We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Indian SaaS Company case study hero background

Indian SaaS Company: SOC 2 + ISO 27001 Together: One Control Set, US Market Unlocked

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Indian SaaS Company: SOC 2 + ISO 27001 Together: One Control Set, US Market Unlocked

US enterprise buyers ask for SOC 2; global procurement teams ask for ISO 27001. Run separately, the two programmes double the work. This engagement shows how an Indian SaaS company entering the US market built one control set serving both frameworks — reusing roughly 95% of evidence — and cleared the security reviews that had been blocking its first US enterprise deals.

Client Overview

The client is an Indian SaaS company selling a B2B product into North American and global enterprise accounts, with engineering in India and a growing US sales presence. The driver was commercial: multiple US enterprise prospects had stalled in security review pending a SOC 2 report, while global prospects asked for ISO 27001. Scope covered the SaaS platform, its cloud infrastructure, and the corporate processes supporting it.

  • Industry: B2B SaaS (US market entry)
  • Region: India (delivery) / United States (market)
  • Regulatory driver: US enterprise procurement (SOC 2) + global tenders (ISO 27001)
  • Timeline: ISO certification + SOC 2 Type I in ~5 months; Type II window following
  • CyberSigma team: Programme lead, ISMS consultant, SOC 2 readiness consultant, audit coordinator

Challenge

The company faced two audit regimes with overlapping but differently framed demands, no existing ISMS, and live deals waiting. Running two isolated projects would have doubled evidence work and put engineering through two rounds of audit interviews.

  • US enterprise deals stalled in security review pending SOC 2
  • Global tenders separately requiring ISO 27001 certification
  • No existing ISMS, control matrix, or evidence collection process
  • Risk of duplicated effort running two frameworks as separate projects
  • Small platform team unable to absorb two audit cycles of interviews and evidence requests

Objectives

  • Design one control set mapped to both SOC 2 Trust Services Criteria and ISO 27001 Annex A
  • Maximise evidence reuse across the two frameworks
  • Coordinate both audits so shared controls are examined once
  • Achieve ISO 27001 certification and SOC 2 Type I quickly, then the Type II window
  • Unblock the stalled US enterprise contracts

Our Approach

1. Unified Control Framework

A single control matrix was designed with each control cross-mapped to SOC 2 criteria and ISO 27001 Annex A clauses, so one implementation and one artefact could satisfy both auditors.

2. ISMS Implementation

Risk assessment, Statement of Applicability, policies, and control operations were stood up once — framed to read correctly under both an ISO certification body and a CPA attestation firm.

3. Evidence Pipeline

Evidence collection was automated where practical (access reviews, change records, monitoring exports) and stored in a single library tagged by framework mapping, yielding roughly 95% reuse.

4. Coordinated Audit Sequencing

The ISO Stage 1/Stage 2 audits and SOC 2 Type I were sequenced so shared control walkthroughs happened once, with the Type II observation window opening immediately after.

5. Buyer Enablement

A security review pack — certificate, report summaries, and pre-filled questionnaire responses — was assembled for the sales team to move stalled deals through procurement quickly.

Solution

  • Single control matrix cross-mapped to SOC 2 TSC and ISO 27001 Annex A
  • One ISMS implementation serving both audit regimes
  • Shared evidence library with framework tagging, achieving ~95% reuse
  • Sequenced audit coordination so shared controls were examined once
  • Sales-ready security review pack for US enterprise procurement

Results

  • ISO 27001 certification and SOC 2 Type I achieved in ~5 months, Type II window underway
  • Approximately 95% of evidence reused across both frameworks
  • First US enterprise contracts signed after clearing stalled security reviews
  • Engineering interviewed once for shared controls instead of twice
  • One maintenance cadence now sustains both frameworks year-round

Client Testimonial

Running both frameworks as one programme meant our engineers answered each question once, not twice. The deals that had been stuck in security review for months closed within weeks of the reports landing.

Head of Compliance, the client

CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205