ISO 27001, SOC 2, or GDPR: Which Security Certifications Should You Require From a Vietnam Software Partner in 2026

Published on 5 Jun 2026

Security certifications aren't interchangeable checkboxes. 724SOFTWARE maps out how to pair ISO 27001, SOC 2, and GDPR based on industry risk.


When evaluating a Vietnam software team, the right security certifications are not interchangeable checkboxes. ISO 27001 is an internationally recognised certification that proves a partner has built a functioning Information Security Management System (ISMS). SOC 2 is a US-origin attestation that demonstrates a service provider's controls around security, availability, and confidentiality, audited against the AICPA Trust Services Criteria. GDPR is a legal regulation governing how personal data of EU residents is collected and processed. In 2026, the combination you require depends on your industry, the data you share with your partner, and the markets your product serves. For most B2B SaaS companies and enterprises partnering with a Vietnam IT company, ISO 27001 is the foundation, SOC 2 Type II is the strongest US/ANZ market signal, and GDPR compliance is non-negotiable if your customers are in Europe.

TL;DR: Key Takeaways

  • ISO 27001 certifies a partner's internal ISMS through independent audit; SOC 2 attests specific controls for your service context; GDPR is a legal obligation, not a certification.

  • ISO 27001:2022 is the most universally respected standard for an offshore Vietnam IT company serving global clients.

  • SOC 2 Type II (vs. Type I) demonstrates controls working consistently over time, not just at a point in time.

  • GDPR compliance is mandatory for organisations that offer goods or services to, or monitor the behaviour of, individuals physically located in the EU, regardless of where your partner is located.

  • Requiring all three provides the broadest coverage for Fintech, Healthcare, and enterprise SaaS contexts.

About the Author: This article is authored by the team at 724SOFTWARE, a Vietnam-based technology company holding ISO 27001:2022 certification and SOC 2 Type II attestation, with over a decade of delivery experience across regulated industries including Fintech and Digital Healthcare in 10+ countries.

What exactly does ISO 27001 certify, and why does it matter for offshore partnerships?

ISO 27001 is an internationally recognised certification standard for information security management, covering access controls, cryptography, incident management, and business continuity planning. Critically, it is a third-party certification, not a self-assessment. An accredited external auditor reviews whether the organisation has designed, implemented, and is actively maintaining an ISMS aligned to a defined set of controls.

For a buyer selecting an offshore Vietnam software team, this matters because it removes a trust gap. Rather than relying on a partner's verbal reassurances about data handling, you can review a certificate issued by an accredited body. The current version is ISO 27001:2022, which added 11 new controls including threat intelligence, cloud security, and data masking compared to the 2013 edition. When requesting evidence, always confirm the certificate references the 2022 version.

  • What it covers: ISMS design, risk treatment, access controls, incident response, physical and logical security.

  • Who issues it: Accredited certification bodies (e.g., BSI, Bureau Veritas, SGS).

  • Renewal cycle: Annual surveillance audits plus a full recertification every three years.

  • Best for: UK, EU, APAC, and Singapore buyers; government and enterprise procurement requirements.

How does SOC 2 differ from ISO 27001, and when should you require it?

Building on the ISO 27001 foundation, a separate but complementary question, relevant mainly to US and Australian buyers, is SOC 2. Where ISO 27001 is a certification with a prescribed control set, SOC 2 is an attestation report produced by a CPA firm against the AICPA's Trust Services Criteria. The partner defines its own control objectives and the auditor assesses whether those controls were designed and operated effectively.

"SOC 2 is an attestation focusing on customised security programs, while ISO 27001 is a strict certification for securing data through prescribed controls."

Dimension | ISO 27001 | SOC 2 Type I | SOC 2 Type II
--------------------- | --------------------------------------------- | --------------------------------------------------- | ----------------------------------------------------------------------
What it proves | ISMS is certified against a prescribed standard | Controls are designed adequately at a point in time | Controls operated effectively over a review period (typically 6-12 months)
Issued by | Accredited certification body | Licensed CPA firm | Licensed CPA firm
Geographic weight | EU, UK, APAC, Singapore | US, Canada | US, Canada, ANZ
Control flexibility | Prescriptive (Annex A controls) | Customisable | Customisable
Strength of assurance | High (ongoing surveillance) | Moderate (point in time) | High (operational evidence over time)

If your market is the US or Australia, require SOC 2 Type II specifically. Type I only shows that controls exist on paper; Type II proves they worked consistently over the audit period. A partner that only offers Type I should be asked when their Type II review period will complete.

Is GDPR a certification you can require, or is it a different category entirely?

Stepping back from the technical audit world, GDPR occupies a fundamentally different category. It is not a certification a partner earns. It is a legal regulation under EU law that binds any organisation that offers goods or services to, or monitors the behaviour of, individuals physically located in the EU, regardless of where that organisation is physically located. A Vietnam IT company building software that handles data for a German SaaS product must comply with GDPR.

GDPR compliance as a partner requirement means confirming:

  • The partner can act as a compliant data processor under Article 28 and will sign a Data Processing Agreement (DPA).

  • They have mechanisms for handling data subject rights requests (deletion, portability).

  • They maintain records of processing activities.

  • Their sub-processors (cloud providers, tooling vendors) are also GDPR-compliant.

Importantly, ISO 27001 and GDPR are complementary rather than redundant. ISO 27001 provides the technical and organisational measures that GDPR Article 32 requires you to have in place, so an ISO 27001-certified partner is significantly closer to GDPR readiness than one without it.

Which combination of certifications should you require based on your industry and geography?

A related but distinct question is which combination to actually stipulate in a vendor assessment. The answer is context-dependent, but the following framework covers the most common buyer profiles in 2026.

Buyer Profile | Minimum Requirement | Recommended
--------------------------- | --------------------------------------- | -------------------------------------------------
B2B SaaS (US market) | SOC 2 Type II | SOC 2 Type II + ISO 27001:2022
B2B SaaS (EU / UK market) | ISO 27001:2022 + GDPR-compliant DPA | ISO 27001:2022 + SOC 2 Type II + GDPR
Fintech / Banking | ISO 27001:2022 + SOC 2 Type II | All three plus penetration testing evidence
Digital Healthcare | ISO 27001:2022 + GDPR (or HIPAA if US) | All three; HIPAA BAA if handling US patient data
Enterprise ERP / Operations | ISO 27001:2022 | ISO 27001:2022 + SOC 2 Type II
Singapore / APAC enterprise | ISO 27001:2022 | ISO 27001:2022 + SOC 2 Type II

For most mid-market buyers evaluating a Vietnam software team, ISO 27001:2022 is the non-negotiable baseline. SOC 2 Type II adds US/ANZ market credibility. GDPR compliance is mandatory whenever your product involves offering goods or services to, or monitoring the behaviour of, individuals physically located in the EU.

724SOFTWARE holds ISO 27001:2022 certification and SOC 2 Type II attestation, and operates as a GDPR-compliant data processor, covering this full combination for clients in Fintech, Digital Healthcare, and enterprise SaaS.

Frequently Asked Questions

Can a Vietnam IT company realistically hold all three: ISO 27001, SOC 2, and GDPR compliance?

Yes. ISO 27001 and SOC 2 are audit-based and achievable regardless of geography. GDPR compliance is a legal posture, not a geography-locked requirement. A partner with ISO 27001:2022 already has most of the technical measures GDPR requires, making all three achievable and increasingly common among serious Vietnam software teams serving global clients.

What is the difference between SOC 2 Type I and SOC 2 Type II, and which should I insist on?

Type I confirms that controls were designed correctly at a single point in time. Type II confirms those controls operated effectively across an audit period, typically six to twelve months. For production systems or regulated-data environments, always require Type II.

Does ISO 27001 automatically mean the partner is GDPR compliant?

No, but it significantly advances readiness. ISO 27001 provides the technical and organisational security measures that GDPR mandates under Article 32. However, GDPR also requires specific legal mechanisms (DPAs, data subject rights processes, lawful basis for processing) that go beyond ISO 27001's scope. You need both.

What documents should I ask a Vietnam software partner to provide during due diligence?

Request the actual certificate (not a logo), confirming the issuing body, scope, and expiry date for ISO 27001. For SOC 2, request the full Type II report with the auditor's name and review period. For GDPR, request a signed DPA and their record of processing activities template. Also ask whether their sub-processors (cloud, AI tools) are documented.

Is HIPAA relevant when working with a Vietnam development team on a healthcare product?

If the product handles protected health information (PHI) for US patients, HIPAA applies to business associates, including offshore development teams. You would need the partner to sign a Business Associate Agreement (BAA). For non-US healthcare markets, ISO 27001 and GDPR typically cover the required regulatory posture.

How often should I re-verify a partner's certifications?

ISO 27001 certificates should be confirmed annually, as they require annual surveillance audits. SOC 2 Type II reports are typically issued annually and you should request the most recent period. Treat any gap of more than 12 months in audit coverage as a flag worth raising directly with the partner.

Do security certifications replace the need for contractual data protection clauses?

No. Certifications demonstrate capability and process maturity; contracts enforce legal accountability. Always pair certification requirements with a DPA for GDPR contexts, clear data handling schedules in your MSA, and incident notification timelines written into the SLA.

About 724SOFTWARE

724SOFTWARE is a Vietnam-based technology company with 200+ professionals, 58% of whom are senior-level engineers, delivering software solutions across 10+ countries. The company holds ISO 9001, ISO 27001:2022 certification, SOC 2 Type II attestation, and operates as a GDPR-compliant data processor, making it one of the more comprehensively certified Vietnam software teams for clients in Fintech, Digital Healthcare, and enterprise SaaS. 724SOFTWARE integrates generative AI tools including Claude and Cursor into the SDLC to accelerate delivery by approximately 30%. With a 95% client retention rate and the ability to scale dedicated teams from 1 to 50+ pre-vetted engineers in 2-4 weeks, the company operates as a long-term technology partner, not a project-by-project vendor.

Evaluating a Vietnam software partner and want to verify security posture before signing a contract? Talk to the 724SOFTWARE team about our ISO 27001:2022, SOC 2 Type II, and GDPR compliance documentation, and how we structure data protection into every dedicated team engagement.

Visit 724software.com.vn to get in touch.

Shrimpie Tran

AI Engineer