# Framework Selection Decision Tree (SOC 2 vs PCI DSS vs ISO 27001)

Start here:

1) Do you store, process, or transmit payment card data?
- Yes → Start with **PCI DSS** (confirm the scope against your actual payment card flows).
- No → Go to question 2.

2) Are you a SaaS company selling to US-based enterprise buyers?
- Yes → Start with **SOC 2**.
- No → Go to question 3.

3) Are you pursuing an internationally recognized information security management system (ISMS) certification, often required by procurement?
- Yes → Start with **ISO 27001**.
- No → SOC 2 is usually the fastest “trust credential” for SaaS.

## Evidence overlap notes

- Strong vulnerability management evidence supports all three frameworks.
- Access control, change management, and incident response evidence overlaps heavily across all three.

## Bundling makes sense when

- You already need PCI DSS and want SOC 2 for enterprise procurement.
- You want ISO 27001 as the long-term management system and SOC 2 as the near-term sales enabler.
