BastionSec
For B2B SaaS with a stalled enterprise deal

Enterprise deal stuck on SOC 2 (or ISO 27001)? Let's unblock it.

The revenue is yours: one certificate stands in the way. We get you ready in the shortest realistic time, with real security that holds up in front of your customer's CISO. Nothing for show.

  • We take you all the way to an accredited body / an independent CPA: that's what makes your certification hold.
  • Write to us and we'll figure out what you need: we'll tell you exactly where you stand.

We know the scene. You're living it right now.

The customer's security questionnaire just landed. Or a contract clause: "vendor must be SOC 2 / ISO 27001 by signature." Your sales team is ready, they love the product, the price is agreed, and everything stalled on a single line. Meanwhile the quarter is burning, the buyer has three other vendors on the shortlist, and you can't confidently say "it'll take X weeks."

The cost of waiting

  • Real revenue frozen now, not an abstract risk.
  • Every week of uncertainty is an opening for a competitor who's already certified.
  • The worst outcome: buying the "fast version" and watching the customer's auditor reject it, losing the deal and the time.

First question: does your customer want SOC 2 or ISO 27001?

They're not the same thing, and picking the wrong one costs months. In short:

SOC 2 is an attestation (AICPA standard), the typical requirement of US enterprise customers. There's Type I (controls are well-designed at a point in time) and Type II (controls actually operated over an observation period, usually 3-12 months). The report is signed by an independent CPA, not by us.

ISO/IEC 27001 is a certification (international standard), the typical requirement of EU customers. The certificate is issued by an accredited body after an audit (Stage 1 + Stage 2). Valid for a 3-year cycle with annual surveillance.

When you reach out we read your customer's questionnaire or contract together and tell you which one you actually need, and whether you need both.

Go deeper

The standard, and who delivers it.

SOC 2: the service

Support to SOC 2 attestation for US enterprise customers.


ISO 27001: the service

Support to ISO 27001 certification for EU customers.


What SOC 2 is

AICPA attestation, Type I and Type II, observation period: the informational pillar.


What ISO 27001 is

International certification, Annex A, 3-year cycle: the informational pillar.


How we actually unblock it

One method, applied to your case: initial analysis → readiness → implementation → audit → attestation/certification → maintenance. AI speeds up the repetitive part (documentation, evidence collection, first control mapping); people do the analysis, the pentest, and validate everything. That's how we go faster without cutting quality.

  • Initial analysis on your questionnaire/contract: we tell you which standard, where you stand, what's left.
  • Readiness: we close the gaps on policies, controls, evidence (mapped to the 93 Annex A controls for ISO 27001 / to the Trust Services Criteria for SOC 2).
  • Real security, not just paper: pentest and hardening included where needed, that's where we come from.
  • Audit support: we coordinate the accredited body (ISO) or the CPA (SOC 2). We don't sign it ourselves.
  • Maintenance: annual surveillance (ISO) or the cyclical report refresh (SOC 2), we keep it alive.

Why a new brand should hold up in front of their auditor

  • We come from real security. Pentests, hardening, Zero Trust, identity, governance: we do it daily, we don't churn out PDFs.
  • Reports that hold up. Look at an anonymized sample security report: executive summary, CVSS-rated findings, remediation, retest. It's exactly what your customer's CISO wants to see.
  • Independence = validity. We guide you, but an independent accredited body / CPA assesses and signs. That's precisely what makes your certification stand up to the customer's procurement.
  • We practice what we sell: our Trust Center is live.

Customer names, logos and named references appear only after written consent. Until then we show only anonymized proof, our method, and our own Trust Center.

What happens after you reach out

A clear path, so you always know where you stand.

  1. Initial analysis: we read your customer's requirement, assess your readiness, give you your real timeline, and tell you which standard you need.
  2. Proposal: clear scope, deliverables, timeline, price. No surprises.
  3. Kickoff: we start with readiness → implementation → audit → attestation/certification.

Honest timeline, per standard

  1. ISO 27001: typical prep 3-6 months. Depends on readiness, then the body's audit (Stage 1 + Stage 2) and the 3-year cycle with annual surveillance.
  2. SOC 2 Type I: after readiness, point-in-time. Control design at a point in time: the first result you can show the customer.
  3. SOC 2 Type II: readiness + observation 3-12 months. The observation period can't be compressed; you can often show the customer a credible path (Type I first, Type II to follow).

We won't throw random numbers at you: we talk it through and give you your real timeline, not an average.

The three things you're asking yourself right now

Does my customer need SOC 2 or ISO 27001?

It depends on the customer: US enterprises almost always ask for SOC 2; EU customers typically ask for ISO 27001. Some ask for both. When you reach out we read their questionnaire or contract and tell you for sure.

How long does it really take to unblock the deal?

It depends on readiness. ISO 27001: typical prep 3-6 months + the body's audit. SOC 2 Type I: point-in-time after readiness. SOC 2 Type II requires an observation period (3-12 months) before the report: that can't be compressed, but you can often show the customer a credible path (e.g. Type I sooner, Type II to follow). We quantify it for your case.

What if their auditor or CISO rejects what I obtained?

Unlikely, because we don't sell paper: you go through real controls, a real pentest, and an independent body or CPA that assesses and signs. That independence is exactly what makes the result procurement-proof.

Why not just use Vanta or Drata?

You can: they give you great software. But the work (policies, controls, evidence, pentest, audit) is on you. We do it with you, pentest included, and take you all the way to the body or CPA. We often use similar software as a tool; the value is in who drives it.

Do you guarantee I'll get certified?

No, and be wary of anyone who promises it: the outcome depends on an independent body or CPA, which is exactly what makes it valid. What we guarantee is to get you genuinely ready and to tell you upfront, from the first conversation, if and how much is missing.

Continue the path

Audit & Pentest

Our strongest proof point: a real pentest included in the path.


How we work

The transparent method that dispels "for show", and sets us apart from platforms.


Continuous security

After the audit: maintenance, annual surveillance and report refresh.


There's a deal waiting. Let's unblock it.

Tell us your situation: we'll tell you honestly which standard you need and how long it takes, in your case, not on average.