What does KollGuard do?

KollGuard connects read-only to your GitHub repositories and databases (Postgres, Supabase), scans them for security gaps, and maps every finding to the controls auditors check. The first scan is free and takes minutes.

Which compliance frameworks does KollGuard support?

Twelve: SOC 2 and HIPAA are asserted directly from the technical checks, while ISO 27001, ISO 27701, PCI DSS, GDPR, NIST CSF, NIST 800-53 (the basis for NIST 800-171 and CMMC), HITRUST CSF, CIS Controls and the Joint Commission (JCAHO) Information Management standards are crosswalked from the same checks.

How is KollGuard different from Vanta, Drata, or Secureframe?

KollGuard actually scans your systems rather than only collecting evidence or sending questionnaires, starts free in minutes, is transparently and affordably priced, and lets vendors prove their posture without sharing source code or credentials.

Can KollGuard monitor my AI agents?

Yes. KollGuard's Agent Watch monitors the AI agents you deploy — MCP servers, CI bots, service accounts, and LLM agents — recording every run as a tamper-evident, hash-chained heartbeat, raising health and behavior-drift alerts, and emailing a nightly digest. It maps agent activity to the same SOC 2 and HIPAA controls as the rest of your security posture, so the AI agents touching your data are continuously monitored for compliance.

Does KollGuard need access to my source code?

No. KollGuard performs read-only checks against repository and database metadata and configuration; it never copies or stores your source code, and credentials are encrypted in a vault.

How much does KollGuard cost?

The first scan is free. Paid plans are Starter at $19.89/month and Growth at $99/month, with custom Enterprise pricing. There are no quote-based contracts to get started.

Is ISO 27001 harder than SOC 2?

Different harder. ISO requires a management system (continuous risk assessment, internal audit, management review). SOC 2 requires the controls themselves. Many teams find ISO's management-system burden larger in calendar time; SOC 2's technical control burden larger in eng time.

Can I reuse evidence between them?

Yes — ~70% of evidence is reusable. Mature programs run both on a shared evidence platform.

Does KollGuard cover ISO 27001?

Yes via crosswalk from SOC 2 / HIPAA technical controls. We're explicit about it. Native ISO 27001 assertion requires a registrar-recognized ISMS — that's beyond tool scope.

Type 1 SOC 2 vs Stage 1 ISO audit?

Loosely analogous: both are readiness assessments before the full evaluation (Type 2 / Stage 2 + certification audit). The shape is similar; the methodology is different.

SOC 2 vs ISO 27001 — KollGuard

SOC 2

AICPA SSAE 18 attestation by a US CPA firm. Tests controls against the Trust Services Criteria. Type 1 = point-in-time; Type 2 = period (3-12 months).

Who needs it: US-focused SaaS
Authority: AICPA / CPA firms
Issued as: Attestation report (CPA opinion)

ISO 27001

International standard for an Information Security Management System (ISMS). Certified by accredited registrars. Three-year cert with annual surveillance audits.

Who needs it: EU / international-focused SaaS, enterprise vendors
Authority: ISO/IEC, accredited registrars (BSI, TÜV, etc.)
Issued as: Certificate

Similarities

Both demonstrate enterprise-grade security to procurement teams.
Substantial control overlap — encryption, access management, change management, incident response.
Both require risk assessment, documented policies, workforce training, and management oversight.
Both produce auditor-mappable evidence; many tools support both.

Where they differ

Axis	SOC 2	ISO 27001
Geography	Primarily US	International / EU-favored
Output	Report (with opinion)	Certificate
Framework type	Control attestation	Management system (ISMS)
Scope	Service organization	ISMS scope (you define it)
Renewal cycle	Annually (Type 2)	3-year certification + annual surveillance + 3-year recertification
Cost (auditor)	$5k–$50k	$15k–$60k initial; $5k-$15k surveillance
Customer recognition	High in US	High in EU, high in international enterprise

Which do you need?

Pick SOC 2 if…

Your customers are in the US and procurement asks for "your SOC 2."

Pick ISO 27001 if…

You sell in Europe, Asia, or to multinationals where ISO certifications are the lingua franca.

Pick both if…

You sell globally to enterprise. Many tools and auditors offer a combined SOC 2 + ISO 27001 program at modest incremental cost.

Pick SOC 2 first if…

You're US-headquartered. Faster to first sale; ISO can follow once you have customers in EU.

Frequently asked

Is ISO 27001 harder than SOC 2?: Different harder. ISO requires a management system (continuous risk assessment, internal audit, management review). SOC 2 requires the controls themselves. Many teams find ISO's management-system burden larger in calendar time; SOC 2's technical control burden larger in eng time.
Can I reuse evidence between them?: Yes — ~70% of evidence is reusable. Mature programs run both on a shared evidence platform.
Does KollGuard cover ISO 27001?: Yes via crosswalk from SOC 2 / HIPAA technical controls. We're explicit about it. Native ISO 27001 assertion requires a registrar-recognized ISMS — that's beyond tool scope.
Type 1 SOC 2 vs Stage 1 ISO audit?: Loosely analogous: both are readiness assessments before the full evaluation (Type 2 / Stage 2 + certification audit). The shape is similar; the methodology is different.

SOC 2 vs ISO 27001