Compliance
2026-05-08
11 min read

GDPR vs ISO 27001 vs SOC 2: Which Compliance Framework Actually Fits Your Company

Goktug Onyer

Cybersecurity Lead


"We need to be compliant" is one of the most common — and most confused — requests we get. There's GDPR, ISO 27001, SOC 2, KVKK, HIPAA, PCI DSS, NIS2, the AI Act, and a dozen sector-specific regimes on top. They overlap, they contradict, and most companies pursue the wrong one first.

This is a clear-headed walkthrough of the three most asked-about frameworks, who actually needs each one, and roughly what it costs.

What each one is, in one sentence

  • GDPR (and KVKK in Turkey, similarly LGPD in Brazil, CCPA in California) — a law. You don't "get certified" in GDPR. You either comply with it or you don't, and regulators can fine you up to €20 million or 4% of global annual turnover, whichever is higher, if you don't.
  • ISO 27001 — an international standard for information-security management systems. You can get formally certified by an accredited certification body. Useful as a buying signal in B2B, especially in Europe.
  • SOC 2 — an attestation report issued by a licensed CPA firm under the AICPA's framework, stating that your controls meet the criteria you scoped in. There's a Type 1 (design of controls at a point in time) and Type 2 (design and operating effectiveness over a period, usually 6–12 months). The de-facto standard for selling SaaS into US enterprises.

Who actually needs each one

GDPR / KVKK: everyone, no exceptions

If you have a website that's reachable from the EU and collects any personal data — a contact form, analytics, a newsletter — you're in scope. Same for KVKK if any of your users are in Turkey. There's no opt-out and no certification to chase; the compliance work is structural:

  • Maintain a Record of Processing Activities (RoPA): every category of personal data you collect, why, where it's stored, who has access, how long you keep it.
  • Publish a privacy notice that actually matches what you do (not a templated one).
  • Implement lawful basis for each processing activity (consent, contract, legitimate interest, etc.).
  • Respond to data-subject requests (access, deletion, portability) within the statutory window: one month under GDPR (extendable by two further months for complex requests, if you tell the requester why), 30 days under KVKK.
  • Sign Data Processing Agreements with every vendor that touches personal data on your behalf (Google Workspace, Stripe, your email provider, hosting, etc.).
  • For transfers outside the EU: Standard Contractual Clauses plus a transfer impact assessment.
  • Notify your supervisory authority (in Austria, the DSB; in Turkey, the Personal Data Protection Authority) within 72 hours of becoming aware of a notifiable breach, and keep an internal breach log even for incidents you decide are not notifiable.

Realistic cost. €3–10k for a one-off consultancy engagement to set this up properly, plus 4–8 hours/month of internal effort to maintain. Fines for non-compliance start in the tens of thousands and go up sharply with company size.

ISO 27001: when European enterprise customers ask for it

ISO 27001 establishes an Information Security Management System (ISMS) — a documented, audited approach to identifying risks and applying controls. The mandatory requirements live in clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement). The current version (ISO 27001:2022) also lists 93 reference controls in Annex A, organised into four themes: organisational, people, physical, and technological. You select from Annex A based on your risk assessment and justify each inclusion or exclusion in a Statement of Applicability; the auditor checks that document against what you actually run.

You should pursue ISO 27001 when:

  • You sell B2B in Europe and prospects ask "are you ISO certified?" (this is increasingly table stakes for enterprise procurement)
  • You handle sensitive personal data at scale (healthcare, fintech, education)
  • You need a structured way to manage security across multiple teams/locations and want an external auditor to keep you honest

Realistic cost and timeline. First-time certification typically runs €25–80k all-in for a 50-person company, including:

  • 3–6 months of preparation (gap assessment, policy authoring, risk register, control implementation)
  • Stage 1 audit (documentation review)
  • Stage 2 audit (operational review) by an accredited certification body
  • Annual surveillance audits + a full recertification every 3 years

A good consultancy can compress preparation to ~12 weeks. Don't try to DIY it the first time — the document trail alone is a part-time job for three months.

SOC 2: when you sell SaaS into US enterprises

SOC 2 reports are organised around five Trust Service Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Almost everyone scopes to Security + Confidentiality + maybe Availability.

Pursue SOC 2 when:

  • You sell SaaS into US enterprise customers — they will require a SOC 2 Type 2 report before they sign
  • You're raising venture funding and want to remove security from the due-diligence path

Realistic cost and timeline. Type 1 can be done in 2–3 months for €15–30k. Type 2 requires an observation window of 6–12 months and runs €30–60k all-in including auditor fees.

Tooling matters here. Platforms like Vanta, Drata, Secureframe, and Sprinto automate evidence collection (linking your AWS, Okta, GitHub, etc.) and can cut the prep work by 50–70%. They cost €8–25k/year on top of audit fees but are worth it for any company under ~200 employees.

Where they overlap (and where they don't)

About 60–70% of the controls overlap between ISO 27001, SOC 2, and a well-implemented GDPR programme. That means once you've done one properly, the second is faster.

Key non-overlapping bits to plan for:

  • GDPR is a continuous legal obligation. ISO and SOC 2 don't replace it — even with both certifications, you still need a RoPA, DPAs with vendors, and a Data Protection Officer where Article 37 requires one (core activities involving large-scale regular and systematic monitoring, or large-scale processing of special-category data).
  • ISO 27001 emphasises risk assessment and continual improvement (PDCA). SOC 2 emphasises evidence of controls operating over a period. The auditing styles are quite different.
  • SOC 2 is scoped criterion by criterion, and the output is an attestation report rather than a certificate: a Type 1 covers a single date, a Type 2 covers the observation window. ISO 27001 is a certification of the whole management system, with broader scope and a three-year certification cycle.

The order most companies should pursue

  1. GDPR / KVKK first, always. It's the law. Get the RoPA, privacy notice, DPAs, and breach plan in place.
  2. If you sell to European enterprises — pursue ISO 27001 next.
  3. If you sell SaaS to US enterprises — pursue SOC 2 Type 1, then upgrade to Type 2 after a 6-month window.
  4. If you sell into both markets — there are joint-audit programmes that get you ISO 27001 + SOC 2 in parallel; ask your auditor.

What you should not do

  • Don't download a privacy policy template and paste it on your site. Regulators look at actual practice vs. stated practice; mismatches cost more than no policy.
  • Don't start with ISO 27001 if no customer is asking for it. You'll spend a year and €50k on a piece of paper that doesn't close deals.
  • Don't do SOC 2 Type 2 before Type 1. Type 1 first forces you to fix gaps. Going straight to Type 2 means six months of observed failures.
  • Don't rely solely on your compliance platform. Vanta et al. are fantastic for evidence collection, but they don't replace security engineering judgement. A platform can give you a green dashboard with bad controls.

The bottom line

Pick the framework your customers demand, not the one that looks most impressive. GDPR underpins everything if you have any European presence — get that solid first. ISO 27001 and SOC 2 are commercial tools that close deals; don't pursue them without a deal motivating it.

If you'd like an honest assessment of which framework actually fits your situation — and roughly what it would cost — our team does this kind of gap analysis as a fixed-scope engagement. Often saves clients more than the engagement costs in avoided wrong turns.

Related Articles

Business Email Compromise: The Quiet Scam


Why most companies pay before anyone notices.

SPF, DKIM, DMARC Explained


Email authentication for people who don't want to read RFCs.

The Vulnerability Classes Defining 2026


What attackers are actually exploiting this year.
