Executive Summary
Compliance with security frameworks is no longer optional for organisations handling sensitive data or serving regulated industries. ISO 27001, SOC 2, and GDPR are the three most commonly required frameworks for technology companies — and the three most frequently misunderstood.
This guide demystifies each framework, explains where they overlap, and provides a practical implementation roadmap. The goal is not just to achieve certification on paper — it is to build a security programme that genuinely reduces risk and provides assurance to customers, partners, and regulators.
Chapter 1: Understanding the Frameworks
ISO 27001:2022
What it is: An international standard for Information Security Management Systems (ISMS). Published by ISO (International Organization for Standardization). Certification is granted by accredited certification bodies.
What it proves: Your organisation has implemented a systematic approach to managing information security risks, including documented policies, risk management, and 93 security controls across 4 themes.
Who requires it:
- Government and public sector contracts (UK, India, EU)
- Enterprise customer due diligence requirements
- Regulated industries (financial services, healthcare, defence supply chain)
Certification process:
- Gap assessment against ISO 27001 requirements
- ISMS implementation (policies, risk register, controls)
- Stage 1 audit: documentation review by certification body
- Stage 2 audit: on-site assessment of implementation
- Certificate issued (valid 3 years, with annual surveillance audits)
ISO 27001:2022 changes from 2013: The 2022 update reorganised Annex A from 114 controls across 14 domains to 93 controls across 4 themes:
- Theme A.5: Organisational controls (37 controls)
- Theme A.6: People controls (8 controls)
- Theme A.7: Physical controls (14 controls)
- Theme A.8: Technological controls (34 controls)
New controls in 2022: threat intelligence, cloud security, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, secure coding.
SOC 2
What it is: An auditing standard developed by the AICPA (American Institute of CPAs). Applicable to service organisations storing or processing customer data. Performed by licensed CPA firms.
What it proves: Your controls addressing the relevant Trust Services Criteria are designed (Type I) and operating effectively over a period (Type II, typically 6–12 months).
Type I vs Type II:
- SOC 2 Type I: Point-in-time assessment — controls are designed appropriately as of a specific date. Achievable in 3–6 months.
- SOC 2 Type II: Operating effectiveness over a period (minimum 6 months, typically 12). Required by most enterprise customers. Takes 9–18 months to achieve.
Trust Services Criteria:
| Criteria | Always Required | Optional |
|---|---|---|
| Security (CC) | ✅ | — |
| Availability (A) | — | ✅ |
| Processing Integrity (PI) | — | ✅ |
| Confidentiality (C) | — | ✅ |
| Privacy (P) | — | ✅ |
Most organisations start with Security + Confidentiality. SaaS companies in regulated industries typically add Availability.
Who requires it:
- US enterprise customers (standard procurement requirement)
- Organisations processing US customer data
- Cloud service providers
GDPR
What it is: The General Data Protection Regulation — EU law governing the collection, processing, storage, and transfer of personal data of EU residents. Applies regardless of where the processing organisation is based.
What it requires:
- Lawful basis for processing personal data
- Privacy notices and consent management
- Data subject rights (access, erasure, portability, correction)
- Data Protection Officer (DPO) for certain organisations
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Data breach notification (72 hours to supervisory authority)
- Adequate safeguards for international data transfers
Enforcement:
- Maximum fine: €20 million or 4% of global annual turnover, whichever is higher
- Enforcement is active: Meta fined €1.2B (2023), Amazon €746M (2021), WhatsApp €225M (2021)
UK GDPR: Post-Brexit, the UK maintains substantially equivalent law (UK GDPR + Data Protection Act 2018). The ICO is the UK supervisory authority.
India DPDPA: The Digital Personal Data Protection Act 2023 is India’s equivalent data protection law, currently in implementation phase. Applies to digital personal data of Indian residents.
Chapter 2: Framework Comparison
Coverage Overlap
The three frameworks cover significant common ground:
| Control Area | ISO 27001 | SOC 2 | GDPR |
|---|---|---|---|
| Access control | A.8.2, A.8.3 | CC6 | Art. 32 |
| Encryption | A.8.24 | CC6.7 | Art. 32 |
| Incident response | A.5.26 | CC7 | Art. 33, 34 |
| Audit logging | A.8.15 | CC7.2 | Art. 32 |
| Vendor management | A.5.19-A.5.22 | CC9 | Art. 28 |
| Risk assessment | Clauses 6.1, 8.2 | CC3 | Art. 35 (DPIA) |
| Training and awareness | A.6.3 | CC1.4 | Art. 39 |
| Business continuity | A.5.29-A.5.30 | A1 | Art. 32 |
Practical implication: If you implement ISO 27001 properly, you have completed 60–70% of the work for SOC 2 Security criteria and 40–50% of GDPR technical requirements.
Key Differences
| Aspect | ISO 27001 | SOC 2 | GDPR |
|---|---|---|---|
| Type | Certification | Attestation report | Legal compliance obligation |
| Issued by | Certification body (accredited) | CPA firm | N/A (regulatory compliance) |
| Renewal | 3-year cycle, annual surveillance | Annual report period | Ongoing |
| Scope | Organisation’s entire ISMS | Service organisation’s controls | All personal data processing |
| Prescriptive? | What to achieve, not how | Criteria-based | Principles-based with specific obligations |
| Consequence of non-compliance | Lose certification | Lose customer contracts | Fines up to 4% global turnover |
Chapter 3: ISO 27001 Implementation
ISMS Scope Definition
The most important decision in ISO 27001 implementation is scope. Too broad creates an unmanageable programme; too narrow provides insufficient assurance and may not satisfy customer requirements.
Common scoping approaches:
- Full organisation: All departments, all systems, all locations
- Product/service scope: “The development, delivery, and support of [Product X] for [Customer segment]”
- Data scope: “Systems processing [Customer / Financial / Health] data”
Document the scope in the ISMS scope statement. The certification body will test that the scope matches what was described.
Mandatory ISO 27001 Requirements (Clauses 4–10)
These are non-negotiable — any nonconformity in these clauses fails certification:
| Clause | Requirement |
|---|---|
| 4 | Context: understand the organisation, stakeholders, and ISMS scope |
| 5 | Leadership: management commitment, ISMS policy, roles |
| 6 | Planning: risk assessment methodology, risk treatment plan, Statement of Applicability |
| 7 | Support: resources, awareness, competence, communication, documented information |
| 8 | Operation: risk assessment, risk treatment implementation |
| 9 | Performance evaluation: monitoring, internal audits, management review |
| 10 | Improvement: nonconformities, corrective actions, continual improvement |
Statement of Applicability (SoA)
The SoA is the central document of your ISO 27001 programme. It lists all 93 Annex A controls and for each:
- Whether it is applicable or excluded (with justification for exclusions)
- Implementation status
- Reference to the implementing policy/procedure
The SoA is provided to auditors as proof of considered, documented control selection.
Risk Assessment
ISO 27001 requires a formal information security risk assessment:
- Asset inventory: Identify all information assets (systems, data, people, processes, facilities)
- Threat identification: What could go wrong? (Malware, insider threat, physical breach, misconfiguration)
- Vulnerability identification: What weaknesses exist that threats could exploit?
- Impact assessment: What would be the business impact if the threat materialised?
- Likelihood assessment: How likely is the threat to materialise given existing controls?
- Risk scoring: Combine likelihood × impact to prioritise
- Risk treatment: For each high-risk item: treat (implement controls), tolerate (accept), terminate (stop the activity), or transfer (insurance)
Priority Controls for Quick Wins
If starting from scratch, prioritise these Annex A controls first:
- A.8.8 — Management of technical vulnerabilities: Patch management programme
- A.8.2/A.8.3 — Privileged access management: Restrict and monitor privileged accounts
- A.8.5 — Secure authentication: MFA for all remote access and privileged accounts
- A.5.26 — Response to information security incidents: Documented incident response procedure
- A.8.13 — Information backup: Tested backup and recovery process
- A.6.3 — Information security awareness: Security awareness training for all staff
Chapter 4: SOC 2 Implementation
Common Criteria — Security (CC)
The Security Trust Services Criterion covers 9 control categories (CC1–CC9). The most implementation-intensive:
CC6 — Logical and Physical Access:
- User provisioning and deprovisioning processes
- MFA for remote access and privileged accounts
- Quarterly access reviews
- Role-based access control
- Encryption of data at rest and in transit
CC7 — System Operations:
- Vulnerability scanning programme
- Security monitoring and alerting
- Incident response procedure
- Change management process
CC8 — Change Management:
- Code review process
- Testing environments (separate from production)
- Change approval process
- Security testing before production deployment
CC9 — Risk Mitigation:
- Vendor risk assessment programme
- Business continuity and disaster recovery
Evidence Collection
SOC 2 Type II requires evidence that controls operated effectively during the audit period. Plan your evidence collection from day one:
| Control | Evidence Type | Collection Method |
|---|---|---|
| MFA enforcement | Screenshot of Conditional Access policy | Quarterly screenshot |
| Access reviews | Access review results with approvals | Quarterly review log |
| Vulnerability scanning | Scan reports with remediation status | Monthly export from scanner |
| Security training completion | Training platform completion records | Quarterly report |
| Incident response | Incident tickets with timelines | Incident log |
| Change management | PR/ticket history with approvals | Git/Jira export |
Use a GRC (Governance, Risk, and Compliance) platform to automate evidence collection: Vanta, Drata, Secureframe, or Tugboat Logic are purpose-built for SOC 2.
Vendor Selection: SOC 2 Auditor
The auditor is a CPA firm with SOC 2 expertise. Key selection criteria:
- AICPA membership and peer review
- Experience with your industry and size
- Reference checks from similar companies
- Cost: typically $15,000–$50,000 for Type II (varies significantly by scope and auditor)
Chapter 5: GDPR Implementation
Lawful Basis for Processing
Every processing activity must have a lawful basis:
| Basis | When to Use |
|---|---|
| Consent | Marketing, cookies, non-essential processing |
| Contractual necessity | Processing required to deliver your service |
| Legal obligation | Tax records, employment law requirements |
| Legitimate interests | Fraud prevention, security monitoring (balance test required) |
| Vital interests | Emergency healthcare (rare) |
| Public task | Government functions (rare) |
Most common for SaaS: Contractual necessity for processing customer data to deliver the service; consent for marketing.
Records of Processing Activities (RoPA)
Article 30 requires a written record of all processing activities:
Example RoPA entry:
- Processing activity: Customer Support
- Controller: [Your Company]
- Purpose: Responding to customer support tickets
- Categories of data: Name, email, company, support ticket content
- Lawful basis: Contractual necessity
- Recipients: Zendesk (processor), [other sub-processors]
- Retention: 2 years after contract end
- Transfer safeguards: EU-US DPF (Zendesk)
The RoPA is a living document — update it when you add new data processing activities.
Data Subject Rights
Implement processes to fulfil each right within statutory timeframes (1 month, extendable to 3 months for complex requests):
| Right | What It Requires |
|---|---|
| Access (Art. 15) | Provide a copy of all personal data held about the individual |
| Erasure (Art. 17) | Delete personal data; propagate to sub-processors |
| Portability (Art. 20) | Provide data in machine-readable format |
| Rectification (Art. 16) | Correct inaccurate data |
| Restriction (Art. 18) | Stop processing while a dispute is resolved |
| Objection (Art. 21) | Stop processing for direct marketing (absolute right) |
Implement a data subject request intake process (email address, web form) and internal workflow to fulfil requests within 30 days.
Data Protection Impact Assessments (DPIA)
Required for processing that is “likely to result in a high risk” — including:
- Large-scale processing of sensitive data (health, biometric, financial)
- Systematic profiling
- Processing of data about vulnerable populations
- Novel technologies (AI/ML on personal data)
- Data sharing with third parties at scale
A DPIA documents: the processing, its necessity, risks, and mitigations. It must be completed before the processing begins.
International Data Transfers
Transferring personal data outside the EEA requires a legal mechanism:
| Mechanism | When to Use |
|---|---|
| Adequacy decision | Transfers to countries with EU adequacy (UK, Israel, Japan, etc.) |
| EU-US Data Privacy Framework | Transfers to certified US companies |
| Standard Contractual Clauses (SCCs) | Transfers to any third country without adequacy |
| Binding Corporate Rules (BCRs) | Intra-group transfers for large multinationals |
For UK post-Brexit: UK SCCs (International Data Transfer Agreements — IDTAs) for transfers from UK to non-adequate countries.
Chapter 6: Building an Integrated Compliance Programme
The Single Programme Approach
Maintaining three separate compliance programmes is expensive and creates inconsistency. Build one integrated programme:
Unified policy framework: Write policies that satisfy all three frameworks simultaneously. An Access Control Policy that references RBAC (ISO 27001 A.8.3), user provisioning/deprovisioning (SOC 2 CC6), and purpose limitation (GDPR Art. 5) covers all three in one document.
Unified evidence repository: Use a GRC platform or structured SharePoint/Confluence to store evidence that satisfies multiple frameworks. A quarterly access review serves ISO 27001 A.8.2, SOC 2 CC6.2, and GDPR Art. 32 simultaneously.
Unified risk register: Maintain one risk register that includes information security risks (ISO 27001), operational risks that affect service availability (SOC 2 CC3), and data protection risks (GDPR Art. 35).
Implementation Sequence Recommendation
For an organisation starting from scratch targeting all three:
Phase 1 (Months 1–3): Foundation
- Asset inventory and data mapping (feeds all three frameworks)
- Risk assessment (ISO 27001 + GDPR DPIA assessment)
- Policy framework first draft
- Technical controls foundation: MFA, access control, encryption, logging
Phase 2 (Months 4–6): ISO 27001
- Complete ISMS documentation
- Stage 1 audit
- Implement remaining Annex A controls
- Stage 2 audit
Phase 3 (Months 7–9): GDPR
- RoPA completion
- Privacy notices updated
- Data subject request process implemented
- Sub-processor agreements (DPAs) signed
- International transfer mechanisms documented
Phase 4 (Months 10–18): SOC 2 Type II
- Evidence collection period begins
- Controls operating and evidence collected
- Type II audit report
GRC Tools
| Tool | Best For | Cost |
|---|---|---|
| Vanta | SMBs; SOC 2 + ISO 27001 automation | $$$$ |
| Drata | Mid-market; broad framework coverage | $$$$ |
| Secureframe | Good value; SOC 2 + ISO 27001 + GDPR | $$$ |
| Tugboat Logic | Mid-market; policy library | $$$ |
| Sprinto | Indian market; ISO 27001 | $$$ |
| Manual (Notion/Confluence) | Very small teams starting out | $ |
Chapter 7: Audit Preparation
ISO 27001 Audit Preparation
3 months before Stage 2:
- Complete internal audit across all ISO 27001 clauses and applicable Annex A controls
- Resolve all Major nonconformities identified in internal audit
- Conduct management review meeting (mandatory, must show leadership engagement)
- Ensure all mandatory documented information is current (policies, procedures, risk register, SoA, audit reports)
1 month before:
- Evidence pack ready for each Annex A control: policy reference + evidence of implementation
- All staff have completed information security awareness training
- Risk assessment and risk treatment plan reviewed and updated
SOC 2 Audit Preparation
Ongoing throughout audit period:
- Consistent evidence collection (access reviews, training completion, scan reports)
- All controls operating as designed — no gaps in evidence
1 month before audit report date:
- Evidence reviewed for completeness
- Any control gaps have compensating controls documented
- Vendor SOC 2 reports collected and reviewed
Common Audit Findings to Avoid
| Finding | How to Avoid |
|---|---|
| Policies not reviewed annually | Set calendar reminders; document review date in policy |
| Access reviews not completed on schedule | Put quarterly reviews in calendar; assign a DRI (directly responsible individual) |
| Missing training records | Use LMS with automated completion tracking |
| Undocumented exceptions to policy | Formal exception process with documented approvals |
| Risk register not updated | Quarterly risk review as standing agenda item |
| Vendor assessments not current | Annual vendor review calendar |
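The evidence table in Chapter 4 gives each control a collection cadence, and the "not completed on schedule" findings above are what happens when a period is missed. The following added script (not part of the original guide) checks a constructed evidence log against those cadences and reports every period in the audit window that has no evidence, so gaps surface before the auditor samples them.

```python
"""Evidence-coverage check for a SOC 2 Type II audit window (added example, not
from the original guide). Collection cadences come from the evidence table in
Chapter 4; the evidence records at the bottom are constructed sample data."""
from datetime import date

# Collection cadence in months per control; None marks event-driven evidence
# (incident tickets, PR history) that has no fixed schedule.
CADENCE_MONTHS = {
    "MFA enforcement": 3,
    "Access reviews": 3,
    "Vulnerability scanning": 1,
    "Security training completion": 3,
    "Incident response": None, "Change management": None,
}

def period_label(d: date, months: int) -> str:
    """Name the period a date falls in: '2024-05' for monthly, '2024-Q2' for quarterly."""
    if months == 1:
        return f"{d.year}-{d.month:02d}"
    if months == 3:
        return f"{d.year}-Q{(d.month - 1) // 3 + 1}"
    raise ValueError(f"unsupported cadence: {months} months")

def expected_periods(start: date, end: date, months: int) -> list[str]:
    """Every collection period overlapping [start, end], in calendar order."""
    labels: list[str] = []
    year, month = start.year, start.month
    while date(year, month, 1) <= end:
        label = period_label(date(year, month, 1), months)
        if label not in labels:
            labels.append(label)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return labels

def evidence_gaps(records: list[tuple[str, date]], start: date, end: date) -> dict[str, list[str]]:
    """Map each scheduled control to the periods in the window that have no evidence."""
    gaps: dict[str, list[str]] = {}
    for control, months in CADENCE_MONTHS.items():
        if months is None:
            continue  # event-driven: reviewed against the incident/change log instead
        have = {period_label(d, months) for c, d in records if c == control and start <= d <= end}
        missing = [p for p in expected_periods(start, end, months) if p not in have]
        if missing:
            gaps[control] = missing
    return gaps

# Constructed evidence log for a six-month window, the Type II minimum period.
AUDIT_START, AUDIT_END = date(2024, 1, 1), date(2024, 6, 30)
SAMPLE_RECORDS = [
    ("Access reviews", date(2024, 1, 15)), ("Access reviews", date(2024, 4, 20)),
    ("MFA enforcement", date(2024, 2, 1)),  # Q2 screenshot never taken
    ("Security training completion", date(2024, 3, 30)), ("Security training completion", date(2024, 6, 28)),
] + [("Vulnerability scanning", date(2024, m, 10)) for m in (1, 2, 3, 5, 6)]  # April export missing

if __name__ == "__main__":
    for control, periods in evidence_gaps(SAMPLE_RECORDS, AUDIT_START, AUDIT_END).items():
        print(f"{control}: no evidence for {', '.join(periods)}")
```

Feeding it a real GRC export in place of the constructed records turns the quarterly calendar reminder into a check that can run on every evidence upload.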
Conclusion
ISO 27001, SOC 2, and GDPR compliance is achievable for organisations of any size — the key is building a genuine security programme rather than paper compliance.
The most common mistake is treating compliance as a project that ends at certification. Compliance is an ongoing operational discipline. The organisations that get the most value from their compliance investments are those that use it as a forcing function to build security controls they would want anyway.
CyberneticsPlus provides gap assessments, ISMS implementation support, audit preparation, and ongoing compliance advisory for ISO 27001, SOC 2, and GDPR. Contact us to discuss your compliance programme.