โ† All insights
Compliance7 min readยท

ISO 27001 vs SOC 2 Type II vs TISAX: what B2B marketers actually need to ask vendors

Three certifications, three audiences, three reasons procurement will reject your tool. A plain-language guide for marketers selecting European software.

Why this matters now

Schrems II, the EU Data Act and tightening AI regulation pushed compliance from a back-office concern into the marketing software selection process. Pick the wrong vendor and InfoSec will block the renewal, usually six weeks after the campaign goes live.

ISO 27001

The international standard for an Information Security Management System (ISMS). An ISO 27001 certificate means an external auditor verified that the vendor runs a security programme, rather than merely owning a security policy PDF. Ask for: the current certificate, the Statement of Applicability, and the scope (sometimes only one product line is in scope, so check that the product you are buying is actually covered).

SOC 2 Type II

A US-rooted attestation but widely accepted in Europe. Type II is the one to ask for: it covers operating effectiveness over a 6–12 month period, not a snapshot. Ask for: the latest report under NDA, and check the trust service criteria covered (Security is mandatory; Availability and Confidentiality are common).

TISAX

Automotive-industry standard, mandatory if you sell into German OEMs. Levels go from AL1 (self-assessment) to AL3 (on-site audit). If you're not in automotive, you probably don't need it, but a vendor that has it usually has very mature controls.

BSI C5

German federal cloud computing criteria. Increasingly requested by public sector and regulated industries in the DACH region.

What to ask every vendor

  1. Where is the data physically stored, and who is the hosting provider?
  2. Is there any US data transfer? If yes, what's the SCC / TIA position post-Schrems II?
  3. Can you share the current ISO 27001 certificate and SOC 2 Type II report?
  4. What is the subprocessor list, and how do you notify changes?
  5. Where do AI features run, and on what model? Is any customer data used for training?

The answers to (3) and (5) are where most US tools fall over. The European tools listed on this site are filtered specifically against this checklist.