AuditFront

Tech Due Diligence SEC-6: Security Certifications and Compliance Framework

This control is 1 of 40 in Tech Due Diligence. Get the full checklist as a free interactive assessment with a scored gap report.


What This Control Requires

The assessor evaluates existing security certifications (SOC 2, ISO 27001), compliance programme maturity, audit history, and the organisation's readiness to meet customer and regulatory security requirements.

In Plain Language

Enterprise customers increasingly demand a SOC 2 Type II report or ISO 27001 certification before they will sign a contract. Without one, your sales pipeline stalls at procurement. Beyond the commercial angle, an independent audit provides evidence that the controls you describe exist and operated as described, within the scope and period the report covers. It does not prove the whole programme is effective, which is why reviewers read the scope and the exceptions rather than just the certificate.

In a DD review, we look at which certifications and reports you hold, their scope (which systems and environments, and for SOC 2 which Trust Services Criteria), their recency and any exceptions or nonconformities the auditor recorded, the maturity of your compliance programme (policies, control monitoring, evidence collection), how well you handle customer security questionnaires, and what your roadmap looks like for additional certifications if your target market requires them. A report whose scope excludes the production systems your customers actually use carries little weight.

For B2B SaaS companies, missing SOC 2 or ISO 27001 is a tangible commercial risk. We evaluate not just your current certification status but also the realistic effort and timeline needed to achieve certification if you are not there yet.

How to Implement

Start by identifying which certifications your target market actually requires. A SOC 2 Type II report is the standard expectation for B2B SaaS companies selling to US enterprise customers (strictly, SOC 2 is an attestation report against the AICPA Trust Services Criteria rather than a certification, but procurement teams treat it as one). ISO 27001 is the international standard for an information security management system (ISMS) and is often required by European enterprises. Industry-specific schemes such as HITRUST (US healthcare) or PCI DSS (required when you store, process or transmit cardholder data) may also be needed depending on your vertical.

If you are not yet certified, build a realistic roadmap. A SOC 2 Type I report, which covers control design at a point in time, can typically be achieved in 3-6 months. Type II covers operating effectiveness over an observation period; it does not require a Type I first, but auditors generally expect at least 3 months of operation, and 6-12 months is recommended for a first report so that the evidence is representative. ISO 27001 certification usually takes 6-12 months from commitment to completion; the certificate then runs on a three-year cycle with annual surveillance audits, whereas SOC 2 reports are reissued annually.

Put a compliance programme in place that supports ongoing certification, not just initial achievement. You need a policy framework covering information security, access control, data protection, incident management, and business continuity. Map your controls to certification requirements (for ISO 27001, the Statement of Applicability; for SOC 2, the Trust Services Criteria in scope), set up continuous monitoring with evidence collection, run regular internal audits, and consider a GRC platform to manage it all.

Build an efficient process for handling customer security questionnaires. Maintain a library of pre-approved responses, designate a responsible team, and track turnaround times. A public trust centre or security page that proactively shares your security posture can reduce inbound questionnaire volume significantly.

Stay audit-ready year-round. Collect evidence of control operation continuously, not in a scramble before the auditor arrives. Automated evidence collection makes this sustainable and ensures your evidence is continuous rather than point-in-time.

Track audit findings rigorously. Maintain a finding register with remediation owners and defined timelines. Close findings promptly. Recurring findings across consecutive audits signal systemic problems that need root-cause resolution, and DD reviewers notice this pattern immediately.

Evidence Your Auditor Will Request

  • Current security certifications and audit reports (the full SOC 2 report including the system description, exceptions and the auditor's opinion; the ISO 27001 certificate with its scope statement and Statement of Applicability)
  • Compliance programme documentation (policies, controls, monitoring)
  • Customer security questionnaire response process and samples
  • Certification roadmap (if not yet certified)
  • Audit finding register and remediation tracking

Common Mistakes

  • No security certifications despite serving enterprise customers
  • Certification achieved but compliance programme not maintained between audits
  • Audit findings not remediated; same issues appear in consecutive audits
  • Customer security questionnaires take weeks to complete, delaying sales
  • Compliance treated as a checkbox exercise rather than genuine security improvement


Frequently Asked Questions

SOC 2 or ISO 27001: which should we pursue first?
It depends on where your customers are. If you are primarily selling to US enterprise, go with SOC 2 first. If your customer base is significantly European or international, ISO 27001 is the better starting point. Most companies end up pursuing both eventually; the control sets overlap heavily, so mapping each control to both frameworks from the start avoids collecting the same evidence twice. SOC 2 is generally faster and less expensive to achieve initially.
How much does security certification cost?
Costs vary widely with scope, auditor, and company size, so we are wary of quoting figures. Auditor fees are only part of it; the bigger cost is usually the internal effort to build and operate the controls, plus any tooling you adopt for evidence collection. From a due diligence perspective, the question is not the absolute number but whether the company knows what its compliance posture costs and why. The return comes from shorter sales cycles with enterprise customers and reduced overall risk.


Track Tech Due Diligence compliance in one place

AuditFront helps you manage every Tech Due Diligence control, collect evidence, and stay audit-ready. The full Tech Due Diligence checklist is included on the Free plan.
