When evaluating IT service providers, SOC 2 and ISO 27001 are the two certifications most frequently referenced as indicators of security maturity. Both are legitimate, both require substantial organizational effort to achieve, and both are regularly misunderstood — by vendors who hold them and by clients who require them.
Understanding what each certification actually assesses helps businesses ask better questions and make more informed vendor decisions.
What each certification measures
| Attribute | SOC 2 | ISO 27001 |
|---|---|---|
| Issuing body | AICPA (US CPA firms) | ISO/IEC (international accreditation bodies) |
| Focus | Controls over data in a specific service | Information security management system (ISMS) |
| Scope | Defined by the service provider | Defined by the organization, covers entire ISMS |
| Assessment type | Attestation by CPA firm | Certification audit by accredited registrar |
| Report output | Detailed report (Type I or Type II) | Certificate + Statement of Applicability |
| Validity | Point-in-time (Type I) or period (Type II, typically 12 months) | 3-year certificate with annual surveillance audits |
| Geography | Predominantly US/North America | Global recognition |
| Cost for MSP | $30,000-$100,000+ for audit | $20,000-$80,000+ for certification audit |
SOC 2: operational control verification
SOC 2 reports assess whether a service provider's controls are designed and operating effectively against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The provider chooses which criteria to include — security is required; the others are optional.
The critical distinction is between Type I and Type II:
- Type I evaluates whether controls are designed appropriately at a specific point in time. It's a snapshot.
- Type II evaluates whether controls operated effectively over a defined period, typically 6-12 months. It's evidence of sustained practice.
A SOC 2 Type II report is substantially more valuable than Type I because it demonstrates that the provider actually follows its documented procedures, not just that the procedures exist on paper. When an IT provider offers only a Type I report, ask when they plan to complete Type II — and why they haven't already.
ISO 27001: management system certification
ISO 27001 certifies that an organization has established, implemented, and maintains an Information Security Management System (ISMS) — a systematic approach to managing sensitive information through risk assessment, control implementation, and continuous improvement.
Where SOC 2 asks "are your controls working?", ISO 27001 asks "do you have a system for identifying risks, implementing controls, and improving over time?" The emphasis is on the management system itself, not just the individual controls.
ISO 27001 includes Annex A, which lists 93 reference controls (updated in the 2022 revision) across organizational, people, physical, and technological domains. The organization documents which controls apply and which don't in a Statement of Applicability (SoA). The certification audit verifies that the ISMS is functioning and that applicable controls are implemented.
SOC 2 proves your provider's controls work. ISO 27001 proves they have a system for ensuring controls continue to work as threats and requirements change.
Which one matters for your situation
- US-based business, domestic IT provider, SaaS or cloud focus: SOC 2 Type II is the standard expectation. Most enterprise procurement processes in the US require it.
- International operations or EU clients: ISO 27001 carries more recognition globally. EU-based partners and regulators are more familiar with ISO standards.
- Regulated industry (healthcare, finance, defense): Both may be required or expected. SOC 2 for operational evidence, ISO 27001 for management system maturity.
- Small business with limited compliance requirements: Either certification signals meaningful security investment by the provider. Prefer Type II SOC 2 or current ISO 27001 over Type I SOC 2 or expired certifications.
What to watch for
Red flags in provider certifications
- SOC 2 Type I only — no evidence that controls actually operate over time. Ask for the Type II timeline.
- Narrow SOC 2 scope — the provider may exclude key services from the audit scope. Ask what's covered and what isn't.
- Expired ISO 27001 — certification is valid for 3 years with annual surveillance audits. An expired certificate means the ISMS hasn't been verified recently.
- Won't share the report — SOC 2 reports are confidential but should be available under NDA. ISO 27001 certificates are typically public. A provider unwilling to share either raises questions.
- "In progress" indefinitely — some providers claim they're "working toward" certification without a completion date. This has no compliance value.
The strongest IT service providers hold both — SOC 2 Type II for operational assurance and ISO 27001 for management system maturity. For businesses evaluating providers, either current certification is a meaningful signal. Neither certification is one.