
ISO 27001 vs SOC 2 vs Cyber Essentials: Which One Does Your Startup Actually Need?

A decision framework for non-technical founders choosing between ISO 27001, SOC 2, and Cyber Essentials. With real costs, timelines, and an honest answer about which one to do first.

Robbie Cronin · 9 min read

Someone just told you that you need to be "compliant." Maybe it was an enterprise customer on a sales call. Maybe an investor during due diligence. Maybe a partner who sent over a security questionnaire and you stared at it for 20 minutes before closing the tab.

So you Googled it. And now you're looking at SOC 2, ISO 27001, Cyber Essentials, HIPAA, GDPR, and a dozen other acronyms that all sound equally important and equally expensive.

Here's the good news. You almost certainly don't need all of them. Most startups need one, maybe two. The trick is figuring out which one actually matters for your business right now.

Which Framework Do You Actually Need?

The answer depends on one thing: who's asking.

[Interactive decision tree: "Which Compliance Framework Do You Need?" (3 questions). Question 1 of 3: Are your customers primarily in the US?]

That decision tree covers 90% of cases. If you landed on an answer, you can skip ahead to that section. If you're still not sure, keep reading.

The Three Frameworks, Side by Side

Here's the honest comparison. Not the version from a compliance platform trying to sell you their software. The version from someone who's actually been through these audits.

|                 | SOC 2                          | ISO 27001                            | Cyber Essentials                            |
|-----------------|--------------------------------|--------------------------------------|---------------------------------------------|
| Cost (startup)  | $20,000-$60,000                | $15,000-$50,000                      | £300-£3,000                                 |
| Timeline        | 3-6 months                     | 6-12 months                          | 1-4 weeks                                   |
| Geography       | US (+ Canada, Australia)       | Global (strongest in UK/EU)          | UK only                                     |
| Audit type      | Report from CPA firm           | Certification from accredited body   | Self-assessment or external test            |
| Valid for       | 12 months (then re-audit)      | 3 years (with annual surveillance)   | 12 months                                   |
| Difficulty      | Moderate                       | High                                 | Low                                         |
| What you get    | Audit report (not public)      | Certificate (display it)             | Certificate (display it)                    |
| Best for        | US enterprise sales            | Global enterprise sales, EU market   | UK government contracts, quick baseline     |

Two things stand out from this table.

First, Cyber Essentials is dramatically cheaper and faster than the other two. If you're early stage and not yet facing enterprise sales pressure, it's the obvious starting point. You can be certified in weeks, not months.

Second, SOC 2 and ISO 27001 cost roughly the same, but ISO 27001 takes longer. The tradeoff is recognition. SOC 2 is the standard in the US. ISO 27001 is the standard everywhere else. If you sell globally, ISO 27001 is stronger.

£300 (+ VAT): Cyber Essentials certification starting cost. Compare that to $20,000+ for SOC 2 or ISO 27001. For early-stage startups targeting UK markets, this is the obvious first step.

The 80% Overlap Nobody Talks About

Here's something the compliance industry doesn't advertise: these frameworks overlap significantly. Around 80% of the controls in SOC 2 map directly to ISO 27001 controls. And Cyber Essentials covers the foundational technical controls that both of the bigger frameworks require.

What does that mean in practice? If you do Cyber Essentials first, you've already handled the basics that SOC 2 and ISO 27001 both check for. Things like access control, firewall configuration, secure settings, malware protection, and patch management.

If you then do SOC 2, roughly 80% of the work carries over when you go for ISO 27001. You're not starting from scratch each time. You're building layers.

The overlapping controls include:

  • Access control. Who can access what, and how is it enforced? All three frameworks check this.
  • Encryption. Data encrypted in transit and at rest. Required by SOC 2 and ISO 27001. Cyber Essentials doesn't cover encryption directly, but its secure configuration controls are a starting point.
  • Incident response. Do you have a plan for when things go wrong? SOC 2 and ISO 27001 both require this. Cyber Essentials doesn't, but you should have one anyway.
  • Change management. How do you deploy code? Is there a review process? SOC 2 and ISO 27001 care about this deeply.
  • Monitoring and logging. Can you detect and investigate security events? Both major frameworks require audit trails.

The unique parts are what differentiate them. SOC 2 optionally covers availability and processing integrity (most startups only include the mandatory Security criterion). ISO 27001 requires a formal Information Security Management System (ISMS) with risk assessments and management reviews. Cyber Essentials is purely technical controls, no process or governance requirements.

Which One to Do First

This is the question I get asked most. The answer is simpler than people expect.

4 weeks: average time to Cyber Essentials certification. If you haven't done any compliance work yet, start here. It builds the technical foundation that SOC 2 and ISO 27001 both require.

If you've done nothing yet: Start with Cyber Essentials. It costs almost nothing, takes weeks instead of months, and forces you to get the basic technical controls in place. Those same controls are the foundation for everything else.

If an enterprise customer is asking for SOC 2: Go straight to SOC 2 Type 1. Don't wait. The customer is asking because they need it for their procurement process, and every week you delay is a week the deal sits in limbo. You can do Cyber Essentials in parallel since it's quick enough to not slow you down.

If you sell to UK/EU customers: ISO 27001 is your target. But it takes 6-12 months, so start with Cyber Essentials now (4 weeks) and begin the ISO 27001 journey alongside it.

If investors are asking about security: They don't usually need a specific framework. They want to see that you take security seriously and have a plan. A Cyber Essentials certificate plus a written security roadmap is usually enough for seed stage. By Series A, they'll want to see SOC 2 or ISO 27001 in progress.

Don't Start With ISO 27001

If you haven't done any compliance work before, ISO 27001 is the wrong first step. It requires a formal ISMS, risk assessment methodology, management reviews, and internal audits. These are important, but they're governance overhead that makes no sense until you've got the technical basics in place. Start with Cyber Essentials, then build toward ISO 27001 with the foundation already laid.

The Consultant Trap

A compliance consultant will happily charge you $30,000-$50,000 to get ISO 27001 certified. They'll deliver 200 pages of policies, a risk register, and a statement of applicability. All beautifully formatted.

The problem? Those 200 pages are templates. They describe what your security should look like, but they don't actually make you secure. The policies say "we encrypt all data at rest." Great. Did anyone actually turn on encryption? The consultant doesn't know. They wrote the policy, not the code.

This is where having an engineer handle compliance makes a difference. An engineer doesn't just write that you have access controls. They implement the access controls. They configure the MFA. They set up the audit logging. They write the infrastructure-as-code that makes your security posture reproducible and auditable.

The policies still need to exist. But they should describe what's actually true, not what you wish were true.

Compliance Consultant vs Engineer Approach

| Feature                        | Consultant        | Engineer          |
|--------------------------------|-------------------|-------------------|
| Writes security policies       |                   |                   |
| Implements technical controls  |                   |                   |
| Configures cloud security      |                   |                   |
| Audit-ready documentation      |                   |                   |
| Ongoing security monitoring    |                   |                   |
| Typical cost                   | $30,000-$50,000   | $15,000-$40,000   |
| Policies match reality         | Sometimes         | Always            |
| Can fix issues found in audit  |                   |                   |

The best outcome is policies that are generated from your actual infrastructure. Your access control policy describes your actual IAM configuration. Your encryption policy reflects your actual KMS setup. When the auditor asks "show me evidence," you pull it from your live systems, not from a document someone wrote six months ago.
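As an added illustration of policies that are checked against your actual infrastructure (example code written for this page, not from the original post or any compliance product), the script below tests three written control statements against a constructed inventory export and emits the pass/fail evidence an auditor would ask for. The inventory fields, the control names and the 90-day retention threshold are assumptions; a real run would export the inventory from your cloud provider's CLI or API.

```python
# Policy-vs-reality check: test written control statements against a live
# inventory export. INVENTORY is a constructed sample (assumption: you would
# export the real one from your cloud provider's CLI or API).
from dataclasses import dataclass

INVENTORY = {
    "storage_buckets": [
        {"name": "app-uploads", "encryption_at_rest": "aws:kms"},
        {"name": "legacy-exports", "encryption_at_rest": None},  # policy drift
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "ci-bot", "mfa_enabled": False, "console_access": False},
        {"name": "bob", "mfa_enabled": False, "console_access": True},  # policy drift
    ],
    "audit_logging": {"enabled": True, "retention_days": 365},
}

@dataclass
class Finding:
    control: str   # the policy statement being checked
    passed: bool
    evidence: str  # what the live data actually showed

def check_encryption_at_rest(inv):
    """Policy: 'all data is encrypted at rest'. Every bucket must name a key/cipher."""
    bad = [b["name"] for b in inv["storage_buckets"] if not b["encryption_at_rest"]]
    return Finding("encryption-at-rest", not bad, f"unencrypted buckets: {bad}")

def check_mfa(inv):
    """Policy: 'MFA is required for all console users'. Service accounts are exempt."""
    bad = [u["name"] for u in inv["iam_users"]
           if u["console_access"] and not u["mfa_enabled"]]
    return Finding("mfa-for-console-users", not bad, f"console users without MFA: {bad}")

def check_logging(inv, min_retention_days=90):
    """Policy: 'audit logging is on and retained for at least 90 days' (assumed threshold)."""
    log = inv["audit_logging"]
    ok = log["enabled"] and log["retention_days"] >= min_retention_days
    return Finding("audit-log-retention", ok,
                   f"enabled={log['enabled']}, retention_days={log['retention_days']}")

def run_checks(inv):
    return [check_encryption_at_rest(inv), check_mfa(inv), check_logging(inv)]

def evidence_report(findings):
    """Evidence an auditor can read, pulled from live data rather than a document."""
    return "\n".join(f"[{'PASS' if f.passed else 'FAIL'}] {f.control}: {f.evidence}"
                     for f in findings)
```

Run `print(evidence_report(run_checks(INVENTORY)))` to see the two drift findings; pointing the same checks at a fresh export on a schedule is what turns "we encrypt all data at rest" from a sentence into something you can show.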

The Honest Answer

You probably came here hoping I'd tell you which framework to pick. So here it is.

Start with whatever your biggest customer is asking for.

If nobody's asking yet, start with Cyber Essentials. It's the cheapest, fastest way to build a security foundation, and everything else gets easier after you've done it.

If you're selling to US enterprises, that's SOC 2. If you're selling to UK or EU enterprises, that's ISO 27001. If you're selling to UK government, Cyber Essentials is mandatory for contracts involving cyber risk. For NHS suppliers, the DSPT (Data Security and Protection Toolkit) is the primary requirement.

Don't try to do everything at once. Pick the framework that unblocks revenue right now, get it done, and build from there. The 70% overlap means each subsequent framework is significantly less work than the first.

Not Sure Where to Start?

An architecture review can assess your current security posture and tell you exactly which framework to pursue first, what you already have in place, and what gaps need closing. It's a fraction of the cost of starting the wrong certification. If you already know you need ISO 27001, here's how I approach it as a fractional CTO.

Robbie Cronin

Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.