SOC 2 is the report most American SaaS founders learn about first, mostly because it’s the one US enterprise buyers ask for. But the moment a sales pipeline starts filling with customers in Europe, the question changes. SOC 2 is a US-market audit report; ISO 27001 is the internationally recognized certification — and for a company selling globally, that difference isn’t cosmetic. It’s the difference between a security answer that lands with a European procurement team and one that makes them ask a follow-up question you don’t want to get.
Note on sourcing
The case below is Ongoing, a global warehouse management SaaS company, documented directly by A-LIGN (the accredited certification body Ongoing worked with), with a named quote from Ongoing’s CEO. It’s cited and linked throughout. This is not a B4Q client engagement — it’s included because it’s one of the clearest public examples of why a company chooses ISO 27001 specifically, and what a real certification partnership looks like.
The Company: Ongoing
Ongoing develops Ongoing WMS, a warehouse management system sold as SaaS with accompanying professional services, used by thousands of logistics companies worldwide. A warehouse management platform sits deep inside a customer’s operations — inventory, fulfillment, shipping data — which means security assurance isn’t a nice-to-have add-on to the sales conversation, it’s close to the whole conversation.
The Problem: One Standard, One Global Customer Base
With customers spread across many countries, Ongoing needed a way to assure every client that their data was protected — regardless of where in the world that client happened to be. That’s a materially different problem than a US-only SaaS company solves with SOC 2. Ongoing’s security practices were already reasonably strong, but they were split across different teams without one unified system tracking policies, evidence, and who owned which control. To meet rising enterprise demands and GDPR’s requirements at the same time, Ongoing needed to move from that fragmented state into a structured, formal Information Security Management System — the actual definition of what ISO 27001 certifies.
Why ISO 27001 Specifically
This is the part worth sitting with if you’re facing the same decision. ISO 27001 isn’t simply “the European SOC 2.” It’s a different kind of artifact, recognized under a completely different system: an internationally accredited certification, valid for three years with mandatory annual surveillance audits, versus SOC 2’s report structure that most US buyers expect refreshed annually. For a company selling globally rather than primarily to US enterprises, that international recognition is the entire point — European procurement teams often don’t have an internal category for “US CPA-issued attestation report” the way they do for an ISO certificate.
There’s also a regulatory current pulling in the same direction. The EU’s NIS2 Directive sets risk management requirements for entities it considers essential or important, and specifically references ISO 27001 as a relevant standard for demonstrating compliance with its Article 21 obligations. That’s not a marketing claim — it’s the certification showing up inside the actual regulatory text European companies are being measured against, which is part of why European supervisory authorities increasingly treat a certified ISMS as strong evidence of GDPR Article 32 compliance as well.
For companies weighing the cost, typical first-year investment for a 20–100 person SaaS company — covering gap analysis, a compliance platform, and Stage 1 plus Stage 2 audit fees — runs in the $20,000–$55,000 range. And the fines backdrop makes clear why European buyers don’t treat this as optional box-checking: regulators issued roughly €1.2 billion in GDPR fines across Europe in a single recent year, according to DLA Piper’s enforcement tracking.
What Ongoing Actually Did
Ongoing searched for a certification partner with genuine global reach and deep experience specifically with SaaS environments, ultimately working with A-LIGN as the accredited auditor and Vanta as the automation platform managing evidence collection and audit readiness. According to Ongoing’s CEO, Fredrik Einarsson, the company recognized early that ISO 27001 would demand a level of structure and rigor requiring an audit partner with real expertise and a track record — and that combination of clear leadership and deep experience is what turned what could have been an overwhelming process into a manageable, confidence-building one.
The two-vendor structure here is worth noticing: one company handled the automated evidence-gathering and readiness tracking, and a separate, accredited certification body performed the actual audit and issued the certificate. That split isn’t unique to Ongoing — it’s how ISO 27001 certification structurally works, the same way SOC 2 requires a licensed CPA firm regardless of which automation platform a company uses to get there.
Jones IT, a San Francisco-based managed IT services provider, took a related but distinct path worth mentioning as a second data point: having already achieved SOC 2 Type 2, they pursued ISO 27001:2022 specifically to build on that existing foundation rather than starting fresh. According to their own published account, the prior SOC 2 work meaningfully expedited the ISO 27001 timeline, bringing them to certification in six months — faster than a first-time certification typically runs, precisely because so much of the underlying risk management and control infrastructure already existed.
The Result
For Ongoing, certification delivered benefits beyond the certificate itself. A-LIGN’s rigorous audit methodology combined with Vanta’s automated evidence collection meaningfully reduced the internal administrative burden of the certification process. More directly commercial: the partnership accelerated Ongoing’s sales cycles, since a credible, high-quality audit report simplifies customer due diligence and speeds up deals that would otherwise stall in security review. Ongoing also built a public-facing Trust Center, giving customers on-demand access to security controls and certifications rather than requiring a fresh conversation with every new deal.
For Jones IT, the published outcome centers on client confidence and expanded market opportunities — the certification functioning as a competitive differentiator in conversations where a SOC 2 report alone didn’t fully answer a prospect’s question.
The Pattern Underneath Both Stories
- The trigger is almost always geographic or regulatory, not just “more security.” Ongoing needed one standard that worked across a genuinely global customer base; the driver wasn’t abstract risk reduction, it was a concrete gap between what they had and what international customers expected to see.
- Certification and automation are two different jobs, done by two different parties. Ongoing’s experience makes this unusually explicit: Vanta handled readiness and evidence, A-LIGN performed the actual accredited audit. Neither replaces the other.
- Prior compliance work is leverage, not a sunk cost. Jones IT’s SOC 2 foundation directly shortened their ISO 27001 timeline — a pattern that shows up constantly in this space and argues for sequencing certifications deliberately rather than treating each one as an isolated project.
- The certificate becomes sales infrastructure, not just a compliance artifact. Both companies describe using their certification proactively — a Trust Center, a competitive differentiator in sales conversations — rather than treating it as something that only gets pulled out when a prospect specifically demands it.
What This Means If You're Facing This Decision
If your pipeline is genuinely global, or if GDPR and NIS2-adjacent expectations are showing up in EU prospect conversations, ISO 27001 is doing a job SOC 2 structurally can’t do on its own: providing an internationally recognized certificate rather than a US-market report. If you already hold SOC 2, the Jones IT pattern is the efficient path — treat the existing work as a foundation, not a separate project, and expect a meaningfully shorter timeline than a first-time certification.
B4Q’s approach for a company in this position starts with mapping your actual customer geography against what SOC 2 alone currently covers, then scoping an ISO 27001 gap analysis that explicitly reuses whatever SOC 2 evidence and control work already exists rather than duplicating it. As with SOC 2, the certificate itself has to come from an accredited body after real audit fieldwork — automation tooling speeds up the readiness work, but it doesn’t replace the audit.
The Honest Caveat
Ongoing’s story doesn’t include hard before/after sales numbers the way some SOC 2 case studies do — “accelerated sales cycles” is a real, sourced claim, but it’s qualitative rather than quantified in the published material, and that’s worth being upfront about rather than implying more precision than the source actually provides. The €20,000–$55,000 first-year cost range and the six-month Jones IT timeline are useful planning anchors, not guarantees — actual cost and timeline depend heavily on how mature your existing controls are and how tightly you scope the certification.