
Cybersecurity Sales Compliance: SOC 2, ISO 27001, FedRAMP

Cybersecurity sales compliance: how SOC 2, ISO 27001, FedRAMP, and HITRUST gate enterprise deals.

May 29, 2026 · 13 min read · By Siddharth Gangal

Direct answer. Cybersecurity sales compliance is the practice of using recognized security certifications and attestations (SOC 2 Type II, ISO 27001, FedRAMP, and HITRUST CSF) as gating evidence that lets a buyer's security and procurement teams approve a vendor. SOC 2 Type II is table stakes for North American SaaS buyers. ISO 27001 is required by most EU and UK enterprises. FedRAMP is mandatory for US federal cloud sales. HITRUST is the high bar in large healthcare. Reps who know which framework the buyer requires before the first call shorten cycles by 30 to 50%.

Why compliance gates cybersecurity deals

Every enterprise cybersecurity purchase passes through a security review. The review is not a discovery exercise; it is a gate. The buyer's security and procurement teams use it to decide whether a vendor is permitted to handle the buyer's data, integrate with the buyer's stack, or appear on the approved vendor list. The criteria that pass or fail a vendor at that gate are almost always anchored to recognized compliance frameworks.

The four frameworks that govern almost all cybersecurity vendor purchases in 2026 are SOC 2 Type II, ISO 27001, FedRAMP, and HITRUST CSF. Each was designed for a specific buyer segment. Each has a different cost, timeline, and evidence package. Reps who treat all four as interchangeable lose deals to vendors who lead with the right one. This guide is the spoke companion to the broader pillar on cybersecurity sales — it focuses narrowly on which framework a buyer requires, what each one covers, and how to provide evidence without over-sharing.

The cost of being wrong is measurable. According to the IBM Cost of a Data Breach Report 2024, the global average breach cost reached $4.88 million, and organizations operating under regulatory non-compliance saw an additional $238,000 in breach costs on average. Buyers translate those numbers directly into vendor selection criteria. A vendor without the right certification at the right buyer is not just disadvantaged; it is usually disqualified before the technical evaluation begins.

Gartner research on third-party risk management notes that 60% of organizations now work with more than 1,000 third parties, and security questionnaires have become the primary throughput bottleneck in procurement. Reps who arrive at the discovery call with the right framework already in hand cut weeks from the review. Reps who arrive with the wrong framework restart the evaluation from zero. For the broader cycle context where these gates fit, see the related cybersecurity sales cycle guide.

The four frameworks at a glance

SOC 2 Type II
  What it covers: the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  Who requires it: North American SaaS, fintech, and B2B software buyers
  Cost: $20K–$60K
  Timeline: 6–12 month observation period plus a 4–8 week audit

ISO 27001
  What it covers: an Information Security Management System (ISMS) with the 93 Annex A controls of the 2022 edition
  Who requires it: EU and UK enterprises, global multinationals, government suppliers
  Cost: $30K–$100K
  Timeline: 6–9 months to certification; certificate valid 3 years with annual surveillance audits

FedRAMP
  What it covers: NIST SP 800-53 control baselines at Low, Moderate, or High impact level
  Who requires it: US federal agencies, and contractors handling federal data in cloud services
  Cost: $500K–$2M
  Timeline: 18–24 months through a sponsoring agency (the separate Joint Authorization Board path was retired in 2024)

HITRUST CSF
  What it covers: HIPAA, NIST, ISO 27001, PCI DSS, and GDPR requirements harmonized into one certifiable framework
  Who requires it: large hospital systems, insurers, PBMs, healthcare data processors
  Cost: $40K–$120K
  Timeline: 9–14 months to an r2 Validated Assessment; valid 2 years with an interim assessment in year one

Sources: AICPA SOC 2 audit benchmarks; ISO/IEC official certification cost data; FedRAMP PMO published timelines; HITRUST Alliance assessment data, 2025–2026.

Tip: start with the buyer's trust page.

Before the first discovery call, search for the buyer's public trust or procurement page. Many enterprise buyers publish the certifications they require from vendors. Reading that page once can save weeks of misaligned evidence requests.

SOC 2 Type II: the table-stakes baseline

SOC 2 is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA). It is the most widely requested security certification in North American B2B SaaS sales. Almost every mid-market and enterprise security questionnaire originating from a US or Canadian buyer asks for a SOC 2 Type II report inside the first ten questions.

SOC 2 covers five Trust Services Criteria: Security (the only mandatory one, also called the Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. A vendor selects which criteria are in scope, and the report states that scope on its first pages, so a buyer can tell immediately whether, say, Availability was ever examined. Most B2B SaaS vendors include Security plus Availability and Confidentiality. Vendors handling personal data add Privacy. Vendors with transactional workloads add Processing Integrity.

Type I versus Type II

SOC 2 Type I attests that controls are suitably designed at a point in time. Type II attests that those controls operated effectively across an observation window, typically 6 to 12 months, although auditors commonly accept a 3-month window for a vendor's first Type II report. Enterprise buyers almost never accept Type I as the final artifact. Type I is acceptable as an interim signal during the first audit window and is sometimes used to keep deals moving while the Type II observation period runs.

Cost and timeline

A full SOC 2 Type II audit cycle costs $20,000 to $60,000 including readiness assessment, evidence collection tooling, and the auditor fee. The largest cost driver is the time of internal engineering and security staff during evidence collection. Most vendors complete their first Type I in 3 to 4 months, then run a 6 month Type II observation window followed by a 4 to 8 week audit. A repeating annual Type II audit is the steady state.

Warning: do not confuse SOC 2 with SOC 1 or SOC 3.

SOC 1 covers controls relevant to a customer's financial reporting and is not what a security reviewer is asking for. SOC 3 is a general-use summary with the control matrix and test results stripped out; it does not satisfy enterprise security teams. Sending the wrong report is a fast credibility loss. Confirm the buyer asked for SOC 2 Type II, not SOC 1 and not SOC 3.

Verticals where SOC 2 Type II is non-negotiable: B2B SaaS, payments, fintech (alongside additional PCI requirements), HR tech, sales tech, and developer infrastructure. For fintech-specific compliance gates beyond SOC 2, see the fintech sales guide.

ISO 27001: EU and global enterprise

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS), published jointly by the International Organization for Standardization and the International Electrotechnical Commission. The current version is ISO/IEC 27001:2022, which restructured Annex A into 93 controls across four themes: Organizational, People, Physical, and Technological. Certificates issued against the 2013 edition had to transition to 2022 by October 31, 2025, so a 2013-edition certificate presented to a buyer in 2026 is itself a red flag. The standard is documented in full on the official ISO page.

ISO 27001 differs from SOC 2 in one important way: it is a certification, not an attestation. An accredited certification body issues a certificate that is valid for three years, with required surveillance audits in years one and two and a recertification audit in year three. The framework is required by most EU and UK enterprise procurement teams, and is increasingly requested by APAC and LATAM buyers as the de facto international baseline.

What an ISO 27001 audit covers

The audit assesses two things: the ISMS itself (policies, scope, risk methodology, Statement of Applicability, internal audit program, management review) and the Annex A controls the vendor has declared applicable. A vendor does not have to implement all 93 controls, only the ones relevant to its declared scope and risk assessment, but every exclusion has to be justified. The Statement of Applicability documents which controls are in and out and why, and buyers who know the standard will ask for it alongside the certificate, because the certificate alone does not say what was actually in scope.

Cost and timeline

First certification typically costs $30,000 to $100,000 including gap assessment, consultant support, internal audit, and the accredited certification body fee. Timeline from kickoff to certificate is 6 to 9 months for mature security teams and 9 to 14 months for first-time security programs. The certificate is valid for three years; annual surveillance audits cost roughly 30 to 40% of the original audit.

Verticals where ISO 27001 is the default: EU enterprise software, UK government suppliers, global multinationals with European headquarters, and any vendor selling to public sector buyers in Germany, France, the Netherlands, or the Nordics. For enterprise sales motion guidance with European buyers, the enterprise AE guide covers the broader buyer dynamics.

FedRAMP: selling to US federal buyers

FedRAMP is the Federal Risk and Authorization Management Program, the standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by US federal agencies. It was established in 2011, and its program office sits in the General Services Administration. The Joint Authorization Board (the CIOs of the Department of Defense, Department of Homeland Security, and GSA) that historically governed it was replaced by a FedRAMP Board in 2024. The official program documentation is published at fedramp.gov.

FedRAMP authorization is mandatory for any cloud service offering used by a federal agency. There is no workaround. A vendor without FedRAMP cannot sell into federal procurement at any meaningful scale. The framework is built on the NIST SP 800-53 control catalog and its baselines; note that this is a different document from the NIST Cybersecurity Framework, which is a voluntary risk-management framework and is not what FedRAMP assesses against.

Impact levels

FedRAMP defines three impact levels based on the potential impact of a security breach to confidentiality, integrity, or availability. The control counts below are the Rev 5 baselines:

  • Low: 156 controls, suitable for public information and basic operations. Approximately 6 to 9 month authorization timeline.
  • Moderate: 323 controls, the most common level for SaaS vendors selling to federal civilian agencies. 12 to 18 month timeline.
  • High: 410 controls, required for sensitive law enforcement, financial, and health data at federal scale. 18 to 24+ month timeline.

Authorization paths

A vendor historically pursued FedRAMP authorization through one of two paths: a sponsor agency that wants to use the product (always the most common path), or a provisional authorization from the Joint Authorization Board for products with broad federal applicability. The JAB path was retired in 2024; new authorizations now go through a sponsoring agency, so check fedramp.gov for the current process before quoting a path to a buyer. Either way, an independent Third Party Assessment Organization (3PAO) performs the security assessment. The average end-to-end process runs 18 to 24 months and costs $500,000 to $2 million depending on impact level and vendor size.

Worked example: A Series B cybersecurity vendor

A Series B cybersecurity vendor with $14 million ARR pursued a $400,000 multi-year deal with a regional bank. The buyer's security questionnaire arrived in week three of the cycle. The questionnaire required SOC 2 Type II, an ISO 27001 certificate, and a SIG Lite response. The vendor had SOC 2 Type II but had not yet started ISO 27001. Their CISO chose to delay the deal six weeks to finish the current SOC 2 Type II audit cycle and hand over the fresh report with a bridge letter covering the gap since the observation period ended, rather than risk the deal stalling on missing ISO 27001 evidence. The deal closed in week 16, six weeks later than originally forecast. The lesson: knowing the buyer's required frameworks before the questionnaire arrives compresses the cycle. Reps in this position now use signal intelligence to surface the buyer's public vendor security policy in the first qualification call.

HITRUST: healthcare-adjacent buyers

HITRUST is a private-sector framework operated by the HITRUST Alliance that unifies controls from HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, and GDPR into a single certifiable framework called the HITRUST CSF. The framework documentation and assessor directory live at hitrustalliance.net.

HITRUST is the dominant security framework for vendors handling Protected Health Information (PHI) in the United States. Large hospital systems, health insurers, pharmacy benefit managers, and clinical data networks increasingly require HITRUST CSF Validated Assessment from any vendor processing PHI. A HIPAA Business Associate Agreement remains required, but it is not a substitute for HITRUST certification.

Assessment types

HITRUST offers three assessment tiers: the e1 (essentials) for foundational cyber hygiene, the i1 (implemented) for moderate-maturity programs, and the r2 (risk-based) Validated Assessment, the tier most enterprise healthcare buyers require. The r2 assessment is performed by a HITRUST Authorized External Assessor and is valid for two years with an interim assessment in year one; an i1 is valid for one year, so a buyer asking for "HITRUST" should be asked which tier.

Cost and timeline

Total cost for r2 Validated Assessment typically runs $40,000 to $120,000 including readiness work, assessor fees, and remediation. Timeline is 9 to 14 months from kickoff to certification. The cost is materially higher than SOC 2 because HITRUST control depth is greater and the assessor engagement is longer.

Verticals where HITRUST is the priority framework: digital health platforms selling to integrated delivery networks, clinical workflow software, claims and payment software, behavioral health, and clinical decision support tools. For the broader healthcare B2B motion, the healthcare B2B sales guide covers the full buying committee dynamics.

How buyers ask for evidence

Most enterprise buyers ask for compliance evidence through four mechanisms. Knowing which one the buyer is using changes the response strategy.

Vendor security questionnaire (CAIQ, SIG, custom)
  What buyers expect: 150–400 questions covering security controls, encryption, sub-processors, incident response
  What to send: CAIQ Lite first; full SIG only when escalated. Index every answer to a SOC 2 criterion or ISO 27001 Annex A control number.

Audit report request
  What buyers expect: SOC 2 Type II report, ISO 27001 certificate, FedRAMP package, HITRUST report
  What to send: SOC 2 Type II under mutual NDA. Certificates can be shared without NDA.

Penetration test results
  What buyers expect: recent (within 12 months) independent pen test by a recognized firm
  What to send: pen test summary letter on the testing firm's letterhead. Never the full exploit detail report.

Data flow diagram
  What buyers expect: a visual representation of how buyer data moves through vendor systems and sub-processors
  What to send: a one-page architectural diagram showing data ingress, processing, storage, encryption, and sub-processors.

The biggest mistake reps make at this stage is over-sharing. Most reps interpret a security questionnaire as a request to dump every artifact the vendor has. The best practice is the opposite. Send the minimum evidence package that satisfies the request, behind the right gating (NDA for SOC 2 Type II), and respond fast. Over-sharing creates security and competitive risk; it does not accelerate the deal.
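The gating rules in the evidence table and the paragraph above (full SOC 2 only under a countersigned NDA, a public fallback while the NDA is in legal review, a pen test letter no older than 12 months, never the full pen test report, and a bridge letter when the SOC 2 observation period has ended) are simple enough to encode, and encoding them is how a security team stops depending on a rep remembering them. The following is an added example, not code from the original page or from Gangly. Artifact names, the 90-day bridge-letter window, and the choice to gate the data flow diagram behind NDA are this example's assumptions; the sample artifacts and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Gating thresholds. The 12-month pen test age is the figure from the evidence
# table; the 90-day bridge-letter window is an assumption for this example and
# should be set to whatever the vendor's auditor advises.
PEN_TEST_MAX_AGE_DAYS = 365
BRIDGE_LETTER_MAX_GAP_DAYS = 90

# Artifacts that leave the building only after a mutual NDA is countersigned
# (treating the data flow diagram as NDA-gated is this example's assumption).
NDA_GATED = {"soc2_type2", "soc2_bridge_letter", "data_flow_diagram"}
# What to offer instead while the NDA is still in legal review.
PUBLIC_FALLBACK = {"soc2_type2": "soc3"}
# Artifacts that are never sent; the value is what goes out in their place.
NEVER_SEND = {"pentest_full_report": "pentest_letter"}


@dataclass
class Artifact:
    kind: str    # "soc2_type2", "soc3", "iso27001_cert", "pentest_letter", ...
    dated: date  # SOC 2: observation period end; ISO: expiry; pen test: test date


@dataclass
class Package:
    send: list = field(default_factory=list)      # artifact kinds cleared to send
    blockers: list = field(default_factory=list)  # what stops a complete response
    notes: list = field(default_factory=list)     # substitutions made


def assemble_package(requested, artifacts, nda_countersigned, today):
    """Decide which held artifacts answer a buyer's evidence request."""
    held = {a.kind: a for a in artifacts}
    pkg = Package()

    def clear(kind):
        if kind not in pkg.send:
            pkg.send.append(kind)

    for kind in requested:
        if kind in NEVER_SEND:
            pkg.notes.append(f"{kind}: substituted {NEVER_SEND[kind]}")
            kind = NEVER_SEND[kind]
        if kind in NDA_GATED and not nda_countersigned:
            fallback = PUBLIC_FALLBACK.get(kind)
            if fallback in held:
                clear(fallback)
            pkg.blockers.append(f"{kind}: mutual NDA not countersigned")
            continue
        art = held.get(kind)
        if art is None:
            pkg.blockers.append(f"{kind}: not held")
            continue
        if kind == "soc2_type2":
            gap = (today - art.dated).days
            if gap > BRIDGE_LETTER_MAX_GAP_DAYS:
                pkg.blockers.append(
                    f"soc2_type2: period ended {gap} days ago; renewal report needed")
                continue
            clear(kind)
            if gap > 0:  # report is fine, but the buyer will ask what happened since
                if "soc2_bridge_letter" in held:
                    clear("soc2_bridge_letter")
                else:
                    pkg.blockers.append("soc2_bridge_letter: needed to cover the gap")
        elif kind == "iso27001_cert":
            if art.dated < today:
                pkg.blockers.append("iso27001_cert: expired; recertification needed")
            else:
                clear(kind)
        elif kind == "pentest_letter":
            age = (today - art.dated).days
            if age > PEN_TEST_MAX_AGE_DAYS:
                pkg.blockers.append(f"pentest_letter: test is {age} days old; re-test")
            else:
                clear(kind)
        else:
            clear(kind)
    return pkg


# Constructed sample data for a hypothetical vendor; the dates are made up.
TODAY = date(2026, 5, 29)
VENDOR_ARTIFACTS = [
    Artifact("soc2_type2", date(2026, 3, 31)),
    Artifact("soc2_bridge_letter", date(2026, 5, 15)),
    Artifact("soc3", date(2026, 3, 31)),
    Artifact("iso27001_cert", date(2027, 1, 15)),
    Artifact("pentest_letter", date(2025, 9, 10)),
    Artifact("caiq_lite", date(2026, 1, 20)),
]
# A bank-style request like the worked example earlier on this page, plus the
# full pen test report that the rep should not send.
BANK_REQUEST = ["soc2_type2", "iso27001_cert", "pentest_full_report", "caiq_lite"]

if __name__ == "__main__":
    for nda in (False, True):
        pkg = assemble_package(BANK_REQUEST, VENDOR_ARTIFACTS, nda, TODAY)
        print(f"NDA countersigned={nda}: send={pkg.send} blockers={pkg.blockers}")
```

Before the NDA is countersigned the function clears the SOC 3 report, the ISO certificate, the pen test letter and the CAIQ Lite, and records the SOC 2 as blocked; once the NDA is in, it clears the SOC 2 report together with the bridge letter because the observation period ended 59 days earlier. Run the same request with a date 123 days after the period end and the SOC 2 is blocked outright, which is the point at which a buyer will ask for the renewal report rather than a bridge letter.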

How Gangly fits: The Compliance-Ready Workflow

Compliance evidence is a workflow problem, not a content problem. The artifacts already exist — the SOC 2 report, the ISO certificate, the questionnaire response library. The problem is that reps do not know which framework a specific buyer requires until the questionnaire lands in week three. By then the deal cycle has already absorbed the cost of the misaligned discovery call.

Gangly addresses that gap through a workflow we call The Compliance-Ready Workflow. The system surfaces buyer security maturity from intent signals and named requirements documented in past public sales, so reps know which framework to lead with on the first call. Three layers make it work.

Signal layer

Signal detection watches for triggers — new CISO hire, recent breach disclosure, published vendor security policy update, ISO certificate publication — that indicate which framework the buyer is operating under.

Prep layer

Before the discovery call, the rep receives a buyer brief that names the likely framework requirement, the buyer's public trust page, and the right opening question to confirm. No more guessing in the discovery call.

Capture layer

Post-call notes capture every framework requirement and evidence ask from the call automatically, so the security team knows what to assemble before the questionnaire arrives.

Verdict. The reps who win in cybersecurity compliance-gated sales are the ones who arrive at the discovery call already knowing which framework the buyer requires. Gangly's Compliance-Ready Workflow makes that the default, not the exception. Starter is $99 per seat, Growth $199 per seat, and Scale $299 per seat; pick the tier that matches the number of frameworks the team needs to track. A free trial takes 5 minutes; a guided demo takes 25.

Common compliance evidence mistakes

Six mistakes account for the majority of evidence-related deal stalls. Each is correctable in the same week the rep learns it.

1. Sending the full SOC 2 Type II report without a signed NDA
   Instead: Share a one-page trust summary or a SOC 3 report on first request. Send the full SOC 2 Type II report only after a mutual NDA is countersigned. Buyers respect the gating; auditors expect it.

2. Leading with SOC 2 when the buyer is headquartered in Frankfurt
   Instead: Lead with ISO 27001 for EU and UK buyers. Mention SOC 2 as a complement. Inverting the priority signals that the rep has not read the buyer's vendor security policy.

3. Sending the full penetration test report
   Instead: Send the pen test summary letter on the testing firm's letterhead. The full report contains exploit detail that should never leave the vendor. Most buyers accept a summary; only deep technical reviewers escalate for more.

4. Treating HIPAA compliance as a substitute for HITRUST
   Instead: A HIPAA Business Associate Agreement is required, but it is a contract, not a certification. HITRUST CSF Validated Assessment is the certification large healthcare buyers ask for. Confusing the two stalls deals at the hospital security review stage.

5. Quoting a FedRAMP timeline of 6 months in a federal discovery call
   Instead: Be honest about the realistic 18 to 24 month process. Federal buyers know the timeline better than the vendor. Under-quoting destroys credibility at the first technical sync.

6. Letting questionnaire responses sit in the AE's inbox for two weeks
   Instead: Return CAIQ Lite within 5 business days. Return full SIG questionnaires within 10. Every day of delay is a day a competing vendor uses to advance through the buyer's security review pipeline.

The connecting thread: send less, send faster, and gate the high-value artifacts behind NDA. For the qualification framework that helps map evidence requirements to a buyer's formal decision criteria, see MEDDPICC explained, particularly the "Decision Criteria" and "Paper Process" components, which are where compliance evidence lives in the deal.

What to do this week

  • Monday. Pull the top 20 open opportunities. Mark each one by likely framework requirement (SOC 2, ISO 27001, FedRAMP, HITRUST, or none).
  • Tuesday. For each opportunity, locate the buyer's public trust or vendor security page. Read it. Save the URL to the CRM record.
  • Wednesday. Build the standard evidence package: SOC 2 Type II report (released only under NDA), pen test summary letter, CAIQ Lite, one-page data flow diagram.
  • Thursday. Draft a mutual NDA template that legal has pre-approved. The fewer redlines, the faster the evidence flows.
  • Friday. Wire the workflow into Gangly. See the Gangly sales workflow for the connected sequence: signal to call prep to evidence capture.

Frequently asked questions

Which compliance certification should a startup pursue first when selling to B2B SaaS buyers?

SOC 2 Type II is the first certification a startup should pursue when selling to B2B SaaS buyers in North America. It is the de facto baseline that almost every mid-market and enterprise security questionnaire asks for. A SOC 2 Type II audit covers a 6 to 12 month observation window and typically costs $20,000 to $60,000 including readiness assessment, auditor fees, and remediation. ISO 27001 becomes the priority if a vendor is targeting EU or UK buyers from the start.

What is the difference between SOC 2 Type I and SOC 2 Type II?

SOC 2 Type I attests that a vendor has the right controls designed at a single point in time. SOC 2 Type II attests that those controls operated effectively across a 6 to 12 month observation window. Enterprise buyers almost universally require Type II. Type I is acceptable as an interim artifact during the first audit window but does not satisfy mature procurement teams once the vendor is past 18 months of operation.

How long does it take to achieve FedRAMP authorization?

The average FedRAMP authorization process runs 18 to 24 months from the start of the sponsor agency engagement through Authority to Operate (ATO). The process includes selecting an impact level (Low, Moderate, or High), engaging a sponsor agency, completing a System Security Plan, independent assessment by a 3PAO, and final agency review (the separate Joint Authorization Board review was retired in 2024). Cost typically runs $500,000 to $2 million depending on impact level.

Do all SaaS vendors selling into hospitals need HITRUST certification?

Not all of them, but a growing share do. HITRUST is increasingly required by large hospital systems, payers, and pharmacy benefit managers for any vendor handling Protected Health Information. A HIPAA Business Associate Agreement plus a SOC 2 Type II report satisfies many smaller healthcare buyers. HITRUST CSF Validated Assessment is the higher bar that large integrated delivery networks and national insurers ask for.

Can a SOC 2 report be shared without a Non-Disclosure Agreement?

Not the full report. A SOC 2 Type II report is a restricted-use document that describes the vendor's control environment, its sub-service organizations, any exceptions the auditor found, and the vendor's responses to them. Standard practice is to share it only under a mutual Non-Disclosure Agreement. A SOC 3 report, the general-use version with the control matrix and test results removed, can be shared publicly but does not satisfy enterprise security review teams that need to see the controls and results.

How do reps know which compliance framework a prospect will require?

Three signals predict the framework a prospect will require: the buyer's industry vertical (financial services and SaaS expect SOC 2; EU enterprises expect ISO 27001; healthcare expects HITRUST; federal expects FedRAMP), the buyer's geography (EU and UK headquarters strongly correlate with ISO 27001), and the buyer's published vendor security policy, which is often available on the procurement or trust page of the buyer's website. Gangly surfaces these signals from intent data and past public requirements before the discovery call.

Is ISO 27001 recognized by US enterprise buyers as an alternative to SOC 2?

It depends on the buyer. Some US enterprises accept ISO 27001 as an equivalent baseline because the underlying control objectives overlap significantly with SOC 2 Common Criteria. Most US-headquartered enterprise buyers, however, still require a SOC 2 Type II report as the primary artifact, with ISO 27001 treated as an additional certification rather than a substitute. The reverse is also true: EU buyers often treat SOC 2 as supplementary to ISO 27001.

What does a vendor security questionnaire usually contain?

A standard vendor security questionnaire contains 150 to 400 questions covering: information security policy, access control, encryption at rest and in transit, sub-processor disclosure, incident response procedures, business continuity and disaster recovery, data residency, employee security training, vulnerability management, and breach notification timelines. Common formats are the Cloud Security Alliance CAIQ, the Shared Assessments SIG (Standard or Lite), and the buyer's custom spreadsheet. Pre-built responses indexed to SOC 2 and ISO 27001 control numbers cut response time by 60 to 80%.
