Compliance is a tax, but not all tax is wasted
"We need to be SOC 2 compliant" gets thrown around in sales conversations and rarely understood by the team that has to deliver it.
ISO 27001
What it is: international standard for information security management systems (ISMS). Certification by an accredited body, valid 3 years with annual surveillance audits.
What it requires: a documented ISMS — risk assessment, statement of applicability, controls (Annex A has 93 controls in the 2022 revision), management review, internal audit.
Effort: 6-12 months for first certification, ongoing annual investment. Documentation-heavy.
SOC 2
What it is: American attestation report on operational controls. Five trust services criteria: security (mandatory), availability, confidentiality, processing integrity, privacy.
What it requires: continuous control operation over a period (typically 6-12 months for Type II), evidence of control operation throughout, audit by a CPA firm.
Effort: significant evidence-gathering during the audit period. Tools like Drata, Vanta, Secureframe automate much of the evidence collection.
Use when: selling to US enterprises requiring SOC 2 Type II report.
GDPR (EU) / KVKK (Turkey)
What it is: data protection regulations. Not certifications — laws with enforcement.
What they require:
- Lawful basis for processing personal data
- Data subject rights (access, rectification, erasure, portability)
- Privacy notices, consent management
- Data protection impact assessments for high-risk processing
- Breach notification within 72 hours
- Data Protection Officer (DPO) for some organisations
- Records of processing activities
- Data processing agreements with vendors
- Cross-border transfer mechanisms
KVKK is structurally similar to GDPR with Turkey-specific differences (Veri Sorumluları Sicili registration, a different supervisory authority).
PCI-DSS
For organisations storing, processing, or transmitting cardholder data. Most small merchants qualify for SAQ tiers; larger merchants need a QSA audit.
The pragmatic approach: use a payment processor (Stripe, iyzico, PayTR) that's PCI-compliant; structure your flow so card data never touches your servers. Compliance scope drops dramatically.
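The "card data never touches your servers" approach only keeps you out of scope while it holds, so it is worth enforcing on the backend rather than trusting the client flow. The following is an added example, not code from the original post or from any of the processors named above: the front end is assumed to tokenise the card with the processor's hosted fields or SDK and send only a token, and the backend rejects any payload that still carries something that looks like a primary account number (PAN). The field names, the `tok_` token prefix and the sample payloads are constructed assumptions.

```python
"""
Added example (not from the original post): backend guard that keeps
card data out of servers that are meant to stay outside PCI scope.
Assumptions: the client sends a processor token in `payment_token`
(assumed to start with `tok_`); field names and samples are constructed.
"""
import re
from typing import Any

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TOKEN_PREFIX = "tok_"  # assumed shape of processor-issued tokens


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); filters out random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def _walk(obj: Any):
    """Yield every scalar value of a nested JSON-like structure as a string."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v)
    elif isinstance(obj, str):
        yield obj
    elif isinstance(obj, (int, float)) and not isinstance(obj, bool):
        yield str(obj)


def check_payment_request(payload: dict) -> tuple[bool, str]:
    """
    Accept only requests that reference a processor token and carry no PAN.
    Returns (ok, reason). The reason never echoes the card number itself,
    so it is safe to log and alert on.
    """
    for value in _walk(payload):
        if find_pans(value):
            return False, "request contains what looks like a card number; reject and alert"
    token = payload.get("payment_token")
    if not isinstance(token, str) or not token.startswith(TOKEN_PREFIX):
        return False, "missing or malformed payment token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payloads.
    good = {"payment_token": "tok_abc", "amount": 1999, "order_id": "ORD-123456789012345"}
    bad = {"payment_token": "tok_abc", "card": {"number": "4111 1111 1111 1111"}}
    print(check_payment_request(good))
    print(check_payment_request(bad))
```

Put the check in front of every endpoint that accepts payment-related input, and treat a rejection as an alert rather than a user error: a PAN arriving at the backend usually means the client flow regressed, which is exactly the moment scope would otherwise silently expand. The Luhn filter keeps order numbers and timestamps from producing noise.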
The practical sequence for a startup
- GDPR / KVKK if you operate in those markets — non-optional, regulatory
- SOC 2 Type II — if your ICP is US enterprise
- ISO 27001 — if your ICP is European or global enterprise
- Industry-specific — PCI-DSS, HIPAA, FedRAMP — only if your business needs them
Don't pursue all simultaneously.
The audit-vs-security gap
A common pattern: a company is SOC 2 compliant and still has insecure practices. Compliance frameworks specify processes; they don't guarantee security posture. The team that treats compliance as the security floor and does its own threat modelling on top is the team that's both compliant and secure.
Tools that help
- Drata, Vanta, Secureframe — compliance automation, evidence collection
- OneTrust — privacy management, GDPR-focused
- Manual + spreadsheets — works for small teams; doesn't scale
The cost reality
- ISO 27001 first certification: $25-100k+
- SOC 2 Type II annual: $15-50k for the audit + tool subscriptions
- Internal effort: 10-30% of one engineer's time during audit periods
One pattern we'd warn about
Pursuing compliance without commercial demand. "We should be ISO 27001 because it'd be good" without a specific deal or regulatory requirement is often premature.
One pattern that always pays off
Building compliance evidence into normal operations from day one — automated logs, ticket flows, asset inventories, access reviews. Retrofitting evidence at audit time is much more expensive than capturing as you go.
What's your compliance roadmap?
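As an added example of what "capturing evidence as you go" can look like for one of the controls listed above (access reviews), the script below is not from the original post or from any of the tools it names. It compares an export of current accounts against the approved roster, produces findings (unapproved account, role drift, stale account, approved user missing), and writes a hash-chained evidence record that can be attached to the review ticket the auditor later asks for. The account export shape, the control identifier and all sample data are constructed assumptions.

```python
"""
Added example (not from the original post): quarterly access review that
emits its own audit evidence. Assumptions: the identity-provider export has
`user`, `role` and `last_login` fields; control name and sample data are
constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample: what an identity-provider export might look like.
ACCOUNTS = [
    {"user": "alice",  "role": "admin",  "last_login": "2024-05-01T09:00:00Z"},
    {"user": "bob",    "role": "dev",    "last_login": "2024-01-15T12:00:00Z"},
    {"user": "carol",  "role": "dev",    "last_login": "2024-05-02T08:30:00Z"},
    {"user": "svc-ci", "role": "deploy", "last_login": "2024-05-02T23:59:00Z"},
    {"user": "eve",    "role": "admin",  "last_login": "2024-04-30T10:00:00Z"},
]

# Constructed sample: the roster security/HR has approved (the control's "should").
APPROVED = {"alice": "admin", "bob": "dev", "carol": "dev", "svc-ci": "deploy"}


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_access(accounts, approved, now_iso, stale_after_days=90):
    """
    Compare observed accounts with the approved roster and return findings.
    Issues: not_in_approved_roster, role_drift, stale_account, approved_but_missing.
    """
    now = _parse(now_iso)
    findings, seen = [], set()
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        seen.add(user)
        if user not in approved:
            findings.append({"user": user, "issue": "not_in_approved_roster", "role": role})
            continue
        if approved[user] != role:
            findings.append({"user": user, "issue": "role_drift",
                             "expected": approved[user], "actual": role})
        idle = now - _parse(acct["last_login"])
        if idle > timedelta(days=stale_after_days):
            findings.append({"user": user, "issue": "stale_account",
                             "days_since_login": idle.days})
    for user in approved:
        if user not in seen:
            findings.append({"user": user, "issue": "approved_but_missing"})
    return findings


def _canonical(body: dict) -> bytes:
    """Canonical JSON so the hash is stable regardless of key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(findings, now_iso, reviewer, previous_hash="0" * 64):
    """
    Tamper-evident record: the review is hashed and chained to the previous
    record's hash, so a missing or edited quarter is detectable later.
    """
    body = {
        "control": "quarterly-access-review",  # assumed control identifier
        "reviewed_at": now_iso,
        "reviewer": reviewer,
        "finding_count": len(findings),
        "findings": findings,
        "previous_hash": previous_hash,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_record(record: dict) -> bool:
    """Recompute the hash over everything except the hash field."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record["hash"]


if __name__ == "__main__":
    findings = review_access(ACCOUNTS, APPROVED, "2024-05-03T00:00:00Z")
    record = evidence_record(findings, "2024-05-03T00:00:00Z", "security@example.com")
    print(json.dumps(record, indent=2))
```

Run it on a schedule, store each record next to the ticket where the findings were actioned, and pass the previous record's hash into the next run; at audit time the chain of records is the evidence that the control operated every quarter, rather than something reconstructed from memory.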