SOC 2 and ISO 27001 for Crypto Companies

정책 펄스
SOC 2 and ISO 27001 for Crypto Companies

Institutional counterparties ask for SOC 2 and ISO 27001 credentials at predictable points in the due diligence process. A bank weighing a fiat relationship wants a SOC 2 Type II report before it opens the account. An enterprise procurement team wants an ISO 27001 certificate before an API integration goes live.

This guide explains what each framework requires, how to choose between them, and how to get from your current state to a passed audit.

What Each Framework Covers

SOC 2 is an attestation. A licensed CPA firm performs it under AICPA standards and issues a detailed report on the controls behind the commitments you make to customers. The report evaluates those controls against the Trust Services Criteria. The five categories are Security, Availability, Processing Integrity, Confidentiality and Privacy. The common criteria CC1 through CC9 apply to every engagement, so auditors always test the Security baseline. The other categories add criteria only when your commitments involve them. A Type I report checks whether controls are suitably designed on a single date. A Type II report checks whether they operated effectively over a period of 3 to 12 months. Institutional buyers ultimately want the Type II. SOC 2 reports are restricted use documents. You share them under NDA.

ISO 27001 certifies your information security management system. An accredited certification body issues the certificate after a two stage audit. Stage 1 reviews your documented ISMS and confirms you are ready. Stage 2 tests whether the system actually operates. The 2022 edition of the standard requires a documented risk assessment and treatment process, a Statement of Applicability covering the 93 controls in Annex A, an internal audit and a management review. The certificate stays valid for three years with annual surveillance audits and a recertification audit at the end of the cycle.

The two frameworks overlap heavily at the control level. Build one control set mapped to both and you avoid paying for the same work twice.

Which to Pursue First

Follow your buyers. US enterprises and financial institutions usually ask for SOC 2. Buyers in Europe, the Middle East and Asia more often recognize ISO 27001. So do most licensing regulators. If your pipeline spans both regions, plan a combined program from the start. When timing is tight, a Type I report can serve as an interim credential while the Type II observation window runs.

Phase 1. Scope the Engagement

  1. Map your counterparties. List who is asking now and who will ask within the next year. Confirm what each will accept. This determines the framework, the criteria and the calendar.
  2. Scope the Trust Services categories to your actual commitments. Add Availability if your contracts promise trading or withdrawal uptime. Add Confidentiality if you hold institutional client data under confidentiality terms. Categories no buyer has requested add audit cost without commercial return.
  3. Set the system boundary around what your buyers are evaluating. If customer assets touch your wallets or signing infrastructure, those systems belong inside the SOC 2 system description or the ISMS scope. A report that excludes them will not serve its purpose.
  4. Work backward from the date you need the report. A Type II window cannot begin until your controls operate. For a company starting fresh, the report a bank will accept sits close to a year away. A Type I first gives your sales process something to show in the interim.

Phase 2. Assess the Gap

  1. Inventory your current state against the requirements in scope. Map every existing policy, procedure and piece of evidence to the criteria or clauses it addresses. Practice that exists but sits undocumented counts as a gap because auditors test through records.
  2. Weight the assessment toward the control areas in Phase 3. Key management and change management for deployed contracts generate the most findings for digital asset companies. Review them hardest.
  3. Turn findings into a remediation plan. Rank each gap by audit significance and remediation effort. Assign an owner and a date. Run the program against that plan.

Phase 3. Remediate

Most of the work matches what any technology company does. Build access control on least privilege, with hardware backed MFA wherever assets or production systems are reachable. Grant and revoke access on schedule when people join and leave. Run periodic access reviews and keep the records. Maintain a vendor register with risk assessments. Screen and train your people. Run vulnerability management with periodic penetration testing. Assign someone to review the logs and alerts. Test your backups and recovery. ISO 27001 adds the management system itself. You need a risk methodology, a Statement of Applicability, an internal audit and a management review, each producing records.

Several control areas need treatment specific to your business model.

  1. Document the full key lifecycle. Cover generation ceremonies, storage, signing thresholds, rotation and recovery. If a wallet requires three of five signers, write down how you chose the five and what happens when one leaves. Auditors treat signing infrastructure with the same rigor as any other privileged access.
  2. Rebuild change management around deployed code. You cannot patch a deployed contract. The control weight moves to pre deployment review, testing and independent audit. Govern your upgrade keys and proxy admin rights the same way. Keep the approval and deployment records as evidence.
  3. Register the real vendor list. Node providers, oracle networks, custody technology and bridge dependencies all belong on it. Record what each can touch and what happens when it fails.
  4. Extend incident response to on chain events. Cover signing key compromise and anomalous outflows. Run a tabletop exercise against those scenarios and keep the record. The record shows auditors the plan operates.
  5. Extend monitoring to the assets themselves. Logging and alerting should cover treasury and customer wallets as well as the infrastructure. Name the person who reviews the alerts.
  6. Drill recovery and include the keys. Show that assets remain recoverable if a signer, a facility or a vendor becomes unavailable. Keep the drill records.

Phase 4. Operate the Controls and Build the Evidence

  1. Generate evidence as the work happens. Tickets, approvals and review records need timestamps from the moment of the work they document. Reconstructed evidence is a common cause of Type II exceptions and Stage 2 nonconformities.
  2. Organize evidence against the request list. SOC 2 fieldwork runs off a document request list auditors call the PBC list. Assemble your package in that structure ahead of time and fieldwork shortens considerably.
  3. Run an internal audit before the external one. Someone who did not build the controls should test every requirement end to end. ISO 27001 makes this internal audit mandatory rather than optional rehearsal. Certification bodies verify that it happened and that you addressed the findings.

Phase 5. The Audit

  1. Pick an auditor with digital asset experience. A CPA firm or certification body that has never examined MPC custody or a contract deployment pipeline will either over test it or under test it. For ISO 27001, confirm the certification body holds accreditation from a recognized body such as ANAB or UKAS.
  2. Respect the independence rules. The CPA firm that signs your attestation cannot design the controls it tests. Certification bodies cannot consult for the companies they certify. Readiness support has to come from a separate firm or your own staff.
  3. Start the observation window only when the controls run. A window that starts early produces exceptions. Exceptions appear in the report your counterparties read.
  4. Plan for maintenance. Buyers generally expect a SOC 2 report covering a recent twelve month period plus a bridge letter for the gap since the period ended. ISO 27001 brings annual surveillance audits and recertification every three years. The program has to keep operating between audits.

The Return on Readiness

A current report or certificate shortens enterprise diligence. Many procurement teams accept it in place of their own security questionnaires. It also gives banking partners tested evidence instead of your own claims.

The second return is regulatory. Licensing regimes for digital asset firms examine technology risk and information security with expectations that track these frameworks closely. VARA's Technology and Information Rulebook does. So do the MAS Technology Risk Management Guidelines. DORA applies to crypto asset service providers authorized under MiCA and assesses the same control domains. A program built for SOC 2 or ISO 27001 supplies most of the security documentation a license application requires. Preparation done once serves both gates.

How CertiK supports audit readiness

CertiK prepares digital asset companies for both frameworks. The engagement runs from gap assessment through remediation to a documented evidence package and a pre audit review. Both frameworks call for penetration testing, so CertiK's offensive security team performs the technical validation and folds the results into the readiness package.

The team has worked on digital asset infrastructure across security audits and licensing engagements under VARA, MiCA and MAS. The control areas above are the ones it works in daily. Independence rules keep readiness separate from attestation and certification. CertiK fills that separate role.

FAQs

Is SOC 2 a certification? No. SOC 2 is an attestation. A licensed CPA firm issues a report on the design and operation of your controls. ISO 27001 produces a certificate from an accredited certification body. Reviewers notice when companies confuse the terms, so use them precisely in your own materials.

Which should a digital asset company pursue first? Follow your counterparties. US enterprises and financial institutions usually ask for SOC 2. Buyers in Europe, the Middle East and Asia recognize ISO 27001. So do most regulators. If your pipeline spans both, build one control set mapped to both frameworks from the start.

How long does readiness take? For a company starting without an existing program, plan on two to six months of remediation depending on maturity. The Type II observation window adds three to twelve months and three to six is common for a first report. Fieldwork and reporting add four to eight weeks. That puts the report a bank will accept roughly a year out. An ISO 27001 certificate can arrive sooner, but Stage 2 requires the ISMS to have actually operated, including a completed internal audit and management review.

Can our audit firm help us prepare? Only in limited ways. Independence rules bar the CPA firm that signs your attestation from designing or implementing the controls it will test. Accredited certification bodies cannot provide consultancy to the companies they certify. Readiness has to come from a separate firm or from your own team, which is why it exists as its own discipline.

Do smart contract audits or proof of reserves satisfy these frameworks? No single technical exercise does because both frameworks assess your whole program. Audit reports, penetration test results and reserve attestations all serve as strong evidence within the relevant control domains. If you already hold them, you start ahead.

관련 블로그

CertiK Named Official Vendor for Hub71, Bringing Security and Compliance Support to Abu Dhabi's Startup Ecosystem
새로운 · 회사 소식 ·공지사항

CertiK Named Official Vendor for Hub71, Bringing Security and Compliance Support to Abu Dhabi's Startup Ecosystem

CertiK has been named an official vendor for Hub71, offering portfolio companies a 20% service discount, a $200K subsidy pool, and free access to the CertiK Compliance Tool for UAE licensing and compliance.

CertiK, IDAI Summit 2026에서 AI 도입과 디지털 자산 사이버보안 인사이트 공유

CertiK, IDAI Summit 2026에서 AI 도입과 디지털 자산 사이버보안 인사이트 공유

CertiK은 IDAI Summit 2026에서 Web3 생태계의 AI 도입이 가속화됨에 따라 새롭게 부상하는 보안 위협을 분석했습니다. 간접 참조 취약점, 메모리 오염 등 AI 에이전트의 구조적 보안 리스크를 살펴보고, 디지털 자산 보호를 위한 지능형 실시간 감사의 중요성을 강조했습니다.

Skynet State of Digital Asset Regulations Report

Skynet State of Digital Asset Regulations Report

For companies operating or planning to scale globally, the implications are that multi-jurisdictional licensing is now a baseline requirement; AML compliance budgets must align with the scale of enforcement; and security audits are recurring, jurisdiction-specific costs, rather than one-time exercises.