
Why IT companies lose enterprise deals before the first technical meeting

Enterprise procurement runs a compliance verification before it evaluates technical capability or price. Most IT companies discover this at the worst possible moment: when a warm deal stalls because they lack ISO 27001, SOC 2, or a signed GDPR Data Processing Agreement.
The certifications that block deals are determined by which industry your target clients operate in, not which industry you operate in. This article explains what procurement actually checks, maps the requirements by client industry, covers real costs, and gives a sequencing framework for founders working through this one certification at a time.


The compliance gate: what actually happens when a deal stalls

By the time most IT companies start thinking seriously about certifications, they are already behind a deal. The introduction to the banking client or the healthcare system was warm. The technical conversations went well. Then procurement sent a vendor qualification questionnaire, and questions appeared about ISO 27001, SOC 2 reports, data processing agreements, and subprocessor lists. The certification process takes 9 to 18 months. The procurement window does not wait.
What follows is not a negotiation about whether the requirements are reasonable. Enterprise clients in regulated industries carry direct regulatory liability for the vendors they work with. A bank that processes customer data through an uncertified IT vendor is exposed to supervisory action. A hospital system that signs an MSA with a vendor whose architecture has not been validated for data protection is exposed to breach liability. Their procurement process exists to manage that exposure, and it operates on documented evidence rather than personal trust or reputation.

“They had built a strong product, came to the hospital with confidence, and the solution genuinely solved the problem. Then procurement ran the security audit and found the platform was not compliant. They had to rebuild significant parts of the architecture before the deal could proceed. By then the procurement window had passed.”

Andrii Svyrydov, Co-Founder & CEO, CorpSoft

What procurement teams actually verify beyond the certificate

A certification is the entry requirement, not the complete answer. Enterprise procurement in banking and healthcare runs a structured review that goes several layers deeper than asking whether you are certified.

The vendor security questionnaire

Most enterprise clients issue a security questionnaire as part of vendor onboarding. These range from 30 questions at smaller organisations to 200 or more at large financial institutions, using frameworks like SIG (Standardized Information Gathering) or CAIQ (the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire). With ISO 27001 in place, most of the documentation needed to answer these already exists; without it, answering a single 200-question questionnaire takes a senior technical person 20 to 40 hours. Multiply that by your active pipeline and the cost of not being certified becomes visible before you count a single lost deal.

The Data Processing Agreement

For any engagement involving EU personal data, enterprise legal teams require a signed GDPR-compliant Data Processing Agreement before any contract moves forward. The DPA specifies what data you process, the legal basis, where it is stored, how long it is retained, what security measures protect it, and what happens when there is a breach. Most enterprise buyers present their own DPA template. You need a reviewed counter-template and a clear process for negotiating the standard clauses around sub-processors and data transfers. Without this document, the contract cannot execute regardless of anything else.

Evidence that controls operate in practice

The certificate confirms your ISMS was audited. Sophisticated buyers also want evidence that it runs. They may request your most recent penetration test report, your access control policy, your incident response playbook, security training completion records, or recent internal audit findings. The certificate and the supporting documentation answer different questions. The first says your system was built correctly. The second says it is actually being maintained.

Third-party and subprocessor review

Enterprise clients in regulated industries review the compliance posture of every tool or service you use that touches their data. An uncertified AI API, a cloud service without the right agreements, a logging tool that sends data to a third country: any of these can stall a contract even when your own certifications are in order. A documented and current subprocessor list, with compliance status for each, is now standard in enterprise onboarding and should be ready before any qualification process begins.

Certification requirements by client industry

Certification requirements matrix by client industry (image not reproduced here). Legend:
  • High - required in most enterprise procurement processes for this industry.
  • Recommended - expected by enterprise buyers; absence is a competitive disadvantage.
  • Situational - required when specific data types or functions are in scope, such as payment processing or AI systems.


A few patterns that stand out in the matrix. Banking and FinTech carries the most demanding profile, with High ratings across six of eight standards. ISO 27001 appears as High across five EU enterprise segments, making it the broadest single investment you can make. GDPR and NIS2 show as High across most segments not because they are certifications but because they are legal obligations that procurement verifies through contracts.


ISO 27001 and SOC 2: the two standards that block the most deals

ISO 27001: certifying the management system

ISO 27001 does not audit individual security tools or configurations. It certifies that you have built, documented, and are operating an Information Security Management System: a risk-driven governance approach covering your people, processes, and technology. The current version, ISO 27001:2022, covers 93 controls across four themes. The audit is conducted by an accredited certification body and results in a certificate valid for three years, with annual surveillance audits in between.
The implementation process surfaces something founders rarely anticipate: building the ISMS requires documenting the security policies, risk assessments, vendor oversight processes, and incident response procedures that most growing IT companies have never formalised. That documentation is exactly what enterprise clients ask for in qualification questionnaires. Companies that treat implementation as operational improvement rather than a compliance checkbox finish faster and produce certifications that hold up under follow-up scrutiny.

"The vendors who pass cleanly are the ones where every policy is backed by evidence from real operations: access logs, training records, quarterly reviews. Vendors who need remediation rounds typically built documentation on a deadline without embedding the controls into daily practice."

Kyrylo Proskurnya, Co-founder, Baltum

SOC 2 Type II: proving the controls work

SOC 2 is structurally different from ISO 27001. It is an attestation report produced by a licensed CPA firm over an audit period of 6 to 12 months. The output is a confidential document, shared only under NDA. US enterprise procurement treats Type II as the vendor security standard, and it is not accepted as a substitute for ISO 27001 in European RFPs, nor the reverse.
The reason to build ISO 27001 first: the two standards share approximately 80% of their control requirements. Risk assessments, access policies, incident response, change management, and vendor oversight are core to both. If ISO 27001 is already in place, most of the SOC 2 work is done.

For IT companies with mixed pipelines: if your next 18 months are primarily European deals, start with ISO 27001 and GDPR compliance. If active US enterprise deals are in motion, add SOC 2 Type I as an interim signal while your Type II audit period accumulates. The sequencing section below covers this in more detail.


GDPR, NIS2, and DORA: the regulatory layer EU clients enforce

These three are not certifications to pursue. They are legal obligations that European enterprise clients verify through contracts, and they operate regardless of whether you hold ISO 27001 or SOC 2.

GDPR

GDPR applies to any IT vendor processing personal data of EU residents, regardless of headquarters location. Enterprise legal teams verify four things at contract stage: a signed Data Processing Agreement specifying what you process and under what legal basis; a Record of Processing Activities maintained and current; documented security measures proportionate to the data risk; and a 72-hour breach notification process. All four need to be ready before contract negotiations begin.
GDPR fines totalled €5.88 billion cumulative by early 2025, and enforcement has expanded beyond big tech into financial services, energy, and IT service providers.

NIS2

NIS2, effective October 2024, extends cybersecurity obligations to IT service providers in the supply chains of critical infrastructure entities. If your clients operate in banking, healthcare, energy, or digital infrastructure in the EU, NIS2 may require them to verify that you implement appropriate security measures. ISO 27001 is the clearest available evidence of this.

DORA

DORA, in force since January 2025, applies specifically to IT vendors working with EU financial clients. Banks must classify IT service providers by criticality and include specific resilience clauses under Article 30 in contracts. If you have banking, insurance, or investment management clients in the EU, review your existing MSAs against these requirements before your clients raise them in a contract renewal.

"Clients now ask specifically how you handle the security posture of the tools and APIs that touch their data. IT vendors who completed ISO 27001 before 2024 often find their documentation does not yet address these questions."

Svitlana Lianna, Lead Auditor, Baltum

The real cost: certification investment versus lost deal value


The cost most founders budget for is the invoice. The cost that actually slows certification down is internal bandwidth.
The ISO 27001 readiness phase requires 2 to 4 months of a senior technical person's sustained attention. At most IT companies between 50 and 200 employees, that attention comes from the CTO or a senior engineer who already carries a full delivery load. That is why a 12-month certification timeline routinely extends to 16 or 18 months, and why the first surveillance audit often exposes controls that existed on paper during the push to certify but were never actually operationalised.

Engaging an external specialist for the readiness phase compresses both the timeline and the total cost by eliminating the remediation cycles that come from building documentation without compliance expertise.

How to sequence, and what to do while you wait

Start where your active deals are

Your pipeline determines the right first certification, not what sounds most comprehensive.
If your next 18 months of enterprise deals are primarily in European markets, start with ISO 27001 and GDPR compliance in parallel. ISO 27001 appears as High across five EU enterprise segments; GDPR is a legal baseline for any EU personal data processing. These two together cover the widest surface area per certification cycle for a European-focused pipeline.

If active US enterprise deals are in motion, start with ISO 27001 and move immediately to SOC 2 Type I as an interim credential while the Type II audit period accumulates. US enterprise procurement treats Type II as the production standard and expects it within 18 months.

For mixed pipelines, ISO 27001 first is the correct starting point. The 80% control overlap means that work carries forward to every standard you pursue next. Industry-specific certifications like ISO 9001 for manufacturing clients or ISO 22301 for data centre and banking clients layer on after the foundation is in place.


What to do with a live deal while certification is in progress

A specific timeline is more useful to a procurement team than a vague commitment. "We are in the ISO 27001 implementation phase, with Stage 1 audit scheduled for Q3 2026 and certification expected by Q4 2026" is a credible answer. "We are working toward certification" without a milestone reads as an indefinite deferral.
A security posture document can bridge smaller or pilot engagements. This is a structured summary of your current controls, access management practices, incident response process, and vendor oversight procedures. Pair it with a reviewed DPA template, a current subprocessor register, and a signed commitment to the certification timeline. Some enterprise clients will begin a limited engagement on this basis.

A note on Eastern European IT vendors specifically

IT companies from Ukraine, Poland, Romania, and neighbouring countries face questions in enterprise procurement that go beyond the standard checklist. Enterprise clients in Western Europe and the US ask about data residency: where your servers are, which jurisdictions data passes through, and what happens to client data if operations are disrupted. These are risk management questions. They require prepared answers.
Cloud hosting with EU or US data residency is now a baseline requirement for most regulated clients, regardless of where your development team operates. "Our servers are in our office" is not a viable answer in enterprise procurement.

If your team operates in a country with recent geopolitical instability, some clients will request business continuity documentation. Having this prepared in advance, rather than assembled during a procurement conversation, makes a real difference to how vendors in this region are assessed.

ISO 27001 has particularly high signal value for CEE vendors selling into Western European markets. It provides independent third-party verification of your security posture at a time when some clients carry residual scepticism about unfamiliar vendor geographies.

FAQ

  • Between 9 and 18 months from starting implementation to receiving the certificate. The range depends on two factors: your current security maturity and how much bandwidth your team can give the process.
    A company with an external specialist guiding implementation typically finishes in 9 to 12 months. A company where the CTO handles it alongside delivery typically takes 14 to 18 months. If a live enterprise deal is in progress, communicate a specific milestone timeline to procurement rather than a general commitment.

  • No. US enterprise procurement treats SOC 2 Type II as the vendor security standard. ISO 27001 is not accepted as a substitute in US RFP processes, though some US clients will accept it as supplementary evidence while a SOC 2 audit is in progress. If your pipeline includes meaningful US enterprise deals, you need SOC 2 Type II. Building ISO 27001 first completes approximately 80% of the SOC 2 control work.

  • Four things that enterprise legal teams verify at contract stage: a signed Data Processing Agreement specifying what you process and under what legal basis; a maintained Record of Processing Activities; documented security measures proportionate to the data you handle; and a 72-hour breach notification process. None require formal certification, but all four need to be ready before contract negotiations begin.

  • Start the implementation immediately and give procurement a specific, credible timeline. Then prepare a security posture document covering your current controls in structured format, get a DPA template reviewed by legal counsel, and compile a current subprocessor list. Some enterprise clients will begin a limited or pilot engagement while certification is in progress, contingent on a formal commitment to the timeline. The deal is probably not dead. It is paused pending a credible plan.

  • DORA is EU law effective January 2025. It requires EU financial entities to classify IT service providers by criticality and include specific resilience clauses under Article 30 in contracts. If you work with banking, insurance, or investment management clients in the EU, your existing MSAs may need updating. Ask your financial services clients directly whether they have classified you, and if so, request the documentation they require.

  • Through Baltum's programme, the total cost ranges from €5,000 to €7,400 (Standard to Advanced constructor). Annual surveillance audits are additional. For broader market context, the initial certification cycle typically ranges from $25,000 to $100,000 in Western European and US markets. Central and Eastern European companies generally land lower due to consultant and internal labour rates. Internal employee time is significant and separate: budget 2 to 4 months of a senior person's sustained attention. That cost does not appear in any vendor invoice.
    ** Final price varies depending on the scope of audit and consulting engagement.

Find your gaps before your next deal does

Certifications address the procurement gate. Winning and retaining enterprise clients also requires the delivery governance, account management structure, and commercial positioning that enterprise buyers evaluate once compliance is cleared.
Wiseboard and Baltum run combined diagnostic sessions for IT companies mapping their enterprise readiness across both dimensions.

Baltum

International certification and compliance network specialising in ISO and regulatory standards for technology businesses. Free scoping call available to map a cost-effective certification path for your company size and target markets.
