Tech Due Diligence SEC-6: Security Certifications and Compliance Framework
What This Control Requires
The assessor evaluates existing security certifications (SOC 2, ISO 27001), compliance programme maturity, audit history, and the organisation's readiness to meet customer and regulatory security requirements.
In Plain Language
Enterprise customers increasingly demand SOC 2 or ISO 27001 certification before they will sign a contract. Without these, your sales pipeline stalls at procurement. Beyond the commercial angle, certifications provide independent validation that your security programme actually works.
In a DD review, we look at which certifications you hold, their scope and recency, the maturity of your compliance programme (policies, control monitoring, evidence collection), how well you handle customer security questionnaires, and what your roadmap looks like for additional certifications if your target market requires them.
For B2B SaaS companies, missing SOC 2 or ISO 27001 is a tangible commercial risk. We evaluate not just your current certification status but also the realistic effort and timeline needed to achieve certification if you are not there yet.
How to Implement
Start by identifying which certifications your target market actually requires. SOC 2 Type II is the standard expectation for B2B SaaS companies selling to US enterprise customers. ISO 27001 is the international equivalent and is often required by European enterprises. Industry-specific certifications like HITRUST (healthcare) or PCI DSS (payment processing) may also be needed depending on your vertical.
If you are not yet certified, build a realistic roadmap. SOC 2 Type I can typically be achieved in 3-6 months. Type II requires an observation period of at least 3 months after Type I (6-12 months is recommended). ISO 27001 certification usually takes 6-12 months from commitment to completion.
Put a compliance programme in place that supports ongoing certification, not just initial achievement. You need a policy framework covering information security, access control, data protection, incident management, and business continuity. Map your controls to certification requirements, set up continuous monitoring with evidence collection, run regular internal audits, and consider a GRC platform to manage it all.
Build an efficient process for handling customer security questionnaires. Maintain a library of pre-approved responses, designate a responsible team, and track turnaround times. A public trust centre or security page that proactively shares your security posture can reduce inbound questionnaire volume significantly.
Stay audit-ready year-round. Collect evidence of control operation continuously, not in a scramble before the auditor arrives. Automated evidence collection makes this sustainable and ensures your evidence is continuous rather than point-in-time.
Track audit findings rigorously. Maintain a finding register with remediation owners and defined timelines. Close findings promptly. Recurring findings across consecutive audits signal systemic problems that need root-cause resolution, and DD reviewers notice this pattern immediately.
Evidence Your Auditor Will Request
- Current security certifications and audit reports
- Compliance programme documentation (policies, controls, monitoring)
- Customer security questionnaire response process and samples
- Certification roadmap (if not yet certified)
- Audit finding register and remediation tracking
Common Mistakes
- No security certifications despite serving enterprise customers
- Certification achieved but compliance programme not maintained between audits
- Audit findings not remediated; same issues appear in consecutive audits
- Customer security questionnaires take weeks to complete, delaying sales
- Compliance treated as a checkbox exercise rather than genuine security improvement
Frequently Asked Questions
SOC 2 or ISO 27001: which should we pursue first?
How much does security certification cost?