The Question Every Growing MSP Client Eventually Asks
At some point in every security advisory engagement, a client asks the same question.
“We’ve been asked to get ISO 27001 certification. But one of our US customers said we need SOC 2. Which one should we do?”
It’s a fair question and there’s no single right answer — it depends on who their customers are, what geography they’re selling into, and what their growth plans look like. But MSPs who can answer it confidently, with a clear framework for making the decision, position themselves very differently from those who say “it depends” and leave the client to figure it out.
This guide is for MSPs who want to advise clients well on this decision — and who want to package that advisory into a service.
What Each Framework Actually Does
ISO 27001
ISO 27001 is an international standard published by the International Organization for Standardization. It defines the requirements for an Information Security Management System (ISMS) — a set of policies, procedures, processes, and controls that an organisation uses to manage information security risks systematically.
The key word is system. ISO 27001 isn’t just a checklist of technical controls. It requires an organisation to establish, implement, maintain, and continually improve an ISMS — which means documented processes, defined ownership, regular risk assessments, internal audits, and management reviews. The standard has 93 controls in Annex A (reorganised in the 2022 update from 114 in the 2013 version), but which controls apply depends on the organisation’s risk assessment. Not every control applies to every business.
The audit process is a formal third-party certification. A client engages an accredited certification body (BSI, Bureau Veritas, SGS, DNV, etc.), goes through a Stage 1 documentation review and a Stage 2 on-site audit, and if they pass, receives an ISO 27001 certificate. That certificate is valid for three years, with annual surveillance audits.
ISO 27001 is the dominant security standard in the UK, Europe, Middle East, and much of Asia-Pacific. It’s recognised by regulators, government procurement, and enterprise buyers across those markets. If your client is selling outside North America, ISO 27001 is almost certainly the framework they need.
SOC 2
SOC 2 is different in character. It’s not a certification — it’s an attestation report. A licensed CPA firm (a Certified Public Accountant firm accredited for SOC audits) audits an organisation against the AICPA’s Trust Services Criteria (TSC) and produces a report that describes their controls and whether those controls operated effectively over the audit period.
There are two types. SOC 2 Type I is a point-in-time attestation — it says “here are the controls this organisation has in place as of this date.” SOC 2 Type II covers an audit period, typically six to twelve months, and says “here are the controls and here’s evidence they actually worked throughout this period.” Enterprise buyers care about Type II. Type I is useful for early-stage startups trying to get to Type II.
SOC 2 has five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Most organisations start with Security only; the others are added based on what clients require or what’s relevant to the service.
SOC 2 originated in the US financial services and software sectors, and it’s the dominant requirement for US technology companies selling to US enterprise buyers. If a client is selling B2B SaaS in the US and their procurement teams are asking for security documentation, a SOC 2 Type II report is what they want to see.
The Decision Criteria
Here’s how to advise clients on which to pursue.
Go with SOC 2 first if:
- They’re a US-based company selling primarily to US enterprise customers
- Their sales team is losing deals because prospects ask for security documentation and they have nothing to share
- They’re in a category where SOC 2 has become table stakes — cloud infrastructure, SaaS, payroll software, HR tech, fintech
- Their compliance timeline is driven by a specific deal or enterprise prospect requirement
- They need to show evidence controls operated effectively over time (Type II), not just that they exist
Go with ISO 27001 first if:
- They’re a UK or European company, or selling into those markets
- They supply to government, NHS, regulated financial services, or defence contractors in the UK
- Their prospects are asking for evidence of a security management system, not just a controls audit
- They want international recognition that works across multiple markets
- They’re building a foundation for a long-term compliance programme
Pursue both if:
- They’re a UK or European SaaS company with US ambitions (or vice versa)
- They’re multi-market and need to satisfy different buyer requirements
- They’ve already done one and are getting asked for the other by new customer segments
- They want the most defensible security posture — an organisation with both certifications has a harder position to challenge than one with either alone
The practical reality is that more clients end up needing both than they expect. US software companies expand into Europe and find out ISO 27001 is the price of entry for enterprise deals there. UK companies raising investment from US VCs find their prospective portfolio acquirers all want SOC 2. Building toward both from the start — even if you certify one before the other — is usually the right long-term call.
How the Audit and Ongoing Maintenance Work
The practical differences in how each certification is managed matter a lot when you’re advising clients on what they’re actually committing to.
ISO 27001 maintenance:
After initial certification, clients face annual surveillance audits and a full recertification audit every three years. Surveillance audits are lighter — they check that the ISMS is being maintained, not a full controls review — but they’re not trivial. Clients need to keep their risk register updated, their internal audit programme running, management reviews documented, and their controls evidence current. Without ongoing management, organisations slip between surveillance audits and face remediation scrambles.
This is exactly the kind of ongoing programme that a vCISO or compliance service is built to manage. The certification body auditor doesn’t care if the controls are being managed by an in-house team or an external provider — they care that the ISMS is being maintained. That creates a clean service model for MSPs.
SOC 2 Type II maintenance:
SOC 2 Type II is continuous by nature. The audit period typically runs for twelve months, meaning the audit for next year’s report effectively starts the day after this year’s is complete. That continuous evidence collection requirement — logs, access reviews, change management records, security incidents, risk assessments — is intensive if managed manually.
Unlike ISO 27001, there’s no annual surveillance audit; there’s just the next Type II audit period. But clients who let their controls lapse between audits end up with findings in their report, which creates friction in sales conversations. Continuous control operation is the only way to have a clean SOC 2 report.
For MSPs delivering a recurring compliance programme, this ongoing evidence collection is where a GRC platform with cloud integrations pays for itself. Pulling access logs manually for 500 users every quarter is not a service that scales.
Where the Controls Overlap
One of the least-discussed practical realities of doing both ISO 27001 and SOC 2 is how much they share.
Both frameworks require:
- A formal risk assessment process
- Access control policies and access reviews
- Incident response planning and management
- Change management procedures
- Vendor and third-party risk management
- Business continuity and disaster recovery planning
- Logging, monitoring, and alert management
That’s the bulk of the control work for either framework. If a client has done ISO 27001 first and built out a proper ISMS, the marginal effort to achieve SOC 2 is genuinely manageable. The risk assessment, policies, and evidence collection processes are already in place. The gap is mostly in the specific Trust Services Criteria evidence requirements and the audit period documentation that SOC 2 demands.
The reverse is also true: a client with a SOC 2 Type II report already has most of what ISO 27001 certification requires — they just need to formalise the ISMS structure, fill in the controls that SOC 2 doesn’t specifically require (ISO 27001 has some controls, particularly around physical security and HR, that aren’t prominent in SOC 2), and go through the certification audit process.
Using a multi-framework GRC platform that maps controls across ISO 27001 and SOC 2 simultaneously means that evidence collected for one automatically counts toward the other. In practice, this reduces the total compliance programme overhead by 30–40% compared to running them independently.
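The two mechanics described above, the shared-controls evidence model (one artefact counting toward both frameworks) and the SOC 2 Type II requirement that controls operate throughout the audit period, are easier to reason about in code. The following is an added illustration, not the article's or any GRC vendor's code. Its crosswalk from the shared control areas to ISO/IEC 27001:2022 clause and Annex A references and to SOC 2 Trust Services Criteria ids is the example's own assumption (check it against the standards before relying on it), the evidence cadences are the example's own choices, and the evidence library and audit period are constructed sample data.

```python
"""Shared-controls evidence model with a SOC 2 Type II period-coverage check.

Added example, not from the article or any GRC platform. The control references
are this example's own illustrative crosswalk (verify against ISO/IEC 27001:2022
and the AICPA Trust Services Criteria before relying on them); the evidence
records and audit period are constructed sample data."""
from dataclasses import dataclass
from datetime import date


# One row per shared control area from the overlap list, with the framework
# references it is assumed to satisfy and the evidence cadence the programme
# commits to (maximum days between artefacts). Cadences are the example's own.
SHARED_CONTROLS = {
    "risk_assessment":    {"iso27001": ["6.1.2"],            "soc2": ["CC3.2"],                   "cadence_days": 366},
    "access_control":     {"iso27001": ["A.5.15", "A.5.18"], "soc2": ["CC6.1", "CC6.2", "CC6.3"], "cadence_days": 92},
    "incident_response":  {"iso27001": ["A.5.24", "A.5.26"], "soc2": ["CC7.3", "CC7.4"],          "cadence_days": 366},
    "change_management":  {"iso27001": ["A.8.32"],           "soc2": ["CC8.1"],                   "cadence_days": 92},
    "vendor_risk":        {"iso27001": ["A.5.19", "A.5.21"], "soc2": ["CC9.2"],                   "cadence_days": 366},
    "bcdr":               {"iso27001": ["A.5.30"],           "soc2": ["A1.2", "A1.3"],            "cadence_days": 366},
    "logging_monitoring": {"iso27001": ["A.8.15", "A.8.16"], "soc2": ["CC7.2"],                   "cadence_days": 92},
}


@dataclass(frozen=True)
class Evidence:
    control: str        # key into SHARED_CONTROLS
    description: str    # what the artefact is
    collected: date     # when it was produced


def requirements_satisfied(evidence, framework):
    """Framework references (ISO clause/Annex A ids or TSC ids) covered by at
    least one evidence item. A single artefact counts for both frameworks
    because it is attached to the shared control, not to a framework."""
    refs = set()
    for item in evidence:
        refs.update(SHARED_CONTROLS[item.control][framework])
    return refs


def coverage(evidence, framework):
    """Fraction of the framework's mapped references that have evidence."""
    all_refs = {r for ctrl in SHARED_CONTROLS.values() for r in ctrl[framework]}
    return len(requirements_satisfied(evidence, framework)) / len(all_refs)


def type2_gaps(evidence, period_start, period_end):
    """Type II asks whether controls operated throughout the period, so check
    that the longest stretch without an artefact (including the stretch before
    the first and after the last one) stays within the control's cadence.
    Returns {control: longest_gap_in_days} for the controls that fail."""
    gaps = {}
    for control, spec in SHARED_CONTROLS.items():
        dates = sorted(item.collected for item in evidence
                       if item.control == control
                       and period_start <= item.collected <= period_end)
        checkpoints = [period_start] + dates + [period_end]
        longest = max((later - earlier).days
                      for earlier, later in zip(checkpoints, checkpoints[1:]))
        if not dates or longest > spec["cadence_days"]:
            gaps[control] = longest
    return gaps


# Constructed sample evidence library for a 2024 calendar-year audit period.
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
SAMPLE_EVIDENCE = [
    Evidence("risk_assessment", "annual risk register review", date(2024, 3, 1)),
    Evidence("access_control", "Q1 user access review", date(2024, 1, 15)),
    Evidence("access_control", "Q2 user access review", date(2024, 4, 15)),
    Evidence("access_control", "Q3 user access review", date(2024, 7, 15)),
    Evidence("access_control", "Q4 user access review", date(2024, 10, 15)),
    Evidence("incident_response", "incident response tabletop exercise", date(2024, 6, 10)),
    Evidence("change_management", "change advisory board minutes", date(2024, 2, 1)),
    Evidence("change_management", "change advisory board minutes", date(2024, 9, 1)),
    Evidence("vendor_risk", "critical supplier reassessment", date(2024, 5, 20)),
    Evidence("bcdr", "disaster recovery test report", date(2024, 11, 5)),
    # No logging/monitoring artefacts at all: expected to be flagged.
]


def sample_report():
    """Run the shared-controls model over the constructed library."""
    return {
        "iso27001_coverage": coverage(SAMPLE_EVIDENCE, "iso27001"),
        "soc2_coverage": coverage(SAMPLE_EVIDENCE, "soc2"),
        "type2_gaps": type2_gaps(SAMPLE_EVIDENCE, PERIOD_START, PERIOD_END),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample library, the quarterly access reviews pass the Type II check (the longest gap is exactly the 92-day cadence), the two change-management artefacts fail it with a 213-day gap, and the missing logging evidence fails both the coverage calculation and the period check. That distinction is the point: coverage tells you whether a control has any evidence (the ISO 27001 gap-assessment view), while the period check tells you whether it kept operating (the Type II view), and the same evidence records feed both.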
What MSPs Get Wrong About This Advisory
Most MSPs who try to advise clients on framework selection make the same mistakes.
Mistake 1: Leading with the answer instead of the business context. The right framework depends on where the client sells and where they plan to sell. An MSP who immediately recommends ISO 27001 because that’s what they know best is doing the client a disservice if the client’s growth is in the US market. Start with the business context, then the framework.
Mistake 2: Underestimating ongoing maintenance. Clients often ask “what does it take to get certified?” without fully understanding the ongoing commitment. ISO 27001 certification without a maintenance programme is a certificate that doesn’t reflect reality within 18 months. SOC 2 Type II without continuous evidence collection produces a findings-heavy report. The value of the certification degrades without ongoing management.
Mistake 3: Treating the certification as the goal. The certification is a commercial output. The goal is a security posture that satisfies auditors and buyers. An MSP who helps a client achieve a certificate but leaves them without a maintenance programme has created a short-term win and a long-term problem. Frame the conversation around the ongoing programme, not the certificate.
Mistake 4: Ignoring the auditor relationship. For ISO 27001, the choice of certification body matters. Some certification bodies are recognised by specific government procurement frameworks or sector regulators; others are UKAS-accredited (United Kingdom Accreditation Service) or equivalent. For SOC 2, the CPA firm matters — particularly for US enterprise buyers who may want a recognised name. MSPs who can bring referrals to appropriate auditors add real value to the process.
Building a Framework Advisory Service
The ISO 27001 vs SOC 2 question is a service opportunity, not just a question to answer.
Here’s how to structure it as a billable engagement:
Step 1 — Framework Selection Workshop (fixed fee: £800–£1,500)
A two-hour session with the client’s leadership and the salesperson (or Head of Sales, if available). Cover:
- Current and planned customer base by geography
- Which prospects have requested security documentation in the last 12 months
- Any existing framework requirements from contracts or partner agreements
- Growth roadmap for the next 24 months
Output: a recommendation on which framework to pursue first, with a high-level rationale, timeline estimate, and order-of-magnitude cost range. This is not an assessment — it’s an advisory session. It moves fast and demonstrates expertise without consuming significant delivery time.
Step 2 — Gap Assessment (fixed fee: £2,500–£5,000)
A structured assessment against the recommended framework. Document what’s in place, what’s partially implemented, and what’s missing. Map gaps to specific control requirements. Prioritise remediation by audit readiness impact.
Output: a gap report with a remediation roadmap and a recommended scope for an ongoing compliance programme. The gap report almost always sells the next step.
Step 3 — Ongoing Compliance Programme (recurring: £2,000–£6,000/month)
The ongoing vCISO or compliance programme that maintains the ISMS and manages continuous evidence collection. At this stage, the client has committed to the certification journey and needs a provider to run it. This is the high-value recurring engagement.
The framework selection workshop and gap assessment are entry points. Their job is to get to Step 3.
The Multi-Framework Client Is Your Most Valuable Client
If you have a client who needs both ISO 27001 and SOC 2, that’s your ideal compliance programme client.
Not because it’s more complex — it’s not dramatically more complex if you’re using shared controls. But because the switching cost is high. A client with two certifications managed by your team has a much higher barrier to switching providers than a client with one. Their compliance posture, evidence library, policy library, and audit relationships are all embedded in your programme.
Multi-framework compliance clients that are correctly set up with a GRC platform that handles both frameworks in a shared-controls model are genuinely sticky. They renew, they expand, and they don’t leave unless the relationship breaks down.
That’s the business case for building framework advisory capability into your MSP offering now, before this becomes standard practice in the market.
The Bottom Line
ISO 27001 and SOC 2 answer different questions from different audiences. ISO 27001 says “this organisation runs a systematic security programme.” SOC 2 says “this organisation’s controls worked as described over the last year.” Both are legitimate. Both are valuable. And a growing number of MSP clients will eventually need both.
MSPs who can guide clients through this decision, deliver the gap assessment, and run the ongoing compliance programme are solving a problem that’s becoming more common and more commercially significant every year. Framework advisory is not a niche offering — it’s table stakes for any MSP building a security practice.
If you want to see how GetCybr’s platform supports ISO 27001, SOC 2, and multi-framework delivery for MSPs, book a demo and we’ll walk you through it.