ISO27Auditor's comments

ISO27Auditor | 3 months ago | on: I implemented an ISO 42001-certified AI Governance program in 6 months

You don't need to use an external auditor that is your local audit provider; you just need to be sure that the audit provider (certification body) is accredited with an accreditation under the IAF (e.g. IAS, UKAS, DAkkS, COFRAC, etc.).

Any accredited certification body in the world can audit you, and you can also save a lot by opting for a smaller certification body abroad instead of, for instance, one of the big names (I am an auditor for ISO 42001 and ISO 27001 as well).

ISO27Auditor | 1 year ago | on: Show HN: Free mortgage analysis tool to avoid getting screwed by closing costs

ISO 27001 implementation and certification doesn't have to be overly expensive if you have the right team to help you. It also doesn't have to be time-consuming, as you can outsource a good deal of the work. I work as an ISO 27001 auditor and I help companies get ISO certified. For a small company, the combined cost of certification and external provider support ranges from $5k to $8k. Of course, if you are a larger organisation the cost will go up, but not drastically.

ISO27Auditor | 1 year ago | on: Ask HN: How to handle sensitive document uploads as a one-person SaaS?

IMO just get ISO 27001 to demonstrate that you are managing the sensitive information properly, and you will also improve your client confidence.

I work as an ISO 27001 auditor, and help companies get ISO 27001 certified in no time (1-2 months), with a budget of 5k-8k in total (external support and certification included). The goal is to keep it simple, save costs, and in the end get the company certified.

ISO27Auditor | 1 year ago | on: Security Is a Useless Controls Problem

Agreed. As an ISO 27001 auditor I see a growing demand for security compliance certification / attestations (ISO 27001, SOC 2), and it's client driven 95% of the time. So, in the end, it’s often worth it to go ahead and do it.

ISO 27001 is more affordable (2k-3k for the audit, and an additional 1k-3k for an external provider to manage everything for you); SOC 2 will set you back at least 10k.
