
ISO 27001 / SOC 2

Enterprise buyers ask for ISO 27001 or SOC 2 increasingly often — especially after NIS2 enforcement tightened across the EU. The cert opens deals worth hundreds of thousands of euros, but the preparation is months of policy authoring, evidence collection, and auditor coordination. We do all of it.

From “we want the cert” to “we have the cert”

Fixed-price engagement covering the full preparation cycle. The price doesn’t change if it takes longer; we take the risk on duration.

Gap Analysis

Detailed assessment of where you are today vs the control framework. Prioritized by audit-blocking severity. You see the full work list before signing.

Policy Authoring

The full policy suite written to your business: information security, acceptable use, access management, incident response, supplier management, change management, business continuity, disaster recovery.

Control Implementation

Technical controls deployed: MFA enforcement, logging configuration, vulnerability management, encryption at rest, backup verification, vendor risk assessment processes. Real implementation in your environment, with evidence collected as we go.

Evidence Collection

The evidence room every auditor asks for: access reviews, change logs, vulnerability scan history, training completion, vendor reviews, business continuity tests. Organized by control, ready to hand over.

Auditor Liaison

We work with your chosen auditor directly. We coordinate the audit timeline, prepare your team for interviews, respond to evidence requests, and manage findings remediation between Stage 1 and Stage 2 (or SOC 2 Type I / Type II).

Annual Surveillance

Once certified, the work isn’t over. Annual surveillance audits, continuous monitoring evidence collection, policy review cadence. Optional retainer keeps it all running.

The certification preparation process

Gap Analysis & Scoping

We assess your current controls against the relevant framework (ISO 27001 Annex A or SOC 2 Trust Services Criteria). Output: a prioritized gap list, a remediation timeline, and a fixed-price quote for the full preparation engagement.

Remediation & Policy Build

We author the policy suite, implement technical controls, run the vulnerability management program, and collect evidence in parallel. Weekly status updates keep you informed at every stage.

Audit

We coordinate the audit with your chosen certification body or CPA firm, manage the evidence room, prepare your team for auditor interviews, and handle Stage 2 or Type II findings. We stay on call through the audit close.

Pen testing + ISO/SOC 2 is one engagement

ISO 27001 control A.8.8 requires vulnerability management. SOC 2 CC7.1 requires the same. Both demand evidence of regular external testing — which means our penetration testing service is already producing the artifact your auditor will want. Bundling the two means the testing cadence, the remediation tracking, and the audit evidence all run in one coordinated stream.

Our vCISO retainer typically rounds out the engagement: someone owns the security program on an ongoing basis, attends the audit, and represents your business in front of the auditor. Most clients run pen testing, ISO/SOC 2 preparation, and the vCISO retainer as one combined program.

Frequently asked questions

How long does ISO 27001 certification take?

From kickoff to certification decision, ISO 27001 typically takes 4–9 months depending on your starting point. Companies with no prior security controls take longer; those with existing security practices and documentation can move faster. Our gap analysis (week 1) gives you an accurate timeline estimate before the main engagement begins.

SOC 2 vs ISO 27001 — which do I need?

SOC 2 is primarily required by US enterprise buyers and is becoming standard for SaaS companies selling into the US market. ISO 27001 is more common in European enterprise procurement and is increasingly required under NIS2 supply-chain obligations. If you’re selling to both markets, or if your buyers are large multinationals, you may need both. We scope combined engagements that satisfy both frameworks with a shared evidence base — typically 20–35% cheaper than two separate programs.

How much does SOC 2 / ISO 27001 compliance cost?

Our fixed-price engagement for a single framework (ISO 27001 or SOC 2 Type I) starts from €25,000. SOC 2 Type II or a dual ISO 27001 + SOC 2 program is scoped individually. The engagement price covers gap analysis, policy authoring, technical control implementation, evidence collection, and auditor liaison. The certification body or CPA firm audit fee is separate (typically €5,000–€20,000 depending on organization size).

What’s the difference between SOC 2 Type I and Type II?

SOC 2 Type I is a point-in-time assessment: it confirms your controls are designed correctly as of a specific date. SOC 2 Type II covers a period of time (typically 6–12 months) and confirms your controls operated effectively throughout that period. Enterprise buyers and procurement teams overwhelmingly prefer Type II, as it proves operational consistency rather than just design intent. We recommend going straight to Type II unless you have a specific near-term deadline that requires a Type I bridge.

Do I need ISO 27001 for GDPR compliance?

ISO 27001 is not required by GDPR, but it substantially supports GDPR compliance. GDPR Article 32 requires “appropriate technical and organizational measures” to protect personal data — and an ISO 27001 ISMS is the most defensible evidence that those measures exist. Many DPAs and regulators view ISO 27001 certification as strong evidence of GDPR compliance for the security obligations. If you process significant volumes of EU personal data, ISO 27001 is worth pursuing for regulatory risk management alone.

Can you handle both SOC 2 and ISO 27001 in one engagement?

Yes, and we recommend it if both are required. The control frameworks overlap significantly: approximately 70% of ISO 27001 Annex A controls map to SOC 2 Trust Services Criteria. We run a unified evidence collection program that satisfies both, cutting the total cost and elapsed time compared to running two separate programs sequentially. We’ll advise on sequencing based on which certification your buyers are demanding first.

Compliance, without the consulting-firm tax

Tell us which cert you’re going for and what evidence you already have — we’ll come back with a scope and a fixed price.
