What Comes After SOC 2? ISO 27001 vs. ISO 42001 (and How to Choose)
Finished SOC 2? Here's how to decide which framework to pursue next between ISO 27001 and ISO 42001.

SOC 2 is the most common starting point for a company's security and compliance program. But for a fast-growing company, it rarely ends there.
Sooner or later, you’ll expand outside of North America and a customer will ask about ISO 27001, or your AI roadmap will pull ISO 42001 into scope. And the first question we usually hear is: how much of our SOC 2 work will carry over?
SOC 2 gives you a good start on ISO 27001, where roughly 80% of the controls carry over, whereas ISO 42001 requires starting from an almost blank slate, because it covers your AI governance while SOC 2 governs your security.
In this guide, we’ll share everything you need to know about whether to pursue ISO 27001 or ISO 42001 after you’ve completed your SOC 2 attestation.
What Does Each Framework Govern, and What Carries Over From SOC 2?
Here’s a breakdown of what each framework governs, what carries over, and when to pursue it:
ISO 27001: For Selling Outside North America
If you plan to start selling outside of North America, ISO 27001 makes sense as it's the recognized standard and SOC 2 carries less weight overseas.
The move from SOC 2 to ISO 27001 is mostly familiar work. ISO 27001's Annex A has 93 controls, and most are safeguards already covered by SOC 2, just under different labels. Things like access reviews, encryption policy, and incident response map straight across.
Where the SOC 2 and ISO 27001 frameworks differ significantly is the management system ISO 27001 wraps around those controls.
A SOC 2 report is an attestation of how your controls are designed (Type I) and how they operate over a period of time (Type II). ISO 27001, by contrast, also focuses on the system behind those controls, covering how they’re chosen, maintained, reviewed, and improved through an ISMS (Information Security Management System).
So if you're adding ISO 27001 to your existing SOC 2, you'll need to add roughly 15 to 20 net-new Annex A controls, plus the ISMS built around them.
You can usually keep your auditor too. Most SOC 2 (CPA) firms are also accredited to certify ISO 27001, so it is often the same relationship rather than a new search.
ISO 42001: For Building With AI
If you're building with AI and want to show strong AI governance to enterprise buyers, ISO 42001 could make sense.
But SOC 2 doesn't really give you a head start here. ISO 42001 covers areas like AI system impact assessments, data provenance, AI lifecycle documentation, and responsible-use processes, which aren't part of SOC 2.
The structural work you've done to achieve SOC 2 can still help, though. The habits and experience you gained collecting evidence and writing policies for SOC 2 build internal muscle memory you can apply to any framework. With ISO 42001, you’re adding AI-specific policies to a process you already know how to operate rather than building it from scratch. If you have ISO 27001 too, more transfers, since ISO 42001 reuses the same management-system backbone.
The timing argument is the one I'd weigh heavily here too. AI governance right now looks a lot like SOC 2 did five or six years ago. The companies that moved early used it to win deals. The ones that waited did it reactively, once it had become table stakes and stopped working as a differentiator. AI governance is heading the same way, only faster.
How Do You Choose Your Next Framework After SOC 2?
There's no one-size-fits-all answer to which framework you should pursue after SOC 2. The right direction generally depends on where your business is now and where you want to take it next.
If you're an AI-native organization selling to mid-market and enterprise customers, more and more AI questions will start coming in during security reviews and procurement. ISO 42001 is a great way to get ahead of those questions and show third-party proof you govern AI responsibly.
If your plans lean more toward international expansion, ISO 27001 makes sense because outside of North America, ISO 27001 can open doors that SOC 2 may not. And if you want to tackle ISO 27001 alongside ISO 42001, some auditors are now combining the audits, meaning you can gain efficiency by turning two projects into one.
As a general rule of thumb, we see companies fall into one of three buckets when it comes to what follows SOC 2:
- Building AI into your product and selling to mid-market or enterprise: Pursue ISO 42001. AI governance is already starting to come up in security reviews and procurement, and ISO 42001 offers third-party attestation to your AI practices.
- Expanding outside North America: ISO 27001 can open doors overseas that SOC 2 doesn't, and roughly 80% of your existing controls carry across.
- Neither yet, meaning North America–focused with no AI in the product: Stay on SOC 2. You don't always have to be chasing the next framework, and it's perfectly fine to continue to focus on SOC 2 and improving your security posture without pursuing something new.
The workload required for both frameworks differs as much as the reasons why you'd pursue one over the other. SOC 2 and ISO 27001 cover a lot of the same controls, so ISO 27001 only requires 15-20 new controls and the implementation of the ISMS built around the controls. ISO 42001 checks something different (AI governance), so it is closer to net-new work.
At Workstreet, we help fast-growing businesses build security programs that fit where you are now and where you're going. If you have SOC 2 in place, we can help you pick the best next move, whether it's ISO 27001, ISO 42001, or something else entirely.
If you're planning your next steps, book a call with our team here, or hit reply and I can help you figure out which framework makes sense next and the order to tackle them in.

