by mathie25
1688 days ago
The objective of most companies is to make money (let us be honest), thus the objective of the information security team is to make sure that the organization can achieve its objectives. Thus, a lot of times, to sign customers, you need to be secure, as an IT/Security department can easily shut down any SaaS project if it is not secure enough. Having a certification like ISO 27001 or a report like SOC2 can really be helpful, and is sometimes a necessity. So ask yourself "does our company need a SOC2/ISO 27001 to sign customers? Is it a blocker for our business?". You never want to achieve compliance "just because"; you need a business reason to do it. We started building our security program (ISMS) based on ISO 27001 (which is a really good basis in my opinion), but decided to get a SOC2 report instead. We started with a SOC2 type I report, then a type II. I personally find that a SOC2 is much more flexible than an ISO 27001 certification. We mainly deal with big European customers, and SOC2 and ISO 27001 are seen as equal; we never had a problem there. Most customers don't even read the report, to be honest; it's a check in a box. Having a SOC2 report or ISO 27001 certification shows that you care about security, and it sets the tone from the start.