ISO 27001
ISO/IEC 27001 (Information Security Management Systems)
Any organisation selling into international enterprise, especially EU/UK and APAC. Often a procurement prerequisite outside the US.
European or APAC enterprise prospect makes ISO 27001 a hard requirement, or when expanding outside the US for the first time.
Documented ISMS plus 93 Annex A controls. Three-year certification cycle with annual surveillance audits. Heavier paperwork burden than SOC 2.
Brings in international procurement, legal, and the global head of security. Often requires regional certification body engagement.
The international companion to SOC 2. Sold as "the same audit pain, but for the deals that pay in euros and yen." Buyers who already have SOC 2 evaluate add-on-cost vs separate-program-cost; greenfield ISO buyers evaluate full programs.