Compliance · Technical · #ISO 27001 #SOC 2 #Nigeria #information security #compliance #certification #enterprise sales #ISMS

ISO 27001 vs SOC 2 for Nigerian Tech Companies: Which, When, and Why

Ekfix Team • Verified Feb 19, 2026

ISO 27001 and SOC 2 are both information security certifications, but they serve different markets and answer different buyer questions. A Nigerian company choosing between them is usually choosing between the European enterprise market and the US enterprise market.


Disclaimer

This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing — verify current regulations with the relevant authorities.

A Nigerian software company reaching the revenue threshold where enterprise clients begin requesting security certifications faces a decision that has become routine for US and UK firms but remains genuinely confusing for the Nigerian market: which certification to pursue first.

The confusion is understandable. ISO 27001 and SOC 2 are both credible information security certifications. Both are expensive and time-consuming to obtain. Both signal security maturity to enterprise buyers. The choice between them is not primarily a technical question — it is a market positioning question that depends on who your buyers are, where they are, and what questions they are trying to answer when they request a certification.


What Each Certification Actually Certifies

ISO 27001 is an international standard for information security management systems (ISMS), maintained by the International Organization for Standardization¹. It certifies that an organisation has implemented a systematic framework for managing information security risks. The standard specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. An ISO 27001 certificate means: this organisation has documented security policies and procedures — and an accredited certification body audited those policies, checked their implementation, and assessed their effectiveness against the standard's requirements.

ISO 27001 is control-agnostic in principle (it requires you to identify your controls based on your risk assessment) but references Annex A, which lists 93 information security controls across four domains. A typical ISO 27001 certification scope includes the systems, locations, and processes within the ISMS boundary.

SOC 2 is a framework developed by the American Institute of Certified Public Accountants (AICPA)². It is not technically an international standard — it is a US-specific audit framework, though it is widely recognised internationally. SOC 2 certifies that an organisation has implemented controls meeting the Trust Services Criteria (TSC) — five criteria covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most SOC 2 audits cover Security plus whichever additional criteria are relevant to the service.

SOC 2 comes in two types: Type I (point-in-time assessment — controls exist as designed at a specific date) and Type II (assessment over an observation period, typically 6–12 months, confirming controls operated effectively throughout the period). A SOC 2 Type II report is significantly more credible than Type I because it demonstrates operational effectiveness, not just design.


Who Requires Which

ISO 27001 is the standard requested by:

  • European enterprise clients
  • Middle Eastern enterprise clients
  • Regulated industries globally that specify ISO 27001 in procurement requirements
  • UK enterprise clients (particularly those in financial services and healthcare)
  • Nigerian regulators and large enterprise clients that reference international standards in their vendor requirements (CBN, NDPC, large banks)

SOC 2 is the standard requested by:

  • US enterprise clients, particularly SaaS buyers
  • US-based investors and acquirers conducting due diligence
  • Companies whose US clients have passed-through SOC 2 requirements to their vendors
  • B2B software companies selling into the US market

The simple heuristic: If your growth strategy targets Nigerian enterprise and African expansion, pursue ISO 27001 first. If your strategy targets US clients or US-backed businesses, SOC 2 Type II is likely more immediately relevant. If you are targeting both markets at scale, you will eventually need both — and ISO 27001 provides more implementation overlap with SOC 2 than commonly understood.


The Implementation Journey

Building toward ISO 27001

Phase 1: Gap assessment (4–8 weeks). Assess current practices against ISO 27001 requirements and Annex A controls. Identify gaps — missing policies, undocumented processes, absent controls. The gap assessment determines the scope and cost of the implementation.

Phase 2: ISMS design and documentation (8–16 weeks). Define the ISMS scope (what systems, locations, and processes). Conduct a formal information security risk assessment. Select controls from Annex A to address identified risks (documented in a Statement of Applicability). Write policies and procedures: information security policy, access control policy, incident response policy, business continuity plan, and many others.

Phase 3: Implementation and operation (3–6 months). Implement the controls. Train staff. Run the ISMS for a meaningful operating period — certification bodies want to see evidence that the ISMS has been operating, not just documented. This includes management reviews, internal audits, and corrective action records.

Phase 4: Certification audit. Two-stage audit by an accredited certification body. Stage 1 reviews documentation and assesses readiness. Stage 2 is the full audit — interviews, evidence review, control testing. If the audit findings are acceptable, the certificate is issued. Surveillance audits follow annually, with full recertification every three years.

Timeline: 12–18 months from decision to certificate for a small-to-medium technology company building from scratch.

Cost for a Nigerian company: Certification body fees range from ₦2–5M for small organisations. Consultancy support (highly recommended for the first certification cycle) adds ₦1–3M. Internal staff time is the largest but least visible cost. Total investment: ₦3–10M over 12–18 months.

Building toward SOC 2

Phase 1: Scoping and gap assessment (4–6 weeks). Determine which Trust Services Criteria to include (Security is mandatory; the others depend on what your clients care about). Assess current controls against the SOC 2 requirements. The gap assessment should identify precisely what needs to be implemented before the observation period can begin.

Phase 2: Controls implementation (8–16 weeks). Implement controls required by the Trust Services Criteria. For a technology company, this covers: logical access (user access management, multi-factor authentication), change management (code review, deployment approvals), risk assessment programme, vendor management, incident response, encryption in transit and at rest, monitoring and logging.

Phase 3: Observation period (3–12 months). For SOC 2 Type II, the auditor needs evidence that controls operated effectively over the observation period. The observation period is typically 6 months (sometimes 3 for first-time audits, sometimes 12). Start the observation period only when controls are in place and operating — evidence collected before controls were implemented is not useful.

Phase 4: SOC 2 audit. Conducted by a CPA firm licensed by the AICPA or an AICPA-equivalent. The auditor reviews control design and tests operating effectiveness from the observation period. Output is the SOC 2 Type II report — a document shared under NDA with enterprise clients rather than a public certificate.

Timeline: 9–15 months from decision to first Type II report.

Cost: AICPA-licensed audit firm fees range significantly — ₦4–10M for a small organisation. Automation platforms (Vanta, Drata, Secureframe) that collect audit evidence continuously and connect to cloud providers cost $5,000–$15,000/year and significantly reduce audit preparation time. These platforms are not available through Nigerian providers; pricing is in USD.


The NDPC Factor

The National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (NDPR) in 2019³, and the Nigerian Data Protection Commission (NDPC) — established by the Nigeria Data Protection Act 2023⁴ — now oversees its successor framework. The NDPC increasingly expects regulated entities — and the vendors they use — to demonstrate information security standards. ISO 27001 is explicitly referenced as an acceptable framework in NDPC guidance.

A Nigerian company pursuing ISO 27001 partially satisfies NDPC compliance expectations, supports the vendor assessments from Nigerian enterprise clients, and positions well for the CBN's vendor risk management requirements for companies in the financial services ecosystem. SOC 2 provides less direct value for Nigerian regulatory compliance.


The Practical Recommendation

For a Nigerian technology company in the ₦100M–₦500M revenue range building toward enterprise clients:

Start with ISO 27001 if: your clients are primarily Nigerian and African enterprises, European clients, or regulated industries that specify standards-based compliance.

Start with SOC 2 if: you are actively selling to US enterprise accounts, your technology stack is US cloud-native (AWS, GCP, Azure), and your US clients or prospects have specifically requested it.

Build an ISMS regardless: Whether you pursue ISO 27001 or SOC 2, the underlying requirement is the same — a documented, operating, audited information security management programme. Build the practices first; the certification is the audit attestation of those practices.

The worst outcome is spending twelve months pursuing a certification none of your actual or target buyers require, while losing deals to competitors who hold the certification your buyers do request. The first step is surveying your five to ten most important current and target clients about which certification they would value.


Sources

  1. ISO/IEC 27001:2022, iso.org
  2. AICPA SOC 2 framework, aicpa.org
  3. NITDA, NDPR 2019
  4. NDPC, established under NDPA 2023, ndpc.gov.ng