ComplianceOps
Frameworks

The frameworks your buyers actually ask about.

Five standards. One operating model behind all of them.

Framework FAQ

What is SOC 2?
SOC 2 is an audit report defined by the American Institute of Certified Public Accountants (AICPA). It demonstrates that a service organization has controls in place that address the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Most US enterprise buyers ask for it before signing.
What is the difference between SOC 2 Type I and Type II?
Type I tests whether controls are designed appropriately at a single point in time. Type II tests whether those controls operated effectively over a period, typically 3 to 12 months. Most enterprise buyers eventually require Type II.
What is ISO 27001?
ISO/IEC 27001 is the international standard for an information security management system (ISMS). Certification is issued by accredited bodies after a Stage 1 (documentation) and Stage 2 (implementation) audit, followed by surveillance audits each year and full recertification every three years.
What is ISO 42001?
ISO/IEC 42001 is the first international standard for an artificial intelligence management system (AIMS). Published in 2023, it specifies how to develop, deploy, and govern AI responsibly across an organization. It is increasingly requested by enterprise buyers and regulators evaluating AI vendors.
What is NIST CSF 2.0?
The NIST Cybersecurity Framework 2.0 is a voluntary, outcome-based framework published by the US National Institute of Standards and Technology. The 2.0 update added Govern as a sixth top-level function alongside Identify, Protect, Detect, Respond, and Recover. It is not a certification — it is a maturity model.
What is the NIST AI Risk Management Framework?
NIST AI RMF is a voluntary framework for managing risks across the AI lifecycle: Govern, Map, Measure, and Manage. It is the practical baseline US enterprise buyers and US regulators most often reference when asking about AI risk practices. It is not a certification.
Should we get SOC 2 or ISO 27001 first?
It depends on where your deals are. If most of your enterprise pipeline is US-based, start with SOC 2. If you sell into Europe or APAC, ISO 27001 will move more deals. Many companies eventually carry both — the operating model behind them is largely shared, so the second is meaningfully cheaper than the first.

Which framework fits your buyers?

Tell us who is asking and what they need to see. We will sketch the sequence.

Talk to us