ISO 27001·9 min read

The SaaS Compliance Stack in 2026: What to Do First, Second, and Third

The SaaS compliance stack is not a checklist. It is a sequence. The teams that make the fewest expensive mistakes treat compliance the way they treat product architecture: build the foundation before the features, and match every framework to a specific business trigger rather than a general anxiety about "getting compliant."

This brief is opinionated. It says what to do first, second, and third — and what to leave out of the stack entirely. For the underlying framework selection logic, see the compliance framework guide.


The Sequencing Principle

The right order comes from three constraints in tension: buyer expectations (procurement gates that stall deals), control overlap (later frameworks reuse earlier work), and legal obligations (some frameworks apply automatically the moment a specific data type enters the platform).

Sequence layers by buyer volume, not by theoretical maturity. Build what closes the next 12 months of deals. Add the next layer when a specific trigger — a deal, a data type, a geography — makes it non-optional.


Layer 1: ISO 27001 (First 6 Months)

ISO 27001 is the correct foundation for almost every SaaS compliance stack. It is the international information security management system standard, and its clause 4-10 requirements plus Annex A control set define the operating rhythm that every downstream framework — SOC 2, HIPAA, GDPR — reuses.

Why first: ISO 27001 gives you an Information Security Management System (ISMS), not a point-in-time attestation. The management-system requirements (leadership commitment, risk assessment methodology, Statement of Applicability, internal audit, continual improvement) are the same discipline you will end up building for any serious compliance posture. Starting here means you never rebuild the foundation.

Universal recognition. European buyers recognize ISO 27001 reflexively. US enterprise buyers accept it. Global buyers prefer it. It travels in a way SOC 2 does not.

Timeline: four to six months from a standing start to a certification audit. See ISO 27001 for startups for the fast-track path and the ISO 27001 checklist for the specific clauses and controls.

What you build: ISMS scope statement, risk assessment methodology, Statement of Applicability against ISO 27001:2022 Annex A, access control policy, encryption standards, audit logging, incident response runbook, workforce training program, vendor management, internal audit program, management review cadence. Every one of these becomes reusable for SOC 2 and every framework after.

Common mistake: skipping ISO 27001 because a US customer asked for SOC 2 by name. The customer wants proof that a control environment exists and operates. ISO 27001 certification is that proof, in a report format US buyers will accept — and it means the SOC 2 audit that follows is a lens on the same evidence base, not a second program.


Layer 2: SOC 2 Type II (Months 6–9, When US Enterprise Deals Justify)

SOC 2 Type II is the US-buyer-facing attestation layered on the same underlying controls. Same control environment. Different report. CPA-attested to the AICPA Trust Services Criteria instead of certified against ISO 27001:2022.

Why second: SOC 2 and ISO 27001 share approximately 65 percent of their underlying controls. If you built ISO 27001 first, most of the SOC 2 evidence already exists. What you add is the CPA engagement, the Trust Services Category selection, and the report period. See ISO 27001 vs SOC 2 for the trade-off in detail.

The overlap is the whole point. Here it is visually — the intersection is where you get to reuse work.

SOC 2 and ISO 27001 overlap — 10 shared control families, ~8 weeks saved running them in parallel

→ Interact with the live overlap explorer: SOC 2 × ISO 27001

Trigger: US enterprise deal volume that gates on a SOC 2 report. Enterprise vendor security questionnaires reflexively ask for SOC 2 by name. Type I bridges deals that cannot wait for the Type II report period.

Timeline: two to three months from ISO 27001 certification to a SOC 2 Type II report period beginning, plus the audit period itself (six months typical). See SOC 2 for startups for the pragmatic mechanics and SOC 2 Type 1 vs Type 2 for the report selection.

What you build on top: Trust Services Category selection (Security minimum, Availability common), CPA firm engagement, evidence tagged to Common Criteria references, bridge letters between report periods. The controls themselves are what you already built for ISO 27001.

Common mistake: treating SOC 2 as a parallel program instead of a lens on the same control environment. Two auditors testing two separate evidence sets for the same underlying control is a self-inflicted operational tax. See the compliance controls overlap deep dive for the specific mapping.


Layer 3: Customer-Triggered Privacy Frameworks

The third layer is a set of privacy frameworks that trigger based on customer data flows, not strategic choice.

GDPR

Triggers when you accept EU-resident users. For any SaaS with self-serve sign-up, this is effectively immediate. Enforcement risk is proportional to scale, but procurement blocking for EU enterprise buyers is immediate. See GDPR for SaaS for the operational implementation.

CCPA

Triggers when you meet the revenue or data-volume thresholds and have California residents in your customer base. Less operationally intense than GDPR but requires opt-out mechanics, privacy policy updates, and consumer rights workflows. See CCPA requirements.

ISO 27701

Optional privacy extension to ISO 27001. Useful for demonstrating GDPR-aligned privacy controls to European buyers. Certify when European buyers explicitly ask for it or when GDPR obligations are heavy enough that a certified extension is worth the audit cost.


Layer 4: Category-Specific Frameworks

The fourth layer is domain-specific. Include only what your product surface actually triggers.

HIPAA (HealthTech)

Legal obligation the moment PHI touches your platform. Not optional. If PHI is in scope, HIPAA runs alongside Layer 1, not as a later add-on. See SOC 2 HIPAA compliance for the combined program design and the HIPAA compliance checklist for the operational foundation.

PCI-DSS (Payments)

Applies if you store, process, or transmit cardholder data. Most SaaS engineers this out with tokenization providers (Stripe, Adyen, Braintree) and reduces scope to SAQ A. Only add PCI-DSS as a full program layer if you cannot avoid cardholder data handling.

ISO 42001 (AI-Native SaaS)

Applies when AI materially drives product decisions and buyers are asking for AI governance attestation. Financial services, healthcare, and government buyers are the fastest to add ISO 42001 to vendor questionnaires. If AI is only internal productivity tooling, ISO 42001 is not on the critical path yet.


What Does Not Belong in the Series A-C Compliance Stack

Include only what has a trigger. The following do not belong in a Series A-C SaaS stack unless a specific business event drives them.

FedRAMP. An 18 to 24 month program with cost and complexity fundamentally different from commercial procurement. Only pursue if you have a federal contract in flight. StateRAMP similarly.

NIST 800-171 or CMMC. Only relevant for defense-adjacent contracts.

ISO 27017, ISO 27018. Extensions to ISO 27001 that most buyers do not track separately. Certify only when a specific buyer asks.

HITRUST. Additional attestation layer in healthcare that some large hospital systems require. Do not build it speculatively. Wait for a named deal.

SOX-relevant controls. Only relevant if you are pre-IPO or a public issuer. Not a Series A-C priority.

COBIT, ITIL, ISO 20000. IT service management frameworks. Not procurement gates. Skip.

Every framework you add is a control set to maintain, an audit to renew, and a policy document to keep current. Discipline about what belongs in the stack is discipline about what you have to operate later.


When to Break the Sequence

The default sequence assumes you have the runway to build the ISMS foundation before an attestation deadline hits. Break it when a specific business event compresses the timeline or shifts the anchor.

US-only Series A with a burning enterprise deal in flight. SOC 2 Type I first as a bridge, then ISO 27001 layered on. The deal wins now; the international foundation follows. This is the most common exception.

HealthTech from day one. HIPAA runs alongside Layer 1, not in Layer 4. It is a legal obligation the moment PHI touches the platform. Build HIPAA safeguards into the ISO 27001 ISMS from the start.

AI-native SaaS selling to regulated buyers. ISO 42001 belongs alongside Layer 1. It is the AI Management System standard and shares the Annex SL structure of ISO 27001 — build them together.

Government-vertical SaaS. FedRAMP or StateRAMP replaces the commercial stack. Different timelines, different cost profile, different runbook.

Pure US mid-market SaaS with no European or PHI or AI exposure and a hard SOC 2 procurement gate. SOC 2 first is defensible. The trade-off is that when the ISO 27001 conversation eventually surfaces — and for scaling B2B SaaS it usually does — you will retrofit the management-system requirements you skipped. That is not fatal; it is a known cost.


Reading the Stack Backwards

If you already have three frameworks and want to check whether the sequence is right: work backward from the deals that closed in the last four quarters. Which frameworks were procurement gates on which deals? Which frameworks did buyers reference but not require? Which frameworks did you build for a hypothetical buyer that never materialized?

Any framework in the stack that has never gated a deal, and has no legal obligation attached, is a candidate for deprioritization at renewal.


For per-framework detail, see the SOC 2 service page, ISO 27001 service page, HIPAA service page, GDPR service page, and ISO 42001 service page. For pre-mapped multi-framework bundles, see standard combinations. For the shared-control overlap that makes the stack economical, see the overlap explorer.


Frequently Asked Questions

What should be the first layer of a SaaS compliance stack? ISO 27001 for almost every SaaS. It gives you a management-system foundation the SOC 2 audit, HIPAA program, and GDPR obligations all reuse. Exception: US-only Series A with a burning enterprise deal that needs SOC 2 first — bridge with SOC 2 Type I and layer ISO 27001 on afterwards. HealthTech adds HIPAA alongside from day one because it is a legal obligation.

When should SOC 2 come into the SaaS compliance stack? Once the ISO 27001 ISMS is in place and US enterprise deals ask for SOC 2 by name. Approximately 65 percent of a SOC 2 audit is already covered by ISO 27001 evidence — see the live overlap explorer for the specific shared-control count.

Which SaaS compliance frameworks are customer-triggered rather than universal? GDPR (EU users), CCPA (California residents at threshold), HIPAA (PHI), PCI-DSS (cardholder data), ISO 42001 (AI-driven decisions for regulated buyers). Each activates based on a specific business trigger, not strategic choice.

What should NOT be in a Series A-C SaaS compliance stack? FedRAMP, StateRAMP, NIST 800-171, CMMC unless specific contracts require them. ISO 27017 and ISO 27018 as standalones unless buyers ask. HITRUST unless a named healthcare deal requires it. SOX unless you are pre-IPO.


Ready to Build the Right Compliance Stack?

ShieldKey Solutions designs sequenced compliance programs for SaaS companies. We match the framework layers to your buyer pipeline and data flows, so you build what closes deals rather than what looks comprehensive on a slide.

Schedule a scoping call →