BG Beter Geregeld ICT
Compliance · 2 min leestijd · 25 November 2025

ISO 27001 or SOC 2? Which one fits your Dutch SMB?

ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.

The short version: do you have EU clients? Go ISO 27001. Do you have US clients? Go SOC 2. Do you have both? Consider ISO 27001 + SOC 2 Type II — they overlap by 70–80%.

Differences in philosophy

  • ISO 27001: a certificate, valid for three years, with an annual surveillance audit. Demonstrates that your ISMS is working.
  • SOC 2: a report, issued annually or bi-annually. Demonstrates that your controls worked over a specific period.

Trust Service Criteria (SOC 2)

SOC 2 has 5 criteria: Security (always required), Availability, Confidentiality, Processing Integrity, and Privacy. You choose which ones to have assessed. For most SMBs: Security + Confidentiality.

What do clients ask for?

  • US tech clients: almost always ask for SOC 2 Type II.
  • EU enterprise: ISO 27001 is the standard request.
  • EU government: ISO 27001 + sometimes BIO.
  • Financial services: both + specific sector requirements.

Combining them

Many SMBs growing internationally start with ISO 27001 (easier to "build on" with a single certificate) and then add SOC 2 on top of the existing control set. Overlap > 70%, so the duplicate effort is minimal.

See also: ISO 27001 pillar, certification costs.

Onderwerpen

#iso-27001 #compliance #soc-2 #internationaal

Volledige gids: ISO 27001 para pymes sin gastar €50k en consultores

Dit artikel is onderdeel van onze uitgebreide Compliance-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Compliance

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

2 min
Compliance

NIS2 and SMEs: does your business fall under the directive?

NIS2 is the successor to NIS1 and significantly widens the scope. Many SMEs in "ordinary" sectors now suddenly qualify as essential or important entities.

2 min
Compliance

DORA for SMB Suppliers to Financial Institutions

From January 2025, every bank, insurer, or investment fund expects its suppliers to be DORA-compliant. As an SMB supplier, those requirements will land in your contracts.

2 min
Compliance

ISO 27001 costs: from initial gap analysis to certificate

A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.

2 min
Compliance

NEN 7510 for healthcare businesses: a step beyond ISO 27001

Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.

2 min
Compliance

The management review: what goes in it and who takes part?

One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.

2 min
← Alle artikelen in "Compliance"