SOC 2 Type II and ISO 27001 are the two certifications US CTOs require from nearshore development partners. Only 75-150 LATAM firms hold a current SOC 2 Type II attestation.
Per Vanta’s 2024 State of Trust Report, 84% of companies were asked to prove security compliance during sales cycles. Deals closed 30% faster when vendors held a current SOC 2 attestation. A 2023 Deloitte third-party risk management report found that inadequate vendor oversight is the leading cause of audit failures. For CTOs evaluating nearshore partners in Latin America, the question is not whether a vendor claims compliance. The question is whether its certifications cover the people, infrastructure, and processes touching your code and data.
This guide delivers a 12-point evidence checklist to move compliance due diligence from certificate-scanning to operational verification. It covers what each framework certifies, how to read the documents that matter, and the gaps most CTOs find after signing.
What Do SOC 2 Type II and ISO 27001 Actually Certify?
SOC 2 Type II and ISO 27001 solve different problems. Conflating them creates blind spots. SOC 2 Type II is an attestation issued by a licensed CPA firm. It evaluates whether controls operated effectively over a 6-12 month review period. The final report runs 50-100+ pages. It contains the auditor’s opinion, management’s assertion, a system description, and test results including exceptions. ISO 27001 is a certification issued by an accredited body (BSI Group, SGS, PECB). It confirms the organization has implemented an Information Security Management System (ISMS). Annex A provides 93 potential controls. The partner documents which controls apply in a Statement of Applicability (SoA).
| Feature | SOC 2 Type II | ISO 27001 |
|---|---|---|
| Nature | Attestation on control effectiveness over time | Certification of a management system |
| Issuer | Licensed CPA firm (A-LIGN, Schellman, Coalfire, Moss Adams) | Accredited certification body (BSI, SGS, PECB) |
| Audience | North America; detailed report, not a shareable certificate | Globally recognized; results in a shareable certificate |
| Focus | “Did you do what you said over the last 6-12 months?” | “Do you have a system to identify and treat risks?” |
| Weakness alone | Backward-looking; controls can degrade after audit | Forward-looking; operational effectiveness is assumed, not proven |
What Do the Five Trust Services Criteria Cover?
Only Security (Common Criteria) is mandatory in a SOC 2 report. Every other criterion is a deliberate scope decision.
| Trust Services Criterion | What It Covers | Red Flag if Absent |
|---|---|---|
| Security (mandatory) | Access management, intrusion detection, firewalls | No SOC 2 report exists |
| Availability | Disaster recovery, uptime, incident handling | Partner cannot back uptime SLAs |
| Processing Integrity | Complete, accurate, authorized processing | Unaudited data accuracy in financial or transactional systems |
| Confidentiality | Encryption, access controls, data handling | No audited protection for your IP and source code |
| Privacy | PII lifecycle management per AICPA GAPP | Higher exposure under CCPA, LGPD, or GDPR |
Many nearshore firms pursue only Security and Confidentiality. They skip Availability. This is a red flag for any team relying on uptime SLAs or CI/CD pipeline continuity.
Why Does Audit Timing Determine Real Assurance?
A SOC 2 Type I attests that controls exist at a single point in time. Type II proves they operated effectively over 6-12 months. ISO 27001 follows a parallel track. Stage 1 is a documentation review. Stage 2 is the operational audit. Certification is valid for three years with mandatory annual surveillance audits. A freshly issued ISO 27001 certificate with no surveillance audit history means the system has never been tested for sustained operation.
First-time SOC 2 Type II costs $30,000-$100,000 and takes 9-15 months. ISO 27001 initial certification costs $25,000-$80,000 over 6-12 months. Annual surveillance audits add $10,000-$25,000. A partner maintaining both frameworks commits $55,000-$180,000 upfront. This is a financial signal of seriousness.
Reject any partner presenting only a SOC 2 Type I or a first-year ISO 27001 certificate without at least one completed surveillance audit. These represent intent, not proven security.
SOC 2 and ISO 27001 certification cost ranges: what vendors invest in upfront audits and ongoing surveillance to maintain dual compliance.
Why Does Nearshore Security Compliance Require Both Frameworks?
An estimated 200-400 nearshore development firms across Latin America hold ISO 27001. Only 75-150 hold SOC 2 Type II. Hundreds of partners can demonstrate a governance system on paper but have never submitted their operational controls to CPA-firm scrutiny.
SOC 2 alone has one structural weakness. It is backward-looking. A partner can pass a Type II audit covering January through December and then dismantle security operations in January of the following year. ISO 27001 fills this gap. Its ISMS mandates risk assessment cycles, management reviews, and corrective action processes. ISO 27001 alone has the opposite weakness. It confirms a control objective exists but does not require the assessor to pull six months of access logs or verify MFA enforcement. SOC 2 Type II subjects that governance framework to independent, evidence-based verification on a recurring cycle.
A 2023 Everest Group analysis placed top-tier LATAM providers on par with Eastern European counterparts in security maturity. The gap with the most mature Indian providers is closing but only at the top tier, not across the market. Named firms holding both certifications include Encora (Mexico, Colombia, Costa Rica, Peru, Brazil) and Perficient (formerly PSL, Colombia). Gorilla Logic (Costa Rica, Colombia, Mexico) achieved SOC 2 Type II in January 2023. Azumo (Argentina, Colombia) followed in 2023. Brazil and Mexico lead the region in SOC 2 adoption, followed by Colombia and Costa Rica.
For more on how to structure a technical evaluation of nearshore partners, see our nearshore development partner evaluation checklist.
LATAM nearshore SOC 2 and ISO 27001 compliance snapshot: how few certified vendors exist and why demand for dual certification is rising.
What Does It Mean When a Nearshore Partner Has Only One Certification?
A partner holding ISO 27001 without SOC 2 has proven that a risk management framework exists. Policies are documented. A risk register is maintained. Internal audits run. What it has not proven: whether the access control policy prevented unauthorized repository access last Tuesday. Whether encryption was enforced on every database during the past nine months. Whether the incident response plan executed within its stated SLA. SOC 2 Type II answers those questions. It pulls access logs, reviews change management tickets, tests encryption configurations, and interviews engineers.
A partner holding SOC 2 without ISO 27001 can pass an audit cycle and then regress. Controls degrade without a governance system enforcing their maintenance. Teams skip code reviews, grant overly permissive access, and defer patching. No external mechanism catches the drift until the next audit begins.
How Do You Evaluate a Partner That Says Certification Is “In Progress”?
If a partner cannot produce at least a completed SOC 2 Type I report or an ISO 27001 Stage 1 completion letter, they are pre-compliance, not in-progress. A partner genuinely pursuing certification has spent $10,000-$30,000 on readiness assessments and engaged a named auditor. A nearshore partner holding both certifications typically charges a 15%-25% premium over non-certified competitors. For a five-engineer team, that translates to $75,000-$125,000 per year. A partner quoting rates well below certified competitors while claiming certification is imminent has not absorbed these costs.
| Acceptable Interim Evidence | Stalling Signal |
|---|---|
| SOC 2 Type I completed; Type II underway with named CPA firm | “We plan to start next quarter” with no named auditor |
| ISO 27001 Stage 1 letter from accredited body; Stage 2 scheduled | “We’re ISO 27001 aligned” without formal audit engagement |
| Active compliance platform (Vanta, Drata) with evidence collection underway | “We use [tool]” but cannot show current control status |
| Named compliance lead who can articulate gaps and milestones | No dedicated compliance function or accountability point |
| Willing to accept contractual certification deadline with financial penalty | Refuses to tie milestones to contractual terms |
What Does the 12-Point Compliance Evidence Checklist Cover?
Requesting compliance evidence is standard procurement practice. Any partner treating it as unusual is telling you something about their security posture before you review a single document. Each item below specifies the document to request and what a credible response looks like. Red flags that should halt evaluation are listed. The operational verification step confirms paperwork reflects reality.
What Should You Verify in a SOC 2 Report?
Request the complete report, not an executive summary or opinion letter alone. The observation period should have ended within 12 months. The CPA firm should be reputable: A-LIGN, Schellman, Coalfire, Moss Adams, or a firm with an established SOC practice. Section III (system description) must explicitly cover the services you are purchasing. This includes the development environment and the personnel policies governing engineers on your code. Section IV (Tests of Controls) should show few or no exceptions. Where exceptions exist, each must include a management response with a specific root cause, remediation action, and completion date.
Red flags: the partner offers only the opinion letter and claims the full report is confidential. SOC 2 reports are routinely shared under NDA. Refusal signals the report contains findings the partner does not want you to see. An “adverse” or “disclaimer” opinion is disqualifying. Numerous significant exceptions around access management, encryption, or change management indicate systemic failures.
Verification step: open Section IV and count exceptions. For each, read the management response. Locate the Complementary User Entity Controls (CUECs). These are controls the partner assumes your organization operates. If you cannot fulfill a CUEC, the assurance model has a hole. Share them with your security team before signing. If the report ended more than three months ago, request a bridge letter.
What Artifacts Prove ISO 27001 Is Operational?
Request: the certificate, the full SoA, the most recent internal audit report, the corrective action log, and evidence of at least one management review meeting in the current certification cycle.
The certificate must be from an accredited body traceable to an International Accreditation Forum (IAF) member. Verify at iafcertsearch.org. The ISMS scope statement must name software development operations and the specific delivery center(s) where your engineers work. The SoA must map all 93 Annex A controls with substantive exclusion rationale. An exclusion of A.8.25 (Secure Development Life Cycle) in a software firm is disqualifying.
Red flags: no SoA available; certificate from a non-accredited body; scope so narrow it excludes the development team; corrective action log showing nonconformities open beyond 120 days.
Verification step: read the ISMS scope statement word by word. If it says “headquarters office in Medellin” and your developers work remotely from Bogota, the certificate does not cover your engagement. Request the risk register (required under ISO 27001 Clause 6.1.2). A mature partner’s risk register feeds directly into control selection and maps logically to controls tested in their SOC 2 report.
What Penetration Testing Evidence Should You Request?
Request the executive summary of the most recent external pentest and vulnerability management documentation covering at least the last two quarters.
Annual external pentests should be conducted by an independent firm: Bishop Fox, NCC Group, NetSPI, or a CREST-accredited provider. All critical findings should be remediated within 7 days. High-severity findings within 30 days. Vulnerability scanning should run at least weekly via Tenable, Qualys, or Snyk.
Red flags: automated scans (Nessus output) presented as “penetration tests.” Self-testing by the partner’s own security team. Critical findings marked “risk accepted” without a leadership-approved rationale.
Verification step: ask for the remediation timeline on the most recent critical finding. “When was it discovered, when was remediation completed, and what was the fix?” The answer tests whether the partner tracks remediation operationally or only notices findings when audit season arrives.
What Access Control and IAM Evidence Is Required?
Request documented RBAC and Principle of Least Privilege policies plus IAM configuration evidence.
MFA must be enforced without exception on all critical systems: cloud consoles, code repositories, VPN, and CI/CD platforms. Automated deprovisioning should trigger same-day when a developer rolls off. Deloitte’s 2023 third-party risk management report found that developers at outsourcing partners frequently hold overly broad access privileges that persist well beyond project completion. Client environments must be segregated at the infrastructure level (separate AWS accounts or GCP projects).
Red flags: shared admin accounts, standing production access, MFA optional or partial, no documented offboarding process.
Verification step: ask for a live walkthrough of IAM configurations. Request evidence of the most recent quarterly access review. Ask the specific question: “When a developer rolls off our project, how quickly is their access revoked, and what system triggers it?” Best-in-class partners use SCIM integration for same-day deprovisioning. For more detail on vetting controls during developer selection, see our guide on how nearshore firms vet developers.
What SIEM, MDM, and Incident Response Documentation Matters?
SIEM and endpoint protection: Require a modern SIEM or XDR platform (CrowdStrike Falcon, SentinelOne, Microsoft Sentinel, Splunk) aggregating logs from identity providers, cloud infrastructure, and endpoints. Log retention: 90 days minimum for investigation, 365 days for compliance. EDR on 100% of developer workstations.
Verification step: ask for mean time to detect (MTTD) and mean time to respond (MTTR). A partner answering with specific metrics operates a mature capability. A partner deferring to policy documents has tooling without operational discipline.
Device management (MDM): All developer laptops must be company-owned and managed via MDM (Jamf, Kandji, Microsoft Intune). Policies must enforce disk encryption, OS patching, screen lock, and remote wipe. BYOD must be confined to managed VDI with no local data storage.
Incident response: A documented IR plan tested via tabletop exercise within the last 12 months. Clear notification SLAs in the MSA: P1 (confirmed breach involving your data) within 1 hour, P2 (suspected incident) within 4 hours.
Verification step for IR: ask for the date, scenario, and after-action report of the most recent tabletop exercise. Confirm notification SLAs appear as contractual obligations with defined consequences, not in an internal policy document the partner can modify unilaterally.
What Data Protection and Subcontractor Disclosures Are Non-Negotiable?
Background checks: Use reputable third-party vendors (HireRight, Sterling, TusDatos in Colombia). Checks should cover criminal records, education, and employment verification. The partner must be transparent about country-specific legal limitations. Background checks must complete before a developer is granted access to your systems.
Cyber insurance: Active Cyber Liability and E&O policy with limits appropriate for contract size. $5M-$10M coverage is common for mid-market vendors. Review exclusions: a ransomware exclusion negates coverage for the most common incident type.
Data processing agreements: DPA aligned to applicable regulations (GDPR, LGPD, CCPA/CPRA) with Standard Contractual Clauses where required. None of the major LATAM countries mandate local data residency for general commercial data. Data can be stored in the US in AWS, GCP, or Azure environments. Key LATAM laws: Brazil’s LGPD is modeled on GDPR and imposes requirements on Brazilian data subjects. Colombia’s Law 1581 requires explicit consent and SIC database registration. Argentina’s PDPA Law 25.326 holds EU adequacy recognition. Mexico’s LFPDPPP requires a privacy notice and INAI breach reporting. Confirm specific cloud regions where data will reside and verify breach notification timelines match your regulatory obligations.
Security awareness training: Annual training with completion rates above 95%. Phishing simulations with measurable improvement. Developer-specific secure coding training covering OWASP Top 10. Verification: during developer interviews, ask basic security questions. Inability to articulate their role in the security program is a red flag.
Subcontractor disclosure: Deloitte’s 2023 report identified failure to flow down security requirements contractually as among the most common audit failures. Request full transparency on any subcontracted personnel. Subcontractors must operate under equivalent controls: their own SOC 2/ISO 27001, or a binding security addendum. Include a contractual right-to-audit clause covering subcontractors. Many nearshore firms quietly subcontract. The subcontractor’s environment may be entirely unaudited.
What Compliance Gaps Do CTOs Find After Signing With a Nearshore Partner?
Certifications create a dangerous illusion when buyers stop at the certificate and never verify what the audit actually covered. The three gaps below surface repeatedly in post-signature security reviews and vendor risk reassessments.
How Can a Certification Scope Exclude Your Actual Developers?
This is the most common and dangerous post-signature gap. The ISO 27001 or SOC 2 scope covers the partner’s headquarters or a specific delivery center, but the developers assigned to your project work remotely or from an uncertified office.
A partner certifies its Guadalajara, Mexico office. It assigns your project eight engineers. Three work from that office. Two work from home in Monterrey. One works from a coworking space in Mexico City. One relocated to Bogota and never updated HR. One is a subcontractor from an intermediary firm in Buenos Aires. Five of eight developers operate entirely outside the certified scope. Controls verified by the auditor (physical access, on-premises SIEM sensors, MDM enforcement via the office network) do not apply to environments where your code is actually being written and pushed.
Read the ISMS scope statement before signing. Look for three elements. First: organizational boundaries. Does the scope name specific legal entities? Multi-country LATAM operations often use a holding company in Uruguay with operating entities in Colombia and Mexico. Confirm the entity employing your developers is included. Second: physical boundaries. Does the scope list specific office addresses, or does it use language like “all locations where services are delivered, including remote work environments”? A named address means remote developers fall outside scope. Third: technology boundaries. Does the scope cover the cloud accounts and CI/CD pipelines used for client engagements, or only corporate IT?
Read the SOC 2 system description (Section III) for four terms: “remote,” “work from home,” “subcontractor,” and “third party.” If none appear, the system description likely excludes distributed work environments. Check the infrastructure subsection for the specific platforms and hosting environments in scope. Check the people subsection for which personnel categories the controls apply to.
A 2023 survey by the Colombian IT industry association found that 35%-40% of engineers staffed on outsourced projects were engaged through intermediary firms. Subcontracting is pervasive in LATAM nearshore delivery. Require a written representation listing every personnel category that will touch your project: full-time employees, contractors, and subcontractors. Confirm each is covered by the certified scope or subject to documented compensating controls.
What Signals Indicate Security Theater Rather Than Real Controls?
Policies that are templated carry no meaningful assurance. Generic policy language, missing training completion records, and no tabletop exercise history are all concrete signals of performative compliance. Developers unable to articulate their role in the security program confirm it.
During developer interviews, ask: “What is your process when you receive a suspicious email?” and “How do you handle secrets in code?” These questions take under two minutes. A developer who can answer them has been trained. A developer who cannot has been given a compliance logo, not a compliance program.
A 2024 Coalfire analysis noted that 30% of SOC 2 report scope disputes during re-audits involved cloud infrastructure provisioned after the prior observation period ended: accounts and projects that were operational and serving clients but had never been included in the system description. During technical due diligence, ask the partner to identify the exact AWS account ID, GCP project ID, or Azure subscription ID that will host your workloads. Then open the SOC 2 system description and confirm that identifier appears.
Compliance drift between audit cycles is structural, not exceptional. A SOC 2 Type II report covers a 12-month observation period. The next period may not begin immediately. Some partners run a gap of 1-3 months between cycles. During report issuance delays and inter-cycle gaps, 3-5 months pass with no external oversight. During that window, MFA gets disabled to resolve an authentication issue and never re-enabled. A logging pipeline fails silently. An access review gets deferred from Q2 to Q3 to “next quarter.” Require the partner to grant read-only dashboard access to their compliance automation platform (Vanta, Drata, Secureframe). These platforms track control status in real time. A partner willing to share continuous monitoring data has nothing to hide between audit cycles.
Frequently Asked Questions About SOC 2 ISO 27001 Nearshore Compliance
CTOs evaluating nearshore security compliance most often ask these questions during vendor selection.
Do All Nearshore LATAM Firms Hold SOC 2 or ISO 27001?
No. An estimated 75-150 LATAM nearshore firms hold a current SOC 2 Type II attestation. Between 200-400 hold ISO 27001. The median nearshore firm in the region holds neither. Dual certification is a genuine differentiator, not a baseline expectation. Brazil and Mexico lead in SOC 2 adoption. Colombia and Costa Rica follow.
Is ISO 27001 Enough Without SOC 2 Type II?
ISO 27001 alone is insufficient for US enterprise buyers. It proves a governance system exists but does not verify whether controls operated effectively during a specific time period. SOC 2 Type II provides that evidence through CPA-firm testing of actual control operations over 6-12 months. ISO 27001 without SOC 2 means the partner’s access logs, encryption configurations, and incident response were never independently tested.
What Happens to My SOC 2 Audit If My Nearshore Partner Is Not Certified?
Your own SOC 2 auditor will ask for a list of all sub-processors. If your nearshore development partner is a sub-processor and cannot provide their own SOC 2 report, you will likely receive a finding for failure to perform adequate vendor risk assessment. This can jeopardize your entire audit. A pre-certified partner resolves this by providing the auditor with a pass-through attestation, provided the partner’s scope covers the services you consume.
How Do Background Checks Work in LATAM Countries?
Background check requirements vary by country. In Colombia, Brazil, Argentina, and Mexico, reputable providers (HireRight, Sterling, TusDatos) run criminal record searches, education verification, and employment verification. Credit history checks face legal restrictions in most LATAM jurisdictions. The partner must complete background checks before granting developers access to your systems, not after onboarding. Ask for a sample redacted report to confirm scope.
What Is a BAA and When Do Nearshore Developers Need One?
A Business Associate Agreement (BAA) is a legal prerequisite for any engagement involving Protected Health Information (PHI) under HIPAA. Any nearshore partner working on healthcare-adjacent systems must sign a BAA. The partner’s SOC 2 report should include the Confidentiality and Availability criteria. Their ISO 27001 SoA should map to HIPAA’s Administrative, Physical, and Technical Safeguards. Their breach notification process must align to the 60-day HIPAA window. A partner who refuses to sign a BAA is disqualified from healthcare work regardless of their certifications.
How Often Should I Reassess a Nearshore Partner’s Compliance?
Reassess annually at minimum, with trigger-based re-evaluation for: a partner acquiring or being acquired, a data breach involving the partner or their sector, key compliance personnel turnover, expansion of scope (new developers, new delivery centers, new countries), and any major infrastructure migration. Build reassessment triggers and annual evidence refresh obligations into the MSA at signing. Most buyers conduct thorough initial due diligence and then never reassess until an incident forces the issue.
Ready to Evaluate a Nearshore Partner Against This Checklist?
Nearshore Business Solutions sources and vets engineers from Colombia, Mexico, Argentina, and Brazil. We screen for technical skills, English fluency, and US work style fit. Our acceptance rate is 16%.
Every placement includes a 90-day replacement guarantee. You receive pre-vetted candidates within 2-4 weeks.
Get a free compliance consultation to discuss your security requirements and receive a shortlist of pre-vetted, certified-partner-backed candidates.
