A mid-sized Indian SaaS company received a questionnaire from a potential US enterprise customer. Page three asked: "Do you hold a SOC 2 Type II report?" The company did not. The deal stalled for six months while they scrambled to get one. Meanwhile, their European distributor had been asking about GDPR compliance for two years. And their Series A investor wanted ISO 27001 before closing.
Information security compliance is increasingly a commercial prerequisite, not just a regulatory obligation. This guide explains what ISO 27001, SOC 2, and GDPR actually cover, who needs each one, and how to approach them without wasting time and money on the wrong framework.
ISO 27001: The Global Information Security Management Standard
ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). Published by the International Organisation for Standardisation, it specifies requirements for establishing, implementing, maintaining, and continually improving information security across the organisation.
What It Covers
ISO 27001 is a risk-based framework. Rather than prescribing specific technical controls, it requires you to:
- Identify your information assets and the risks to them
- Implement controls from Annex A (114 controls across 14 categories) proportionate to those risks
- Document policies, procedures, and evidence of control operation
- Undergo internal audits and management reviews
- Achieve third-party certification from an accredited auditor
Annex A covers access control, cryptography, physical security, supplier relationships, incident management, business continuity, and more. The 2022 revision (ISO 27001:2022) added new controls for cloud security, threat intelligence, and data masking.
Who Issues the Certificate?
Accredited certification bodies (CBs), such as BSI, TÜV Rheinland, Bureau Veritas, or Indian bodies like BIS-empanelled CBs, conduct Stage 1 (documentation review) and Stage 2 (implementation audit) audits. Certificates are valid for three years with annual surveillance audits.
SOC 2: US Trust Services Criteria for Cloud and SaaS
SOC 2 (Service Organisation Control 2) is a US standard developed by the American Institute of Certified Public Accountants (AICPA). It assesses how a service organisation manages customer data based on five Trust Services Criteria (TSC):
- Security (mandatory for all SOC 2 reports)
- Availability (optional, relevant for uptime-sensitive services)
- Processing Integrity (optional, relevant for financial processing)
- Confidentiality (optional, for confidential data handling)
- Privacy (optional, for personal information processing)
Type I vs Type II
- SOC 2 Type I: Assesses whether controls are designed appropriately at a point in time. Faster to achieve (3–4 months from start). Less trusted by sophisticated buyers.
- SOC 2 Type II: Assesses whether controls operated effectively over an observation period (minimum 6 months, typically 12 months). This is the gold standard that enterprise US customers require.
How It Differs from ISO 27001
ISO 27001 is a management system certification: you either have it or you do not. SOC 2 produces a report, not a certificate, and that report is typically shared confidentially with specific customers or prospects under NDA. SOC 2 is more prescriptive about cloud and SaaS-specific controls; ISO 27001 is broader in scope.
GDPR: EU and UK Data Privacy Regulation
The General Data Protection Regulation (GDPR) is not a certification; it is a binding legal regulation that applies to any organisation that processes personal data of EU or UK citizens, regardless of where the organisation is located.
What It Requires
- Lawful basis for processing: Every use of personal data must have a documented legal basis (consent, legitimate interest, contract, legal obligation, vital interests, or public task)
- Data subject rights: Individuals must be able to access, correct, delete, and port their data. Requests must be responded to within 30 days.
- Data Protection Officer (DPO): Required for organisations that process personal data at scale or process special category data
- Privacy by Design: Privacy considerations must be embedded in system design from the outset
- Breach notification: Data breaches must be reported to supervisory authorities within 72 hours and to affected individuals "without undue delay"
- Data Processing Agreements (DPAs): Required with every vendor that processes personal data on your behalf
- Cross-border transfer restrictions: Personal data cannot be transferred outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules, or adequacy decision)
India and GDPR
An Indian company that serves EU customers, employs EU residents, or processes personal data about EU citizens must comply with GDPR. Non-compliance penalties can reach €20 million or 4% of global annual turnover, whichever is higher. India's own Digital Personal Data Protection Act (DPDPA) 2023 parallels GDPR in several respects, though enforcement timelines differ.
Who Needs Each Framework?
| Your Situation | You Need |
|---|---|
| Selling software or services to enterprise customers globally | ISO 27001 (most universally recognised) |
| US SaaS customers asking for security questionnaire or report | SOC 2 Type II |
| Processing personal data of EU/UK citizens | GDPR compliance (legal obligation, not optional) |
| Indian fintech or BFSI company | RBI Cybersecurity Framework + ISO 27001 recommended |
| Healthcare company handling patient data | ISO 27001 + relevant health data regulations |
| Government or defence contractor | ISO 27001 (often mandated in RFPs) |
How ISO 27001, SOC 2, and GDPR Complement Each Other
These frameworks are not mutually exclusive; they are complementary, and achieving one makes the others easier:
- ISO 27001 + SOC 2: Approximately 60–70% of ISO 27001 controls map to SOC 2 Trust Services Criteria. An organisation that has implemented ISO 27001 has done most of the heavy lifting for SOC 2. The incremental effort to achieve SOC 2 after ISO 27001 is significantly lower than starting from scratch.
- ISO 27001 + GDPR: ISO 27001's requirements for data classification, access control, and incident management directly support GDPR obligations. ISO 27001 does not cover all of GDPR (legal basis, data subject rights, and DPA agreements are outside its scope), but it provides a strong foundation.
- The GRC Platform approach: Compliance automation platforms like Vanta, Drata, and Sprinto can simultaneously track controls across ISO 27001, SOC 2, and GDPR, dramatically reducing the documentation and evidence-gathering burden for multiple frameworks.
Implementation Timeline and Cost
ISO 27001
- Timeline: 3–6 months for organisations up to 200 people with engaged management
- Cost (India): ₹5L – ₹20L for implementation support + certification audit
- Ongoing: Annual surveillance audit (₹1.5L – ₹3L) + internal audit programme
- Key effort: Gap assessment, risk assessment, policy documentation, control implementation, staff awareness training
SOC 2 Type II
- Timeline: 6–12 months minimum (Type II requires an observation period of at least 6 months)
- Cost: $15,000 – $50,000 USD for audit; readiness and implementation support varies widely
- Key effort: Readiness assessment, control implementation, evidence collection over the observation period, auditor selection and engagement
- Pro tip: Use a compliance automation platform (Vanta/Drata) to reduce evidence collection burden by 60–80%
GDPR Compliance
- Timeline: Initial compliance programme: 2–4 months; ongoing compliance is perpetual
- Cost: ₹3L – ₹10L for initial GDPR gap assessment and remediation (legal + technical); DPO retainer if required
- Key effort: Data mapping (Record of Processing Activities), privacy policy updates, DPA agreements with vendors, consent mechanism implementation, breach response procedures
RBI Cybersecurity Framework for Indian Fintech
Indian fintech companies regulated by the Reserve Bank of India (RBI) must comply with the RBI Cybersecurity Framework for Banks and NBFCs, which includes:
- IT Governance and Risk Management requirements aligned with the RBI Master Direction on IT
- Cyber Security Operations Centre (C-SOC) requirement for larger entities
- Mandatory reporting of cybersecurity incidents to RBI within prescribed timelines
- Annual VAPT (Vulnerability Assessment and Penetration Testing) by CERT-In empanelled auditors
- Data localisation requirements: certain payment system data must be stored exclusively in India
- Third-party risk management requirements for cloud and outsourcing arrangements
ISO 27001 significantly supports RBI framework compliance by providing the underlying ISMS structure. However, RBI-specific requirements (particularly data localisation and incident reporting timelines) require additional attention beyond what ISO 27001 mandates.
Get a Compliance Roadmap Tailored to Your Business
The right compliance strategy depends on your customer base, industry, and growth plans. A B2B SaaS targeting US enterprises needs SOC 2. A company with EU customers needs GDPR compliance. An enterprise technology company that sells to global corporates should pursue ISO 27001. Most scaling companies eventually need all three.
Unicrats provides cybersecurity services including compliance readiness assessments, ISO 27001 implementation support, and security audits. Our team helps you understand exactly which frameworks apply to your business, the most cost-effective path to achieving them, and how to build a security posture that satisfies multiple frameworks without duplicating effort. Schedule a compliance consultation with our security team.