The compliance alphabet soup
Every B2B AI startup eventually gets the question: "are you SOC 2? ISO 27001? Can you handle DIFC?" The honest answer for a year-one company is usually "not yet, and here's what we're doing." But to give that answer credibly, you need to know what each audit actually checks for — not what the marketing pages say.
Here's the cheat sheet we hand to founders. It's not a substitute for a real auditor. It's the framing you need before you spend $40k on one.
SOC 2 — the American default
SOC 2 is an attestation report, not a certification. An auditor (a CPA firm) examines your controls against the AICPA's Trust Services Criteria and writes a report saying "yes, they're doing what they say they're doing." Two flavors:
- Type 1 — point-in-time. "We checked on March 1st and the controls were in place." Cheap, fast, mostly useless for buyers.
- Type 2 — over a period (usually 6–12 months). "We watched these controls operate for 12 months and they held up." This is what enterprise buyers actually want.
What it checks for in an AI system:
- Access controls — who can touch production data, MFA enforced, offboarding rituals
- Change management — pull request review, deploy traceability
- Incident response — you have a runbook and you test it
- Vendor management — your sub-processors are themselves attested
- Customer data protection — encryption at rest, in transit, key management
What it does not check: model behavior, prompt safety, hallucination rates, training data lineage. SOC 2 is about how you operate your system, not what the system does.
ISO 27001 — the European/international default
ISO 27001 is a certification — a formal stamp that says you've implemented an Information Security Management System (ISMS) per the standard. It's more prescriptive than SOC 2 and the audit is conducted by an accredited certification body, not a CPA firm.
What it checks for that SOC 2 doesn't:
- A documented risk assessment methodology you actually use
- A Statement of Applicability explaining which of the 93 Annex A controls you've adopted and why
- Management review meetings — yes, with minutes
- A more formal continuous improvement loop
For AI systems, ISO 27001's sibling ISO 42001 (released 2023) is the one that actually addresses AI-specific risks — model risk management, training data governance, bias monitoring. If your customer asks "are you ISO certified for AI," they probably mean 42001, not 27001.
DIFC — the Gulf data protection regime
DIFC (Dubai International Financial Centre) has its own data protection law — DIFC Law No. 5 of 2020 — modeled on GDPR but with its own quirks. If you're processing personal data of DIFC-registered entities or their customers, you fall under it.
What it actually checks:
- Lawful basis for processing (consent, contract, legitimate interest)
- Cross-border transfer restrictions — and the DIFC has its own list of "adequate" jurisdictions
- Data subject rights — access, deletion, objection
- Breach notification — 72 hours to the Commissioner, like GDPR
- For AI specifically: automated decision-making disclosures (Article 21)
The DIFC also operates under the broader UAE Federal Decree Law No. 45 of 2021 on personal data — so cross-Emirate deployments need to satisfy both.
What's actually noise
Things that get cited in compliance checklists but don't matter much:
- Long policies that nobody reads. Auditors prefer a 5-page policy that's followed to a 50-page one that's ignored.
- Tooling you bought to "be compliant" but didn't integrate. Vanta and Drata are useful; buying them and not connecting them is worse than nothing.
- "AI ethics statements" with no operational hook. If the statement doesn't map to a control someone can audit, it doesn't count.
The order we recommend
For an early-stage AI startup selling to enterprise:
- Month 1–3: Foundational controls — MFA, sane access policies, encryption defaults, an incident response runbook
- Month 3–6: Pick SOC 2 Type 1 if your buyers are US-heavy, ISO 27001 if EU/MENA-heavy
- Month 6–18: Go for Type 2 / full certification
- Month 12+: Add ISO 42001 if AI-specific governance becomes a buyer ask
Takeaway
Compliance is not one thing. It's three or four overlapping regimes, each checking a different slice of your operation. Know what each one actually wants before you commit to the audit — and remember that a tight, lived 5-page policy beats a beautiful 50-page one every time.