Question 1

What is SOC 2?

Accepted Answer

SOC 2 is an audit report (not a certification) issued by a licensed CPA firm validating your security controls. It's widely adopted in North America, particularly within the SaaS industry, and helps build trust with enterprise customers by demonstrating your commitment to data security and privacy.

Question 2

How long does SOC 2 take?

Accepted Answer

SOC 2 Type 2 takes 4.5-6 months total from kickoff to final report. This includes 6-8 weeks for implementation and a minimum 3-month observation period (industry standard for first-time reports). Your time investment is approximately 15-20 hours total.

Question 3

How much does SOC 2 cost?

Accepted Answer

SOC 2 costs approximately EUR 10,000-15,000 all-in for Year 1, including the compliance platform, audit coordination with independent auditor partners, penetration testing, and security tools. This investment typically pays for itself with one enterprise deal worth EUR 50,000-200,000+ ARR.

Question 4

What is the difference between SOC 2 Type 1 and Type 2?

Accepted Answer

Type 1 is a point-in-time assessment that proves controls exist at a specific date, while Type 2 evaluates controls over an observation period (minimum 3 months for first-time reports) to validate they work consistently. Enterprise customers expect Type 2. Type 1 is rarely accepted as sufficient. We recommend going straight to Type 2.

Question 5

What are the SOC 2 Trust Services Criteria?

Accepted Answer

SOC 2 evaluates organizations against five Trust Services Criteria: Security (required), Availability (for SLAs), Privacy (for PII), Processing Integrity (for financial transactions), and Confidentiality (for trade secrets). Most SaaS companies need Security + Availability.

Question 6

Who needs SOC 2?

Accepted Answer

SaaS companies selling to enterprises, especially those with 500+ employees, typically need SOC 2. Start now if enterprise customers are requesting it, you're losing deals to compliant competitors, or security questionnaires consume 5+ hours per prospect.

Question 7

Can I speed up the SOC 2 timeline?

Accepted Answer

You can accelerate the implementation phase from 8 weeks to 6 weeks, but the minimum 3-month observation period for first-time Type 2 reports is industry standard and cannot be shortened. Plan to start 5 months before you need the report.

Question 8

Does SOC 2 eliminate security questionnaires?

Accepted Answer

No, you'll still receive security questionnaires, but your report proves your answers aren't just marketing claims. Expect a 50-70% reduction in effort, not 100% elimination. A third-party auditor has validated your security controls.

Question 9

Does my cloud provider's SOC 2 cover my company?

Accepted Answer

No. AWS, GCP, or Azure SOC 2 reports cover their infrastructure, not your application. You still need your own SOC 2 report that demonstrates your security controls on top of their infrastructure.

Question 10

How long is a SOC 2 report valid?

Accepted Answer

Technically forever, but practically 12 months. Customers expect an annual report, and after 12 months your report is considered stale. You'll need to renew annually to maintain credibility.

Question 11

Does SOC 2 require penetration testing?

Accepted Answer

Penetration testing is not strictly required by AICPA standards, but it's strongly recommended and expected by most enterprise customers. Security questionnaires typically ask for pen test results regardless of your SOC 2 status, making it a practical necessity.

Question 12

Is SOC 2 a certification?

Accepted Answer

No, SOC 2 is an attestation, not a certification. A CPA firm examines your controls and issues a report stating whether your controls meet the Trust Services Criteria. Unlike ISO 27001, there's no certificate to display.

Question 13

Can I do SOC 2 without a compliance platform?

Accepted Answer

Yes, but it adds 200+ hours of manual work for evidence collection, policy writing, and control tracking. A compliance platform automates evidence collection, provides policy templates, and streamlines the audit process significantly.

Question 14

What is ISO 27001?

Accepted Answer

ISO 27001 is an international certification for information security management systems (ISMS), issued by accredited certification bodies. Unlike SOC 2 (which is a report), ISO 27001 gives you an actual certificate you can display. It's recognized globally and often required for European and government contracts.

Question 15

How long does ISO 27001 certification take?

Accepted Answer

ISO 27001 takes 3-4 months, faster than SOC 2 because there's no mandatory observation period. This includes 4-6 weeks for implementation, 1 week for internal audit, and 2-3 weeks for Stage 1 and Stage 2 audits.

Question 16

How much does ISO 27001 cost?

Accepted Answer

Overall pricing depends on scope, company size, and technical setup. Bastion reduces implementation time and overall costs by combining a GRC platform, dedicated security engineer, built-in security tooling, and audit coordination.

Question 17

What is an ISMS?

Accepted Answer

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information. It includes people, processes, and technology, organized around risk management. ISO 27001 provides the framework for building and maintaining an ISMS.

Question 18

What is the difference between ISO 27001 and SOC 2?

Accepted Answer

ISO 27001 is designed for any organization and focuses on processes and documentation, while SOC 2 is designed for SaaS and cloud services with emphasis on technical controls. ISO 27001 produces a 3-year certificate; SOC 2 produces an annual audit report.

Question 19

When should I choose ISO 27001 over SOC 2?

Accepted Answer

Choose ISO 27001 when you have public sector clients (government often requires it), French/EU enterprises where ISO has marketing value, highly regulated industries like banks or insurance, or HDS requirements. SOC 2 is generally better for SaaS companies with tech-savvy buyers.

Question 20

Who needs ISO 27001?

Accepted Answer

Organizations with international customers, European or Asian B2B clients, government contracts, or highly regulated industries typically need ISO 27001. French enterprises particularly value ISO 27001 for marketing and procurement requirements.

Question 21

How long is ISO 27001 certification valid?

Accepted Answer

ISO 27001 follows a 3-year cycle: Initial certification in Year 1, surveillance audits in Years 2-3, and full recertification in Year 4. Years 2-3 are lighter (3-5 hours vs 15 hours initial effort).

Question 22

Does ISO 27001 require penetration testing?

Accepted Answer

Control A.8.8 (Technical Vulnerability Management) requires identifying and addressing technical vulnerabilities, which can be satisfied through penetration testing or vulnerability scanning. Most auditors and customers expect pen testing for comprehensive assurance, making it a practical requirement.

Question 23

What are the ISO 27001 Annex A controls?

Accepted Answer

Annex A contains 93 controls across 4 domains: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). You select applicable controls based on your risk assessment.

Question 24

What happens if I drop ISO 27001 certification?

Accepted Answer

Unlike SOC 2 reports which simply expire, ISO certifications are tracked in public registries. If you drop ISO, it appears as 'lost certification' and clients can see you dropped it. Only start ISO 27001 if you're committed to maintaining it long-term.

Question 25

Can startups get ISO 27001 certified?

Accepted Answer

Yes, startups often achieve certification faster than larger companies due to less legacy infrastructure and simpler processes. Companies with 5-10 employees regularly achieve ISO 27001 certification.

Question 26

What is GDPR?

Accepted Answer

GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law effective since May 25, 2018. It governs how organizations process personal data of EU residents, regardless of where the company is located. Maximum fines are EUR 20 million or 4% of global annual revenue.

Question 27

Does GDPR apply outside Europe?

Accepted Answer

Yes, if you collect data from EU residents (even through a website), GDPR applies regardless of your company location. GDPR has extraterritorial scope, meaning it's based on whose data you process, not where your company is headquartered.

Question 28

What is personal data under GDPR?

Accepted Answer

Personal data is any information that can identify a living individual, directly or indirectly. This includes names, email addresses, IP addresses, cookie IDs, location data, financial data, behavioral data, and biometric data. Even pseudonymized data qualifies if it can be traced back to an individual.

Question 29

What is the difference between a data controller and processor?

Accepted Answer

A Data Controller determines why and how data is processed (that's you if you collect customer data). A Data Processor processes data on behalf of a controller (like your CRM provider). Controllers are responsible for compliance; processors must follow controller instructions and have a Data Processing Agreement.

Question 30

What are the data subject rights under GDPR?

Accepted Answer

GDPR grants 8 rights: Right to be Informed, Right of Access (DSAR), Right to Rectification, Right to Erasure ('right to be forgotten'), Right to Restrict Processing, Right to Data Portability, Right to Object, and Rights Related to Automated Decision-Making.

Question 31

How long do I have to respond to a data subject request?

Accepted Answer

You must respond within one month for standard requests (Article 12). Complex requests can be extended by two additional months (up to three months total), but you must notify the requester within the first month. The first request must be free; you can charge for excessive or repetitive requests.

Question 32

Is consent always required under GDPR?

Accepted Answer

No, consent is one of six legal bases for processing data. Others include contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests or contractual necessity may be more appropriate than consent for many B2B uses.

Question 33

What are the GDPR fines?

Accepted Answer

Maximum penalties are EUR 20 million or 4% of global annual revenue, whichever is higher. Beyond fines, GDPR non-compliance affects customer trust, investor expectations, and enterprise sales opportunities.

Question 34

Do I need a Data Protection Officer (DPO)?

Accepted Answer

A DPO is required under Article 37 for public authorities, organizations whose core activities involve large-scale regular monitoring of individuals, or those whose core activities involve large-scale processing of special categories of data. Most B2B SaaS companies don't legally require a DPO but may appoint one voluntarily.

Question 35

What is a Data Processing Agreement (DPA)?

Accepted Answer

A DPA is a legally binding contract between a data controller and processor. It defines data processing purposes, security measures, subprocessor rules, and audit rights. GDPR Article 28 requires DPAs whenever you share personal data with processors.

Question 36

What is Cyber Essentials?

Accepted Answer

Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organizations protect against common cyber threats. It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management.

Question 37

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Accepted Answer

Cyber Essentials is a self-assessment questionnaire verified by an assessor. Cyber Essentials Plus includes everything from the basic certification plus hands-on technical testing by a qualified assessor who verifies your controls are working correctly.

Question 38

How long does Cyber Essentials certification take?

Accepted Answer

Cyber Essentials basic can be completed in 1-2 weeks if your security controls are already in place. Cyber Essentials Plus takes 2-4 weeks and includes scheduling the technical assessment. If remediation is needed, add 2-4 weeks.

Question 39

How much does Cyber Essentials cost?

Accepted Answer

Cyber Essentials basic certification fees are tiered by organization size, starting from around GBP 350 for micro organizations. Cyber Essentials Plus costs GBP 1,500-3,000+ depending on your organization's size and the scope of the technical assessment, plus any remediation work.

Question 40

Who needs Cyber Essentials?

Accepted Answer

Cyber Essentials is required for UK government contracts involving handling sensitive or personal information. It's also valuable for any organization wanting to demonstrate basic cybersecurity hygiene to customers, particularly in the UK market.

Question 41

What are the five technical controls in Cyber Essentials?

Accepted Answer

The five controls are: 1) Firewalls, 2) Secure configuration, 3) User access control, 4) Malware protection, and 5) Security update management. According to NCSC, implementing these controls helps protect against the majority of common cyber attacks.

Question 42

How long is Cyber Essentials certification valid?

Accepted Answer

Cyber Essentials certification is valid for 12 months from the date of issue. You must recertify annually to maintain your certification status and continue bidding on government contracts that require it.

Question 43

Can non-UK companies get Cyber Essentials?

Accepted Answer

Yes, any organization can get Cyber Essentials certified regardless of location. This is useful for companies outside the UK that want to demonstrate security standards to UK customers or bid on UK government contracts.

Question 44

What is ISO 42001?

Accepted Answer

ISO 42001 is the world's first international standard for AI Management Systems (AIMS). It provides a framework for organizations to responsibly develop, provide, or use AI systems while managing associated risks and demonstrating trustworthy AI practices.

Question 45

Who needs ISO 42001 certification?

Accepted Answer

Organizations that develop, deploy, or use AI systems should consider ISO 42001. This includes AI providers, companies integrating AI into products, and enterprises using AI for decision-making. It's particularly relevant for high-risk AI applications.

Question 46

What is the relationship between ISO 42001 and the EU AI Act?

Accepted Answer

ISO 42001 provides a management system framework that helps organizations comply with the EU AI Act requirements. While not a direct compliance pathway, implementing ISO 42001 demonstrates systematic AI governance and supports regulatory alignment.

Question 47

What is an AI Management System (AIMS)?

Accepted Answer

An AIMS is a set of interrelated elements (policies, procedures, processes, resources) that organizations use to achieve AI-related objectives. It covers the full AI lifecycle from design and development through deployment and monitoring.

Question 48

How long does ISO 42001 certification take?

Accepted Answer

ISO 42001 certification typically takes 4-8 months depending on organizational readiness and existing management systems. Organizations with ISO 27001 already in place can leverage overlapping controls to accelerate implementation.

Question 49

What is the difference between AI providers and AI deployers?

Accepted Answer

AI providers develop and supply AI systems (like OpenAI or Google). AI deployers are organizations that use AI systems in their products or operations (like a company using ChatGPT for customer service). Both have different responsibilities under ISO 42001.

Question 50

Can ISO 42001 be integrated with ISO 27001?

Accepted Answer

Yes, ISO 42001 uses the same high-level structure (Harmonized Structure) as ISO 27001, making integration straightforward. Organizations can implement an integrated management system covering both information security and AI governance.

Question 51

What do ISO 42001 Annex A and Annex B cover?

Accepted Answer

Annex A contains AI-specific controls organized across domains including AI system impact assessment, data management, and AI system lifecycle. Annex B provides guidance on AI-specific risk sources and impacts, helping organizations identify and evaluate risks associated with their AI systems.

Question 52

What is NIS 2?

Accepted Answer

NIS 2 (Network and Information Security Directive 2) is an EU directive establishing cybersecurity requirements for essential and important entities across critical sectors. It expands the original NIS Directive's scope and strengthens security obligations.

Question 53

Who must comply with NIS 2?

Accepted Answer

NIS 2 applies to medium and large organizations (50+ employees or EUR 10M+ revenue) in 18 sectors including energy, transport, banking, health, digital infrastructure, and ICT service management. Member states may also include smaller critical entities.

Question 54

What is the difference between essential and important entities?

Accepted Answer

Essential entities are in highly critical sectors (energy, transport, banking, health, water, digital infrastructure, space) and face stricter supervision. Important entities are in other critical sectors and have more reactive oversight based on evidence of non-compliance.

Question 55

What are the NIS 2 penalties?

Accepted Answer

Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of turnover. Management can face personal liability, though specific provisions vary by member state implementation.

Question 56

When does NIS 2 come into force?

Accepted Answer

NIS 2 entered into force on January 16, 2023, and EU member states had until October 17, 2024 to transpose it into national law. Organizations in scope should already be implementing required measures.

Question 57

How does NIS 2 relate to ISO 27001?

Accepted Answer

ISO 27001 certification helps demonstrate NIS 2 compliance but doesn't guarantee it automatically. NIS 2 has specific requirements for incident reporting and supply chain security that may go beyond standard ISO 27001 scope.

Question 58

What are the NIS 2 incident reporting requirements?

Accepted Answer

NIS 2 requires early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month. For incidents affecting service provision, immediate notification may be required.

Question 59

Does NIS 2 apply to non-EU companies?

Accepted Answer

NIS 2 applies to non-EU companies if they provide services within the EU in covered sectors. Non-EU entities meeting the criteria must designate an EU representative in one of the member states where they offer services.

Question 60

What is PCI DSS?

Accepted Answer

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organizations that handle credit card data. It's mandated by card brands (Visa, Mastercard, etc.) to protect cardholder data and reduce fraud.

Question 61

Who needs PCI DSS compliance?

Accepted Answer

Any organization that stores, processes, or transmits credit card data needs PCI DSS compliance. This includes merchants, payment processors, banks, and service providers. Even if you use a payment processor, you may still have PCI DSS obligations.

Question 62

What are the PCI DSS compliance levels?

Accepted Answer

PCI DSS has four merchant levels based on annual transaction volume: Level 1 (6M+ transactions), Level 2 (1-6M), Level 3 (20K-1M e-commerce), and Level 4 (under 20K e-commerce or under 1M total). Higher levels require more rigorous assessments.

Question 63

What is the difference between SAQ and ROC?

Accepted Answer

A Self-Assessment Questionnaire (SAQ) is a self-evaluation for smaller merchants (typically Levels 2-4). A Report on Compliance (ROC) is required for Level 1 merchants and service providers, requiring assessment by a Qualified Security Assessor (QSA).

Question 64

How much does PCI DSS compliance cost?

Accepted Answer

Costs vary by compliance level: SAQ-based compliance for small merchants can cost EUR 1,000-10,000 annually. Level 1 ROC assessments cost EUR 30,000-100,000+ depending on complexity. Ongoing security controls add additional costs.

Bastion Platform

AI Compliance

All-in-One Security

Security Engineers

Tackle more frameworks without more effort.

Wall of Trust

Case Studies

By Company Size

By Industry

Blog

Learn Compliance

Developer

Company

Frequently Asked Questions

Want to dive deeper?

SOC 2

ISO 27001

GDPR

Cyber Essentials

ISO 42001

NIS 2

Other platforms check the box

We secure the box