mock.
This guide cuts through the complexity of the three frameworks most commonly requested by enterprise customers: ISO 27001, SOC 2, and GDPR. You’ll understand what each actually requires, how they overlap, and how to build a compliant programme that also genuinely improves your security posture.
ISO 27001
What It Is
ISO 27001 is an international standard for Information Security Management Systems (ISMS). Published by ISO (International Organization for Standardization), it provides a systematic approach to managing sensitive information security risks.
ISO 27001 certification is awarded by accredited certification bodies after a formal audit. It’s globally recognised and is increasingly required for enterprise sales in financial services, government, healthcare, and any regulated industry.
What It Actually Requires
ISO 27001:2022 has two core components:
1. The ISMS clauses (Clauses 4–10)
These define the management system structure — how you govern information security:
- Clause 4: Understanding the organisation — internal and external context, stakeholders
- Clause 5: Leadership — management commitment, information security policy, roles
- Clause 6: Planning — risk assessment and treatment, information security objectives
- Clause 7: Support — resources, competence, awareness, communication, documented information
- Clause 8: Operation — implementing controls, supplier management
- Clause 9: Performance evaluation — monitoring, measurement, internal audits, management reviews
- Clause 10: Improvement — nonconformities, corrective action, continual improvement
2. Annex A Controls
ISO 27001:2022 Annex A contains 93 controls across 4 themes:
| Theme | Number of Controls |
|---|---|
| Organisational controls | 37 |
| People controls | 8 |
| Physical controls | 14 |
| Technological controls | 34 |
You don’t have to implement all 93 controls. You must assess which controls apply to your organisation and record that assessment in a Statement of Applicability (SoA), justifying every control you exclude.
The Certification Process
- Gap assessment — where are you today vs. ISO 27001 requirements?
- ISMS design and implementation — policies, procedures, risk assessment, controls
- Internal audit — assess your own compliance
- Stage 1 audit — documentation review by certification body
- Stage 2 audit — evidence review and interviews to confirm implementation
- Certification — valid for 3 years with annual surveillance audits
Timeline: Typically 6–18 months from start to certification, depending on your current security maturity.
Cost drivers: Gap assessment, consulting support (if used), certification body fees ($8,000–$30,000+ depending on organisation size), staff time for implementation.
What Auditors Actually Look For
Common reasons organisations fail ISO 27001 audits:
- Policies without evidence — you have an Acceptable Use Policy but no evidence it was distributed and signed
- Risk register not maintained — risk assessment done once at the start, never updated
- No management review — required annually, with minutes and action items
- Supplier contracts without security clauses — Annex A control A.5.19 requires security requirements in supplier agreements
- Training records absent — awareness training must be documented and tracked
- Internal audit not independent — auditors cannot audit their own area of responsibility
SOC 2
What It Is
SOC 2 is a US-based audit standard developed by the AICPA (American Institute of Certified Public Accountants). It evaluates service organisations against the Trust Services Criteria (TSC) — primarily used by SaaS companies to demonstrate security practices to enterprise customers.
Unlike ISO 27001, SOC 2 is not a prescriptive standard — it doesn’t tell you what controls to implement. It evaluates whether your chosen controls effectively address the trust service criteria.
Two report types:
- SOC 2 Type I: Point-in-time assessment — do the controls exist? (snapshot)
- SOC 2 Type II: Assessment over a period (typically 6–12 months) — are the controls operating effectively? (this is what enterprise customers want)
Trust Service Criteria
| Criteria | What It Covers | Status |
|---|---|---|
| Security (CC) | Protection against unauthorised access | Mandatory |
| Availability (A) | System availability meets commitments | Optional |
| Confidentiality (C) | Protection of confidential information | Optional |
| Processing Integrity (PI) | Complete, valid, accurate processing | Optional |
| Privacy (P) | Collection and handling of personal information | Optional |
Almost all SaaS companies include Security + Availability + Confidentiality at minimum. Privacy is relevant if you handle personal data and need GDPR alignment.
Common Control Areas
SOC 2 auditors evaluate controls across:
- CC1 — Control Environment: Board governance, values, integrity, competence
- CC2 — Communication: Internal and external communication of security responsibilities
- CC3 — Risk Assessment: Risk identification, analysis, response
- CC4 — Monitoring Activities: Assessment of internal control effectiveness
- CC5 — Control Activities: Policies, procedures, and controls (the main technical controls)
- CC6 — Logical and Physical Access: Authentication, access control, encryption
- CC7 — System Operations: Monitoring, incident management
- CC8 — Change Management: SDLC, change control
- CC9 — Risk Mitigation: Vendor management, business continuity
What Enterprise Customers Ask For
When prospects send security questionnaires, they want to see:
- SOC 2 Type II report (the full audit report, usually under NDA)
- “Bridge letter” if the report is older than 12 months (auditor letter confirming no material changes)
- Specific controls coverage for their vertical (financial: PCI; healthcare: HIPAA alignment; etc.)
Common SOC 2 Failures
- No evidence collection process — controls exist but can’t be evidenced
- Control gaps during audit period — a required control wasn’t operating for part of the period
- Vendor risk management missing — all key vendors (cloud providers, sub-processors) should be assessed
- Access reviews not performed — quarterly user access reviews are a core expectation
- Incident response not tested — tabletop exercise evidence expected
GDPR
What It Is
The General Data Protection Regulation is EU law governing how personal data is collected, processed, stored, and transferred. It applies to:
- Any organisation established in the EU/EEA
- Any organisation outside the EU that processes personal data of EU/EEA residents
This means if you have EU customers or users, GDPR applies to you regardless of where you’re incorporated.
Regulators: Data protection authorities (DPAs) in each EU member state. In Ireland: Data Protection Commission (DPC). In Germany: BfDI (federal) plus the state DPAs. Maximum fines: 4% of global annual turnover or €20 million, whichever is higher.
Core Principles (Article 5)
GDPR is principles-based. Six core principles govern all processing:
- Lawfulness, fairness, transparency — processing must have a legal basis; individuals must be informed
- Purpose limitation — data collected for a specific purpose cannot be repurposed
- Data minimisation — collect only what is necessary
- Accuracy — keep data accurate and up to date
- Storage limitation — don’t keep data longer than necessary
- Integrity and confidentiality — protect data from unauthorised access and accidental loss
Legal Bases for Processing (Article 6)
Every processing activity must have a legal basis:
| Basis | When It Applies |
|---|---|
| Consent | Individual has given clear, specific, informed, revocable consent |
| Contract | Processing necessary to perform a contract with the individual |
| Legal obligation | Processing required to comply with a legal requirement |
| Vital interests | Processing necessary to protect life |
| Public task | Processing for official authority functions |
| Legitimate interests | Balancing test — your interests vs. individual’s rights |
Most SaaS/B2B companies rely primarily on Contract and Legitimate Interests. Avoid relying on Consent where possible — it’s the most fragile basis (can be withdrawn at any time).
What You Need to Implement
Documentation:
- Record of Processing Activities (RoPA) — mandatory for organisations with 250+ employees, recommended for all
- Data Protection Impact Assessment (DPIA) — required for high-risk processing (biometrics, large-scale health data, systematic monitoring)
- Privacy Policy — must cover all Article 13/14 information
Technical controls:
- Encryption at rest and in transit
- Pseudonymisation where appropriate
- Access controls (need-to-know)
- Data retention enforcement
- Secure deletion procedures
Organisational controls:
- Data breach notification process (72-hour notification to DPA required)
- Data subject rights process (DSAR handling — respond within 1 month)
- Data Processing Agreements (DPAs) with all processors
- If processing at scale: Data Protection Officer (DPO) appointment
International transfers:
- Transfers of EU personal data outside the EEA require appropriate safeguards
- Standard Contractual Clauses (SCCs) — the most common mechanism for US and other transfers
- Adequacy decisions — UK, Switzerland, Japan, and others are considered adequate
Common GDPR Compliance Gaps
- No DPA with cloud providers — you must have a DPA with AWS/Azure/Google Cloud and any other processors
- No retention schedule — data kept indefinitely by default
- Consent not granular — one checkbox for all processing, not specific purposes
- DSAR process not defined — what happens when someone asks for their data?
- Breach notification not practised — do you know who to notify and when?
How the Three Frameworks Overlap
Good news: there is significant overlap. Controls that satisfy ISO 27001 often also satisfy SOC 2 and GDPR:
| Control Area | ISO 27001 | SOC 2 | GDPR |
|---|---|---|---|
| Access controls and MFA | A.8.2, A.8.5 | CC6.1–6.8 | Article 32 |
| Encryption | A.8.24 | CC6.7 | Article 32 |
| Incident response | A.5.26, A.5.27 | CC7.3–7.5 | Articles 33–34 |
| Vulnerability management | A.8.8 | CC7.1 | Article 32 |
| Risk assessment | Clause 6 | CC3.1–3.4 | Article 35 (DPIA) |
| Supplier management | A.5.19–5.23 | CC9.2 | Article 28 |
| Security awareness | A.6.3 | CC1.4 | Article 39 |
| Audit logging | A.8.15 | CC7.2 | Article 5(1)(f) |
| Data retention | A.5.10, A.8.10 | C1.4 | Article 5(1)(e) |
If you implement ISO 27001 with GDPR-specific controls added, you’ll cover approximately 70–80% of SOC 2 requirements as well.
How to Sequence Compliance
Scenario A: SaaS Company, Primarily US Enterprise Customers
Sequence: SOC 2 Type I → SOC 2 Type II → ISO 27001 (if EU expansion)
Start with SOC 2 — it’s what US enterprise procurement teams ask for, and the time to first report is shorter than ISO 27001 certification. SOC 2 Type I in 3–4 months, Type II 6–12 months after that.
Scenario B: EU/Global Company, Regulated Industry
Sequence: ISO 27001 → SOC 2 (if US market) — GDPR throughout
ISO 27001 is the baseline for regulated industries globally. Start here. Once certified, the incremental effort for SOC 2 is manageable.
Scenario C: Both US and EU Customers, Processing Personal Data
Sequence: GDPR (immediate — legal requirement) → SOC 2 or ISO 27001 in parallel
GDPR is legal compliance, not a choice. Handle it first. Then build your formal security certification programme alongside.
Implementation Mistakes to Avoid
Buying Templates and Calling It Done
The biggest mistake: downloading ISO 27001 policy templates, slapping your logo on them, and calling it done. Auditors interview your staff and review evidence — they immediately identify policies that don’t match how you actually operate. Write policies that describe what you actually do.
Treating It as a Project, Not a Programme
Compliance is continuous. You achieve certification, then you maintain it with ongoing evidence collection, risk reviews, management reviews, and internal audits. Organisations that treat it as a one-time project fail their surveillance audits.
Starting With Controls Instead of Risk
ISO 27001 and GDPR both start with risk assessment. Don’t select controls first and write a risk register to justify them. Assess your risks genuinely — identify what matters to your business, what threats are realistic, and which controls address those risks. This produces a better security outcome and better withstands audit scrutiny.
Doing It Alone Without Domain Expertise
First-time implementations without experienced guidance typically take twice as long and cost more to remediate than implementations with an experienced consultant or vCISO supporting the programme. The cost of external expertise is typically 20–30% of the total project cost but reduces implementation time by 40–50%.
Estimated Costs
| Framework | Small Org (< 50 people) | Mid (50–250) | Large (250+) |
|---|---|---|---|
| ISO 27001 certification | $20,000–$50,000 | $50,000–$100,000 | $100,000+ |
| SOC 2 Type II | $30,000–$60,000 | $60,000–$150,000 | $150,000+ |
| GDPR implementation | $15,000–$40,000 | $40,000–$100,000 | $100,000+ |
| Ongoing (annual maintenance) | 30–50% of initial cost | 20–40% | 15–30% |
Costs include external consulting, certification body/auditor fees, tooling (GRC platforms like Vanta, Drata, Sprinto reduce ongoing effort significantly), and internal staff time.
CyberneticsPlus supports organisations through ISO 27001 certification, SOC 2 Type I/II readiness, and GDPR compliance implementation. We’ve guided teams from initial gap assessment to audit-ready in time for enterprise deals. Contact us to start your compliance journey.