December 11, 2023

How CrowdComms and Henchman use ISO 27001 and SOC 2 together

Written by
Herman Errico


If you’re a growing startup, chances are you’ll need to demonstrate trust to your customers. To confirm that you have strong data protection measures in place and a robust security posture, they’ll often ask to review either your ISO 27001 certification or your SOC 2 report. For a while you may get by with filling out their lengthy security questionnaires, but eventually you’ll need to obtain your ISO 27001 certification or SOC 2 report, depending on your product, industry, and region.

This is where you may be asking yourself a few questions: Where do I start? Do I need one of these frameworks or both?

I recently spoke to two Vanta customers — Donna Fielding, Information Security Manager from CrowdComms and Louis Opsomer, Head of Finance and Operations at Henchman — to understand their process of attaining these two frameworks and to see how they use ISO 27001 and SOC 2 together.

ISO 27001 vs. SOC 2

Established jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO 27001 helps organizations protect their information through the adoption of an information security management system (ISMS). It helps businesses organize their people, processes, and technology, and it was designed to ensure the confidentiality, integrity, and availability of information. Following an audit, your organization receives a certification that attests to your security.

The SOC 2 standard was created by the American Institute of CPAs (AICPA) and provides a framework for ensuring companies securely manage customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Following an audit, an organization will get a SOC 2 report which assures your customers, prospects, and business partners that services are reliable and trustworthy. SOC 2 is most common in North America.

[Image: Differences between SOC 2 and ISO 27001]

How Henchman and CrowdComms use ISO 27001 and SOC 2

Henchman is an AI-powered legal contract drafting company based in Belgium. The company’s initial sales were in Belgium and quickly expanded across Europe. Since ISO 27001 is commonplace in Europe, Henchman got its ISO 27001 certification first, during its expansion in this region.

Eventually the product evolved and Henchman was ready to take on the US market. Louis knew that expansion into the US would require the business to obtain a SOC 2 report. “We’d already laid the foundation of our information security framework with ISO 27001 and that helped us speed up the process of getting a SOC 2 report,” Louis says. 

CrowdComms is an end-to-end event tech company based in the UK with a similar journey. Given the company’s base in the UK, CrowdComms’ initial customers were looking for ISO 27001 compliance. As the business expanded into the US, many of the supplier contracts the team received stated that they would need to obtain and maintain a SOC 2 in order to be onboarded as a vendor. “Our clients wanted us to have a robust security platform,” Donna says. “To do this, and to show our clients that we were taking security seriously, we decided to look into getting a SOC 2.”

CrowdComms first got its SOC 2 Type 1 to show evidence of the necessary controls and eventually got a SOC 2 Type 2 report. “We saw this as a way of speeding up the onboarding sales process too and helping our team get through security questionnaires from our suppliers,” Donna says. “Having that SOC 2 just opened those doors to us that we never had before.”

Why ISO 27001 and SOC 2 are better together

While these two frameworks have their differences, they also have a lot in common. 

Both guide you toward implementing crucial best practices for your information security so your data (and your customers’ data) stays safe. The protocols for both ISO 27001 and SOC 2 are designed to help you document your security controls and practices. Both require you to undergo an external audit. And several of the security controls listed in these frameworks overlap. If you’re pursuing both an ISO 27001 and a SOC 2 at the same time and your audit windows align, it’s possible to work with the same auditor.

“These two standards elevate each other,” Louis says. Since ISO 27001 is framework-focused and SOC 2 is about ensuring the processes and standards your business builds are being adhered to, these frameworks can complement each other well. “On one hand you’re developing a good framework that serves as a basis with ISO 27001, while SOC 2 is keeping you accountable for what you actually built.” 

Donna agrees, “There is very much an overlap between the two standards, especially some of the processes and policies that they both have in place.” Donna says that in her experience, it’s been easier to implement SOC 2 after obtaining ISO 27001 compliance given the foundational approach of ISO 27001. 

Accelerated compliance with Vanta

Since these two standards have several overlapping requirements and controls, you can easily get compliant in both, especially with the help of a compliance automation tool like Vanta. Louis says that Vanta made it easy for the team to replicate the controls they already had in place for ISO 27001 that could be used for SOC 2. “It actually allows you to make speed on that second standard.”

Donna says Vanta helped CrowdComms easily provide evidence for its SOC 2 audit using the same evidence the team used for ISO 27001. “I wasn’t having to duplicate work. I could use the same things when I used the Vanta tool,” Donna says. During her SOC 2 process, she was able to get all the information, upload it to Vanta, and provide evidence quickly and easily.

By repurposing the controls and evidence across both frameworks, you can also save your business time and money. “Having Vanta saved me time and allowed me to get to the basics of what an ISO framework meant through Vanta,” Louis says. “It saved me a bunch of time. The combination of doing the work and the audit in Vanta speeds up the process and allows me to spend time on other things.”

The reality is that you’ll likely need both SOC 2 and ISO 27001 once your business reaches product maturity. If you’re not there yet, you’ll need to decide which one is a bigger priority depending on the needs of your clients — some organizations want you to have both standards as they cover different aspects of your security posture — and get the other further down the road. 

At Vanta, we advise our customers to understand their industry and their client and product needs before deciding which frameworks to move forward with. Our team is always available to have that detailed discussion.

To hear more from our customers about how ISO 27001 and SOC 2 can work together, watch the webinar recording. If you’re ready to start automating your compliance, request a demo.
