Chapter 120: Assessments

When it comes to security and privacy, I'd like to say that everybody who's in charge of privacy and security should know what they're doing to protect data and stay compliant with regulations and policies. The only problem with that is that we all get busy, and as you scale there are a large number of products and lots of things happening. Things do get missed, dropped, or ignored, and that's just the way we, as humans, operate. We are all fallible. One of the ways to prevent that is to get an assessment done by a third party. In the security world these assessments come in all different forms. Some consultants will come in and perform an audit such as a System and Organization Controls (SOC 2) audit, an ISO 27001 audit, or even an ISO 27018 audit, and you're basically paying them to come in and test whether you're doing what you say you are. In your terms of service and in your internal and external privacy policies you're making a statement to people about how you're securing their data. Well, do you do those things, or do you just say them?

ISO 27001 is a top‐down view of security that establishes the core controls and principles of a service organization's business model regarding data management. An SOC 2 report provides an assessment of the controls that help to support that business model. ISO 27001 involves more work, but it does more to protect organizations from information security threats. The main difference between SOC 2 and ISO 27001 is that ...

Get Startup CXO now with the O’Reilly learning platform.