
Figure 1. SOC 2 vs ISO 27001 at a glance — a US attestation report and an international certification meeting around a shared security agenda.
In December 2025, a Series B SaaS company in Austin lost a $2.4M enterprise contract to a competitor. The reason was not price, features, or security.
The reason was paperwork — no SOC 2 Type II report. Their prospect’s procurement team required it as a hard gate. The CISO had a Type I, believed it was enough, and learned otherwise at the eleventh hour.
That loss captures the 2026 reality of SOC 2 vs ISO 27001 for US SaaS leaders. Two frameworks dominate enterprise security reviews.
SOC 2 is a US AICPA attestation report. ISO 27001 is a globally recognized cyber security risk management framework and management-system certification. Picking the wrong one costs deals, time, and budget.
Key Takeaways — SOC 2 vs ISO 27001
- SOC 2 vs ISO 27001 is the most common security-certification decision facing US SaaS leaders in 2026. SOC 2 is a US AICPA attestation report; ISO 27001 is an internationally recognized certification awarded by an accredited body.
- SOC 2 vs ISO 27001 structure: SOC 2 tests controls against the Trust Services Criteria (security + up to four optional TSCs) with 61 criteria and roughly 300 points of focus; ISO 27001:2022 requires a full ISMS plus 93 Annex A controls across four themes (Organizational 37, People 8, Physical 14, Technological 34).
- Controls overlap by 65-90% between the two frameworks. A well-designed joint program yields both deliverables in 12-24 months and saves 20-35% versus running two separate engagements.
- Cost reality for SaaS in 2026: SOC 2 Type I ranges from $10K-$25K total; SOC 2 Type II ranges from $30K-$80K; ISO 27001 certification ranges from $45K-$120K; a bundled SOC 2 + ISO 27001 program runs $75K-$150K.
- Timeline: SOC 2 Type I lands in 2-4 months; SOC 2 Type II in 6-15 months; ISO 27001 initial certification in 6-15 months; a bundled program in 12-24 months.
- Choosing between SOC 2 vs ISO 27001: US SaaS selling to North American enterprise customers leads with SOC 2 Type II; SaaS selling into EU, UK, APAC, or regulated global industries leads with ISO 27001.
- 2026 pressure drivers: SEC cybersecurity disclosure rule, FTC Safeguards amendments, EU NIS2 Directive enforcement, and enterprise procurement gates that demand SOC 2 Type II or ISO 27001 evidence before vendor onboarding.
This guide compares SOC 2 vs ISO 27001 across seven decision factors that matter to US SaaS founders, CISOs, and cybersecurity risk management leaders: what each standard actually is, structure and criteria, audit mechanics, cost, timeline, customer expectations, and the 65-90% overlap that lets ambitious teams pursue both in one coordinated program.
SOC 2 vs ISO 27001: What Each Standard Actually Is
SOC 2 vs ISO 27001 in one line: SOC 2 is a US attestation report produced by a licensed CPA firm against the AICPA Trust Services Criteria; ISO 27001 is an international certification awarded by an accredited body against a management-system standard plus 93 Annex A controls.
SOC 2 vs ISO 27001: What SOC 2 Actually Is
SOC 2 is not a certification. It is an attestation report issued by a licensed US CPA firm under AICPA standards SSAE 18 and AT-C 205. The auditor examines your controls against the AICPA 2017 Trust Services Criteria (Revised Points of Focus 2022) and writes a detailed opinion. Customers review the report directly.
Two report types exist. SOC 2 Type I describes the design of controls at a single point in time. SOC 2 Type II tests operating effectiveness across a 6-12 month observation window. US enterprise procurement treats Type II as the baseline — Type I is an interim milestone, not a finish line.
Scope is modular. Security is the mandatory Trust Services Category. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories added based on the services you deliver.
Most SaaS reports cover Security plus Availability and Confidentiality. Full five-category reports are rare.
SOC 2 vs ISO 27001: What ISO 27001 Actually Is
ISO/IEC 27001 is an international certification. An accredited certification body — ANAB-accredited in the US, UKAS in the UK — audits your Information Security Management System and issues a certificate valid for three years.
Annual surveillance audits keep the certificate live between recertification cycles.
ISO 27001 is governance-first. Clauses 4 through 10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Annex A then adds 93 security controls across four themes. Deliverables include a Statement of Applicability, risk treatment plan, internal audit records, and the certificate itself.
The current version is ISO/IEC 27001:2022. The 2013 version was formally retired on 31 October 2025 under a three-year transition window set by ISO and IAF.
Organizations still citing 27001:2013 in 2026 are out of transition and must be on the 2022 version.
| Dimension | SOC 2 | ISO 27001 |
| --- | --- | --- |
| Type | Attestation report | Certification |
| Issuer | Licensed US CPA firm (AICPA) | Accredited certification body (ANAB, UKAS, etc.) |
| Scope basis | Trust Services Criteria (TSC 2017 / rev 2022) | ISMS + Annex A (ISO 27001:2022) |
| Governing standard | SSAE 18, AT-C 205 | ISO/IEC 27001:2022 + ISO/IEC 27002:2022 |
| Current edition | TSC 2017 revised 2022 | ISO 27001:2022 (2013 retired 31 Oct 2025) |
| Output | Readable audit report with opinion | Certificate + Statement of Applicability |
| Home market | United States (North America) | Global, strongest in EU, UK, APAC |
SOC 2 vs ISO 27001: Structure, Criteria, and Controls
SOC 2 vs ISO 27001 structure differs by design. SOC 2 uses 61 criteria with roughly 300 points of focus across up to five Trust Services Categories.
ISO 27001:2022 uses ten clauses plus 93 Annex A controls grouped into four themes. SOC 2 tests operation. ISO 27001 tests the whole management system.
SOC 2 vs ISO 27001: The Trust Services Criteria
SOC 2 is anchored on the five Trust Services Categories. Security (also called Common Criteria) is always included and carries 33 criteria.
Availability, Processing Integrity, Confidentiality, and Privacy add extra criteria if selected. Total criteria range from 33 (Security only) to 61 (all five).
The AICPA 2022 Revised Points of Focus updated illustrative guidance for cloud risk, third-party risk, and privacy without changing the underlying 2017 criteria. That keeps mature SOC 2 programs stable while pushing new evidence expectations into audits.
SOC 2 vs ISO 27001: The 93 Annex A Controls
ISO 27001:2022 restructured Annex A from 114 controls across 14 clauses to 93 controls across four themes: Organizational (37), People (8), Physical (14), and Technological (34).
The four-theme structure simplifies ownership — HR owns People, IT owns Technological, facilities owns Physical.
Eleven new controls were added in 2022 — threat intelligence, information security for cloud use, ICT readiness for business continuity, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and physical security monitoring. These align Annex A with modern cloud-first SaaS reality.
Clauses 4-10 cover the ISMS itself. This is where ISO 27001 diverges most from SOC 2: a certified ISMS requires a documented risk treatment process, internal audit program, management review, and continual improvement loop — all auditable.
For a deeper walk-through, see a guide to risk assessment methodology and the risk management lifecycle.
SOC 2 vs ISO 27001: How the Two Structures Compare
| Element | SOC 2 | ISO 27001:2022 |
| --- | --- | --- |
| Top-level organizer | 5 Trust Services Categories | 10 clauses + Annex A |
| Control count | 61 criteria (~300 points of focus) | 93 controls |
| Control grouping | By TSC category | 4 themes (Org 37, People 8, Phys 14, Tech 34) |
| Management system | Not required | Mandatory ISMS (Clauses 4-10) |
| Risk assessment | Implicit | Explicit, documented, treated |
| Internal audit | Not required | Mandatory before Stage 2 |
| Management review | Not required | Mandatory recurring cadence |
SOC 2 vs ISO 27001: Timeline, Process, and Audit Journey
SOC 2 vs ISO 27001 audit mechanics differ in sequence and deliverable. SOC 2 runs a readiness phase, an observation window, and auditor fieldwork that ends in a report.
ISO 27001 runs Stage 1 (documentation review), Stage 2 (implementation audit), issues the certificate, then does annual surveillance audits for three years before recertification.
SOC 2 vs ISO 27001: The SOC 2 Audit Flow
SOC 2 Type I typically takes 2-4 months. You scope in the TSCs, implement controls, collect evidence, and the CPA firm issues a point-in-time report. Most US SaaS companies use Type I as an interim deliverable that unblocks mid-market deals while Type II is in flight.
SOC 2 Type II adds an observation window of 6-12 months. The auditor samples evidence across that window to test whether controls operated effectively. Total elapsed time runs 6-15 months from kickoff. Annual renewal is standard; enterprise customers expect a continuous reporting cadence.
SOC 2 vs ISO 27001: The ISO 27001 Audit Flow
ISO 27001 initial certification follows a two-stage audit. Stage 1 reviews documentation — policies, ISMS scope, risk treatment plan, Statement of Applicability. Stage 2 tests implementation with on-site or remote fieldwork. Pass both and the certification body issues a three-year certificate.
Years two and three require surveillance audits — shorter than the initial engagement, focused on selected controls plus any changes in scope or risk.
Year four triggers recertification, effectively a repeated Stage 2 audit. This is where ISO 27001 enforces the continual-improvement loop that a risk-based internal audit program should already support.
SOC 2 vs ISO 27001: Cost Reality for SaaS in 2026

Figure 2. SOC 2 vs ISO 27001 cost and timeline ranges in 2026 — bundled programs add up-front cost but compress elapsed time.
SOC 2 vs ISO 27001 cost in 2026: SOC 2 Type I runs $10K-$25K; SOC 2 Type II $30K-$80K; ISO 27001 initial certification $45K-$120K; and a bundled SOC 2 + ISO 27001 program $75K-$150K. Audit fees are 30-50% of total cost — the rest is internal time, tooling, and remediation.
SOC 2 vs ISO 27001: Where the Money Actually Goes
Audit fees are the visible line item but rarely the biggest one. A SOC 2 Type II audit typically costs $15K-$30K in fees. Total SOC 2 cost usually runs two to three times the audit fee — staff time, GRC tooling, remediation, penetration testing, and policy consulting add the rest.
ISO 27001 is typically 1.5 to 2 times more expensive than SOC 2. An accredited certification body charges $25K-$60K across Stage 1 and Stage 2.
Surveillance audits in years two and three add $10K-$20K per year. Recertification in year four costs roughly what the initial engagement did.
SOC 2 vs ISO 27001: Hidden Costs to Budget For
Four line items catch teams by surprise. First, GRC tooling — Vanta, Drata, Secureframe, Sprinto, Thoropass, or an open-source stack — at $15K-$75K annually depending on scope. Second, penetration testing, required by most SOC 2 auditors and reasonable ISO 27001 bodies, at $10K-$30K per test.
Third, remediation. Expect $20K-$80K to close control gaps — MFA rollout, endpoint management, vendor inventory, privacy review, logging and alerting upgrades. Fourth, internal time. Budget 0.5-1.0 full-time engineers and a security lead across the 6-15 month program. Ignore this and the program slips.
| Cost component | SOC 2 Type II (USD) | ISO 27001 initial (USD) |
| --- | --- | --- |
| Audit fees | $15,000 – $30,000 | $25,000 – $60,000 |
| GRC tooling (annual) | $15,000 – $40,000 | $20,000 – $50,000 |
| Penetration testing | $10,000 – $20,000 | $10,000 – $30,000 |
| Remediation + consulting | $10,000 – $40,000 | $20,000 – $80,000 |
| Internal staff time | ~0.5-1.0 FTE for 6-15 mo | ~0.75-1.25 FTE for 6-15 mo |
| Annual continuation | Type II renewal $20K-$50K | Surveillance $10K-$20K/yr |
SOC 2 vs ISO 27001: Which Do Your Customers Actually Want?
SOC 2 vs ISO 27001 customer expectations split by geography and buyer type. US enterprise procurement expects SOC 2 Type II as a hard gate. EU, UK, and APAC enterprises expect ISO 27001.
Regulated industries — financial services, healthcare, federal contractors — increasingly expect both plus sector-specific frameworks.
SOC 2 vs ISO 27001: US SaaS Buyer Expectations
US enterprise procurement runs on SOC 2 Type II. Fortune 500 vendor risk management teams reference SOC 2 in security questionnaires, contract schedules, and InfoSec addenda.
The SIG (Standardized Information Gathering) and CAIQ questionnaires both map to SOC 2 evidence. A current Type II report shortens third-party risk reviews dramatically.
Financial services buyers layer additional expectations on top of SOC 2. Banks cite FFIEC guidance, NYDFS 23 NYCRR 500 for New York-regulated entities, and OCC model risk rules. Healthcare buyers expect HIPAA mappings. Federal contractors need CMMC 2.0 or FedRAMP evidence in addition to SOC 2.
SOC 2 vs ISO 27001: Global and EU Buyer Expectations
EU enterprise buyers expect ISO 27001. The NIS2 Directive (effective October 2024) expanded cybersecurity obligations to essential and important entities across the EU, including their supply chains. ISO 27001 is the most common evidence baseline for NIS2 conformity. EU DORA (financial services) references ISO 27001 similarly.
UK, German, Dutch, Nordic, and APAC enterprise buyers treat ISO 27001 as the minimum. Public-sector procurement in the UK (Cyber Essentials Plus plus ISO 27001), Germany (BSI C5), and Singapore (Cyber Trust) builds on ISO 27001 assumptions. Global SaaS selling outside North America without ISO 27001 faces procurement friction that SOC 2 alone will not solve.
SOC 2 vs ISO 27001: When Customers Ask for Both
Enterprise buyers with mixed US and EU footprints increasingly ask for both. The ask is usually driven by a global compliance risk analysis team consolidating vendor evidence across regions.
Running both as one program is the efficient answer — single control library, single evidence repository, two auditors.
SOC 2 vs ISO 27001: The Decision Framework for SaaS Leaders

Figure 3. SOC 2 vs ISO 27001 control overlap — most of the work benefits both deliverables, so a joint program is the default recommendation.
SOC 2 vs ISO 27001 decision in one rule: lead with SOC 2 Type II if your revenue is US-centric and enterprise procurement is the bottleneck; lead with ISO 27001 if your revenue mix includes meaningful EU, UK, or APAC exposure or regulated industry workloads. If both are in play, run a single bundled program.
SOC 2 vs ISO 27001: When SOC 2 First Is the Right Call
Lead with SOC 2 Type II if: revenue is 80%+ US; active deals are stuck on security reviews citing SOC 2; your sales cycle is 60-120 days and you need a deliverable fast; your team is small and GRC tooling-first; you expect to add ISO 27001 later as international revenue grows.
SOC 2 Type I can land in 90 days, unblocks mid-market deals, and keeps Type II on track in parallel. Use a reputable CPA firm and a GRC platform to keep evidence collection automated. Begin the Type II observation window immediately after the Type I report is issued.
SOC 2 vs ISO 27001: When ISO 27001 First Is the Right Call
Lead with ISO 27001 if: you serve EU, UK, or APAC enterprise customers; you operate in regulated industries globally (financial services, healthcare, critical infrastructure); you want a board-visible management system rather than an audit report; you value the three-year certificate cycle over annual report renewal.
An ISO 27001-first program delivers a durable information security risk management backbone that later layers into SOC 2, FedRAMP, HITRUST, or TISAX with relatively low marginal effort. Most EU customers accept ISO 27001 in place of SOC 2; fewer US customers accept ISO 27001 in place of SOC 2.
SOC 2 vs ISO 27001: When Both in One Program Is the Right Call
Run both if: revenue mix is roughly 50/50 US and non-US; enterprise buyers on both sides require their native deliverable; your security team has bandwidth for a 12-24 month bundled program; budget supports $75K-$150K across the engagement. Expect 65-90% control overlap and a unified evidence repository.
Practical bundle sequence: stand up the ISMS first to satisfy ISO 27001 Clauses 4-10; map Trust Services Criteria onto Annex A for SOC 2 evidence; run SOC 2 Type I at month 6; run ISO 27001 Stage 1 in parallel; SOC 2 Type II Observation + ISO 27001 Stage 2 close within months 12-18.
SOC 2 vs ISO 27001: Frequently Asked Questions
Is SOC 2 vs ISO 27001 an either-or choice?
No. SOC 2 and ISO 27001 are not mutually exclusive. Most mature SaaS companies selling globally end up with both.
The real question is sequence — which one first — and whether you bundle them into a single program. Bundled programs save 20-35% compared to two independent engagements.
SOC 2 vs ISO 27001: Does SOC 2 Type II satisfy ISO 27001?
No. SOC 2 Type II is an attestation report against Trust Services Criteria. ISO 27001 is a certification against a management-system standard plus 93 Annex A controls.
The evidence overlaps heavily (65-90%) but the deliverables differ. Customers who require ISO 27001 will not accept SOC 2 Type II in its place.
SOC 2 vs ISO 27001: Which is easier to implement first?
SOC 2 Type II is typically faster to first deliverable — 6-9 months for well-resourced SaaS — because it does not require a formal ISMS.
ISO 27001 takes longer up front because Clauses 4-10 and the Statement of Applicability require formal documentation, but it leaves a stronger foundation for downstream certifications.
SOC 2 vs ISO 27001: How long does each certificate last?
A SOC 2 Type II report covers the observation window tested (typically 6-12 months). Customers expect annual renewal with continuous coverage.
An ISO 27001 certificate is valid for three years with annual surveillance audits. Recertification in year four is a full Stage 2 audit against any changes to scope or risk.
SOC 2 vs ISO 27001: What about cyber insurance?
US cyber insurance underwriters credit both SOC 2 Type II and ISO 27001 at renewal. Underwriters increasingly ask for specific controls evidence — MFA coverage, EDR deployment, incident response tabletop frequency, backup recoverability — rather than the report alone.
Underwriting discounts are typical but modest; the main benefit is avoiding non-renewal.
SOC 2 vs ISO 27001: How does the SEC cybersecurity rule affect this decision?
The SEC cybersecurity disclosure rule (effective 2023-2024) requires registrants to disclose material cyber incidents on Form 8-K within four business days and to describe cyber risk management and governance in Form 10-K. SOC 2 and ISO 27001 do not directly satisfy the SEC rule but they are the most common evidence that management uses to substantiate risk-management disclosures.
SOC 2 vs ISO 27001: Do we still need ISO 27001 if we have NIST CSF 2.0?
Depends on who is asking. NIST CSF 2.0 is a framework, not a certification — there is no third-party audit or certificate. EU customers will still ask for ISO 27001.
Regulated US buyers (banks, federal contractors) accept a combination of NIST CSF 2.0, SOC 2, and sector frameworks. Treat NIST CSF 2.0 as the operating backbone and SOC 2/ISO 27001 as the attestable deliverables.
SOC 2 vs ISO 27001: Common Pitfalls During Certification
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Treating SOC 2 Type I as the finish line | Sales team celebrates the first report and deprioritizes Type II | Start the Type II observation window the day Type I is issued; treat Type I as the checkpoint it is |
| Over-scoping Trust Services Categories | Defaulting to Security + Availability + Confidentiality + Processing Integrity + Privacy | Scope only what contractual commitments require; drop Processing Integrity and Privacy unless explicitly in scope |
| Writing ISO 27001 ISMS docs for the auditor, not the business | Policy generator output copied into the repository | Rewrite policies to match operating reality; auditors catch theater fast |
| Missing the 2013-to-2022 transition | Organizations still referencing ISO 27001:2013 after 31 October 2025 | Check certificate version; rerun the gap analysis against the 93-control Annex A theme structure |
| Running SOC 2 and ISO 27001 as separate programs | Two teams, two GRC tools, two evidence repositories | One program, one control library mapped to both, one evidence repository |
| Ignoring the penetration test requirement | Budgeting only the audit fees | Book the pen test 30-60 days before fieldwork; remediate before Stage 2 / Type II close |
| Under-resourcing the internal lead | Assuming GRC tooling replaces the security lead | Assign a named owner with board-level escalation authority; tools enable, they do not replace ownership |
SOC 2 vs ISO 27001: Looking Ahead to 2026 and 2027
Through the rest of 2026, three forces will reshape SOC 2 vs ISO 27001 decisions for US SaaS. The first is regulatory pressure: the SEC cybersecurity disclosure rule is pulling board-level attention to documented risk management.
The FTC Safeguards Rule amendments are extending financial-institution expectations to ancillary service providers. The EU NIS2 Directive is pressuring EU-selling SaaS toward ISO 27001.
Tooling maturity is the second force. GRC platforms — Vanta, Drata, Secureframe, Sprinto, Thoropass, OneTrust — have collapsed the evidence-collection burden that historically gated first-time SOC 2 and ISO 27001 programs.
Expect platform consolidation and deeper multi-framework automation across 2026, with AI-assisted control mapping reaching usable quality by mid-year.
The third force is sector-specific overlays. HITRUST r2 is gaining share in US healthcare. FedRAMP is pushing authorization through FedRAMP 20x and the OSCAL format. CMMC 2.0 is progressing through phased DoD contract implementation.
Layering these on a SOC 2 + ISO 27001 base via an integrated risk management approach is the scalable path.
Finally, watch how AI-specific frameworks interact with SOC 2 vs ISO 27001. NIST AI RMF, ISO/IEC 42001, and the EU AI Act all reference information security controls that SOC 2 and ISO 27001 already cover.
Expect cross-framework mappings to become procurement standard by 2027 — a single control library serving four or five deliverables simultaneously.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
