INDEX
Example
Example
SHARE THIS ARTICLE
Copy link
Post on LinkedIn
Post on X
Ready to get compliant?
Whether you're getting compliant for the first time or want to make your next audit less painful, Delve gets you across the finish line faster.
SOC 2 progress bar showing 96% completed with steps labeled Tools, Evidence, Policies, Pass audit, and Ship faster.
Book a Demo
Book a Demo
Abstract gradient background blending teal, black, and orange hues.
All articles
No items found.

SOC 2 vs ISO 27001: The Differences

Posted:
Feb 6, 2026
|
Last updated:
Feb 6, 2026
Omair Manzoor
Chief Hacker at ioSENTRIX
min read

Key Takeaways

  • The primary difference between SOC 2 and ISO 27001 is that SOC 2 is an attestation report, while ISO 27001 is a global certification standard
  • SOC 2 is mostly required by North American consumers, while ISO 27001 is highly-regarded by international and European clients
  • Choosing a compliance framework should be based on customer demands, compliance timelines, and business priorities

Today, the majority of B2B companies must comply with current security standards. Truth be told, 48% of software consumers consider security the second most important thing to look into when purchasing digital products, as emphasized in Gartner’s Digital Markets 2024 Global Software Buying Trends Report. The same study also underscores the fact that 46% of buyers chose their preferred vendor because of security certifications and practices.

On the flip side, IBM’s Cost of a Data Breach Report from 2024 found that the cost of the average data breach has hit an astounding $4.88 million, highlighting the need for robust security infrastructures that are capable of protecting sensitive company information and customer data.

When you think about it, the question isn’t whether you need to seek security compliance. Rather, which kind of compliance framework should you pursue first?

At the forefront of security compliance are two standards: SOC 2 and ISO 27001. While often regarded with equal or similar respect, they serve two distinct purposes and appeal to different markets. But in essence, both of them are designed to safeguard critical information.

Defining SOC 2 and ISO 270001

SOC 2, or System and Organization Controls 2, is a voluntary security and privacy compliance standard created by the American Institute of Certified Public Accountants (AICPA) in 2010. It is aimed at service providers that collect, process, and store customer data. This makes it ideal for businesses that specialize in technology, SaaS, and cloud services.

To better understand how SOC 2 works, it is important to mention how this specific framework evaluates an organization. This is where the five Trust Services Criteria come into play. SOC 2 reports are based on key security information that has been assessed against five factors, which are:

  • Security - mandatory; protects against data attacks and unauthorized access
  • Availability - checks system accessibility and usability
  • Processing Integrity - confirms the accuracy and credibility of data processing systems
  • Confidentiality - protects sensitive information
  • Privacy - verifies that collected data is handled appropriately

To clarify, SOC 2 compliance results in an attestation report, not a certification. It contains the independent opinion provided by a licensed CPA firm that has been derived from their examination of your security infrastructure.

There are two kinds of SOC 2 reports. Type 1 is designed to examine security controls at a specific date. Meanwhile, Type 2 focuses on the efficacy of a security system over a longer period of time, which is usually three to twelve months.

On the other hand, ISO 27001 is an international standard that takes an intensive approach. It was developed by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC).

While SOC 2 focuses on security controls, ISO 27001’s framework calls for:

  • The implementation of all 93 controls described in Annex A of the standard
  • The maintenance of the controls
  • The continuous improvement of an organization’s Information Security Management System (ISMS)

These controls include cryptography, asset management, access control, organizational policies, human resource security, physical security, and many others.

ISO 27001 involves a three-year certification cycle. Once your organization passes the initial two-stage audit, it will go through annual surveillance in the first two years, concluding in a full recertification audit in the third year.

The significance of this standard cannot be overstated. In 2025, the global market for ISO 27001 certification was valued at  $18.59 billion. It is expected to hit $74.56 billion by 2035, as reported by Business Research Insights. Such growth is powered by increasing cyber attacks, regulatory demands, and business globalization.

SOC 2 vs. ISO 27001: Key Differences

Despite the framework overlap when it comes to controls, SOC 2 and ISO 27001 each have a unique approach, scope, and market recognition. Let’s break them down:

Factor SOC 2 ISO 27001
Governing Body AICPA (United States) ISO/IEC (International)
Outcome Attestation report Certification
Geographic Focus Primarily North America Global (especially Europe and APAC)
Framework Type Flexible Prescriptive
Primary Focus Security controls for customer data Complete ISMS implementation
Auditor Type Licensed CPA firm Accredited ISO certification body
Validity Period 12 months 3 years
Number of Controls 70 - 150 (based on selected criteria) 93 mandatory controls

Understanding the differences between these two security standards is vital. While SOC 2 provides a professional assessment of your controls from a licensed auditor, ISO 27001 certifies that your organization meets recognized standards.

ISO 27001 adoption is projected to increase by over 20% annually. This number emphasizes why many businesses eventually aim for both SOC 2 compliance and ISO 27001 certification. This is because they hope to easily meet diverse consumer requirements.

Which Framework Should You Choose?

Perhaps now you’re wondering, “Should I choose SOC 2 or ISO 27001?” Well, that depends on a number of factors: your client base, current and emerging markets, and your business priorities. Even though they both serve as proof of organizational integrity, they can mean entirely different things to different audiences. This decision should not be considered anything less than critical, especially since it could mean wasted resources or missed opportunities.

Choose SOC 2 if:

  • Your target market is in North America, since SOC 2 is the de facto standard for North American companies
  • You need to achieve quick compliance to prevent enterprise deals from lagging
  • You want better flexibility in choosing which areas or criteria to cover, depending on your service offerings
  • Your organization is handling data in cloud environments
  • Your sales cycle requires immediate proof of your security posture
  • You want to build compliance incrementally rather than implementing it all at once. SOC 2 readiness can give your organization a leg up in easy compliance over time.

Choose ISO 27001 if:

  • You have an international customer base, especially in Europe or Asia-Pacific, where ISO 27001 holds more weight
  • You need an extensive ISMS that will give you a panoramic view of your security infrastructure and an organized framework for continuous improvement
  • You need to comply with other security standards simultaneously
  • You want a formal certification instead of an attestation report, given that some consumers consider certification more compelling
  • Your existing security system aligns with ISO 27001’s requirements
  • You aim to work with government agencies or regulated industries that regard international standards more highly

Pursue both SOC 2 and ISO 27001 if:

  • You have clients both in the US and in other countries. Having both frameworks in place avoids any impediments to deals, regardless of their origin
  • Your customers explicitly request compliance with both standards
  • You want to secure long-term business growth. Dual compliance can bridge gaps in security controls and documentation that require great effort to look into.

Be sure to review your business deals to pinpoint which parts are stalling and identify which measures can help eliminate friction. Remember, compliance should drive revenue and build trust, not just check a box.

Get Compliant with Delve

No matter which security framework you choose, be it SOC 2 or ISO 27001, the challenge for your organization is strategically allocating time and resources to achieve compliance. It’s no secret that traditional compliance processes can be tedious and costly. Hours and hours spent on manual data gathering, policy writing, and auditor communications.

But with the right, AI-powered tools in hand, you can be compliant effortlessly.

Delve’s AI-native compliance services are designed to help businesses build compliance through intelligent automation. The platform offers:

  • AI-driven evidence collection that directly gathers proof from integrated systems
  • AI Copilot or guidance for addressing compliance gaps
  • Audit support that prevents constant back-and-forth communication
  • All-inclusive pricing without hidden fees
  • Round-the-clock Slack support for whenever you need immediate assistance

With a trusted compliance process, Delve promises proper management of even the most complex cases. The combination of AI evidence authentication and dedicated auditing teams will enable you to achieve compliance efficiently alongside your day-to-day operations.

Want to build better security that wins customer trust and drives revenue? Schedule a demo now and see how Delve can help you become audit-ready in no time.

Book a Demo
Book a Demo

About the authors

Omair Manzoor
Chief Hacker at ioSENTRIX

Key Takeaways

  • The primary difference between SOC 2 and ISO 27001 is that SOC 2 is an attestation report, while ISO 27001 is a global certification standard
  • SOC 2 is mostly required by North American consumers, while ISO 27001 is highly-regarded by international and European clients
  • Choosing a compliance framework should be based on customer demands, compliance timelines, and business priorities

Today, the majority of B2B companies must comply with current security standards. Truth be told, 48% of software consumers consider security the second most important thing to look into when purchasing digital products, as emphasized in Gartner’s Digital Markets 2024 Global Software Buying Trends Report. The same study also underscores the fact that 46% of buyers chose their preferred vendor because of security certifications and practices.

On the flip side, IBM’s Cost of a Data Breach Report from 2024 found that the cost of the average data breach has hit an astounding $4.88 million, highlighting the need for robust security infrastructures that are capable of protecting sensitive company information and customer data.

When you think about it, the question isn’t whether you need to seek security compliance. Rather, which kind of compliance framework should you pursue first?

At the forefront of security compliance are two standards: SOC 2 and ISO 27001. While often regarded with equal or similar respect, they serve two distinct purposes and appeal to different markets. But in essence, both of them are designed to safeguard critical information.

Defining SOC 2 and ISO 270001

SOC 2, or System and Organization Controls 2, is a voluntary security and privacy compliance standard created by the American Institute of Certified Public Accountants (AICPA) in 2010. It is aimed at service providers that collect, process, and store customer data. This makes it ideal for businesses that specialize in technology, SaaS, and cloud services.

To better understand how SOC 2 works, it is important to mention how this specific framework evaluates an organization. This is where the five Trust Services Criteria come into play. SOC 2 reports are based on key security information that has been assessed against five factors, which are:

  • Security - mandatory; protects against data attacks and unauthorized access
  • Availability - checks system accessibility and usability
  • Processing Integrity - confirms the accuracy and credibility of data processing systems
  • Confidentiality - protects sensitive information
  • Privacy - verifies that collected data is handled appropriately

To clarify, SOC 2 compliance results in an attestation report, not a certification. It contains the independent opinion provided by a licensed CPA firm that has been derived from their examination of your security infrastructure.

There are two kinds of SOC 2 reports. Type 1 is designed to examine security controls at a specific date. Meanwhile, Type 2 focuses on the efficacy of a security system over a longer period of time, which is usually three to twelve months.

On the other hand, ISO 27001 is an international standard that takes an intensive approach. It was developed by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC).

While SOC 2 focuses on security controls, ISO 27001’s framework calls for:

  • The implementation of all 93 controls described in Annex A of the standard
  • The maintenance of the controls
  • The continuous improvement of an organization’s Information Security Management System (ISMS)

These controls include cryptography, asset management, access control, organizational policies, human resource security, physical security, and many others.

ISO 27001 involves a three-year certification cycle. Once your organization passes the initial two-stage audit, it will go through annual surveillance in the first two years, concluding in a full recertification audit in the third year.

The significance of this standard cannot be overstated. In 2025, the global market for ISO 27001 certification was valued at  $18.59 billion. It is expected to hit $74.56 billion by 2035, as reported by Business Research Insights. Such growth is powered by increasing cyber attacks, regulatory demands, and business globalization.

SOC 2 vs. ISO 27001: Key Differences

Despite the framework overlap when it comes to controls, SOC 2 and ISO 27001 each have a unique approach, scope, and market recognition. Let’s break them down:

Factor SOC 2 ISO 27001
Governing Body AICPA (United States) ISO/IEC (International)
Outcome Attestation report Certification
Geographic Focus Primarily North America Global (especially Europe and APAC)
Framework Type Flexible Prescriptive
Primary Focus Security controls for customer data Complete ISMS implementation
Auditor Type Licensed CPA firm Accredited ISO certification body
Validity Period 12 months 3 years
Number of Controls 70 - 150 (based on selected criteria) 93 mandatory controls

Understanding the differences between these two security standards is vital. While SOC 2 provides a professional assessment of your controls from a licensed auditor, ISO 27001 certifies that your organization meets recognized standards.

ISO 27001 adoption is projected to increase by over 20% annually. This number emphasizes why many businesses eventually aim for both SOC 2 compliance and ISO 27001 certification. This is because they hope to easily meet diverse consumer requirements.

Which Framework Should You Choose?

Perhaps now you’re wondering, “Should I choose SOC 2 or ISO 27001?” Well, that depends on a number of factors: your client base, current and emerging markets, and your business priorities. Even though they both serve as proof of organizational integrity, they can mean entirely different things to different audiences. This decision should not be considered anything less than critical, especially since it could mean wasted resources or missed opportunities.

Choose SOC 2 if:

  • Your target market is in North America, since SOC 2 is the de facto standard for North American companies
  • You need to achieve quick compliance to prevent enterprise deals from lagging
  • You want better flexibility in choosing which areas or criteria to cover, depending on your service offerings
  • Your organization is handling data in cloud environments
  • Your sales cycle requires immediate proof of your security posture
  • You want to build compliance incrementally rather than implementing it all at once. SOC 2 readiness can give your organization a leg up in easy compliance over time.

Choose ISO 27001 if:

  • You have an international customer base, especially in Europe or Asia-Pacific, where ISO 27001 holds more weight
  • You need an extensive ISMS that will give you a panoramic view of your security infrastructure and an organized framework for continuous improvement
  • You need to comply with other security standards simultaneously
  • You want a formal certification instead of an attestation report, given that some consumers consider certification more compelling
  • Your existing security system aligns with ISO 27001’s requirements
  • You aim to work with government agencies or regulated industries that regard international standards more highly

Pursue both SOC 2 and ISO 27001 if:

  • You have clients both in the US and in other countries. Having both frameworks in place avoids any impediments to deals, regardless of their origin
  • Your customers explicitly request compliance with both standards
  • You want to secure long-term business growth. Dual compliance can bridge gaps in security controls and documentation that require great effort to look into.

Be sure to review your business deals to pinpoint which parts are stalling and identify which measures can help eliminate friction. Remember, compliance should drive revenue and build trust, not just check a box.

Get Compliant with Delve

No matter which security framework you choose, be it SOC 2 or ISO 27001, the challenge for your organization is strategically allocating time and resources to achieve compliance. It’s no secret that traditional compliance processes can be tedious and costly. Hours and hours spent on manual data gathering, policy writing, and auditor communications.

But with the right, AI-powered tools in hand, you can be compliant effortlessly.

Delve’s AI-native compliance services are designed to help businesses build compliance through intelligent automation. The platform offers:

  • AI-driven evidence collection that directly gathers proof from integrated systems
  • AI Copilot or guidance for addressing compliance gaps
  • Audit support that prevents constant back-and-forth communication
  • All-inclusive pricing without hidden fees
  • Round-the-clock Slack support for whenever you need immediate assistance

With a trusted compliance process, Delve promises proper management of even the most complex cases. The combination of AI evidence authentication and dedicated auditing teams will enable you to achieve compliance efficiently alongside your day-to-day operations.

TechCrunch

21-year-old MIT dropouts raise $32M at $300M valuation led by Insight

Delve gets $32 million from Insight Partners to scale its platform that automates regulatory compliance with AI agents.
Read More
Read More
Feb 6, 2026

SOC 2 vs ISO 27001: The Differences

The majority of B2B companies must be compliant with current security standards. See how SOC 2 and ISO 27001 play into your company's credibility.
Omair Manzoor
Chief Hacker at ioSENTRIX
Feb 6, 2026

Complete Process of PCI Compliance (2026 Guide)

Learn the 3-step process of PCI compliance: assess, remediate, and report. Discover how to manage ongoing work and formal validation to protect your cardholder data environment efficiently.
Shane Peden
Partner, Risk Advisory & Assurance Services at Aprio
Jan 30, 2026

What is a SOC 2 Report

A SOC 2 report is a document that proves a service provider’s compliance with data security standards. Find out how you can achieve SOC 2 compliance.
Anthony Garcia
Co-Founder and CTO, Network Right

Don't let manual compliance slow you down.

With Delve, companies prove compliance faster, close deals quicker, and stay compliant as they scale.
Book a Demo
Book a Demo
Abstract gradient background with vertical rectangular segments blending from teal on the left to dark, then orange on the right.

How to build and run a billboard campaign

Dark gradient background transitioning from warm brown tones on the left to cooler blue tones on the right.

In fall of 2025 for a period of three months, Delve ran one of the largest out-of-home campaigns of all time to make a splash for our brand and make sure everybody in the city of San Francisco, New York City, and Austin knows who we are. We learned a ton throughout the process, and we want to share every mistake, every learning, and every success to demystify the out-of-home channel.

Billboard advertising, or as it's called in the industry, out-of-home advertising, is any advertising that somebody has to go outside of their home to see (in contrast to other formats of paid media like newsletters, ads, TV, or radio). Here is our comprehensive guide on how to plan for an out-of-home campaign, execute on it, and analyze how much of an impact it had.

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.

Planning

This is some text inside of a div block.
Date
1
min read

When is the right time for OOH?

Out-of-home is how you make a brand splash. It's a we’ve-arrived statement. The only right time to do that is when you have achieved a moderate degree of PMF, you have steady lead flow, a strong pre-existing pipeline that is heavily driven by word-of-mouth, and stable processes. When you’re ready to punch past a certain number of leads, revenue, or make a massive announcement, that’s the time to go out of home.

Those hallmarks usually are seen after the Series A (or whatever the current fundraising environment is in SF :) or a company-changing product release that you’re ready to bet it all on.

Keep in mind that OOH is an expensive and top-of-funnel strategy, so your average annual contract size should be able to support the cost of putting this on. If we think about attribution purely in the sense of pipeline and closed won:

OOH Campaign ACV Contracts Closed (Attr. OOH)
$500,000 $5,000 100
$1,000,000 $5,000 200
$1,500,000 $5,000 300
$2,000,000 $5,000 400

This is a crude analysis, but you get the idea. Make sure you can sell enough (even on a multi-touch attribution model) to justify the spend.

How much should I budget?

The cardinal saying is “Go big or don’t go out of home.” Out-of-home is not a channel to try a small spend of $50k and see how it goes. Out-of-home only succeeds when you create a sense of omnipresence, a moment where you take over and everywhere prospects go, all they see is you.

Text saying 'Go big or don’t go out of home' over a gradient background blending dark blue, orange, and light beige colors.

Kasper Koczab, the Head of OOH Media at Brex puts it like this:

I often talk to founders who want to “test” OOH by booking a single billboard and seeing how it performs. That’s not how this medium works.

If you’re confident in your product and you know where your prospects live, work, and play, the most effective strategy is to create a sense of omnipresence. It’s not enough to reach your ICP on their commute — your message should be there when she’s walking her dog or taking her kids to soccer practice, too. Frequency matters.

In a first-time out-of-home campaign, it’s all about frequency. You need to be everywhere, all the time, so they can’t escape you. Managers who want to champion your product will feel more confident when they know their VP has seen your bus ad. Top-tier recruits will feel much more excited knowing that the company offering them has their name plastered all over the city. There’s a part of the human psyche that thinks “if this startup can afford this and pull it off, they must be legit.”

Once you define exactly what your goals are, how big of a reach you want, and who you’re trying to sell to, you’ll be able to compare your goals to the cost of media. Towards the back-end of 2025, media prices are at an all-time high with a frothy AI marketplace and well-funded startups taking over almost every available media. In a congested space, you’ll need even more dollars to stand out.

A good framework is:

  1. Why do we want to do this?
    1. We want to do a massive splash and announce our product, recruiting, etc.
  2. How long will it take to accomplish that goal?
    1. We estimate 2-3 mo of omnipresence will help us accomplish that
  3. If we had to pick one city where our prospects are mostly concentrated, where would it be?
    1. San Francisco, New York, Los Angeles, etc.

Great! Now we know we want to do a 2-3 month campaign in SF. To pull that off, we’d likely need a set of 40-50 panels, an anchor placement on a major highway, and a set of bus wraps. Total spend = $750,000.

Man with a beard and traditional cap drawing a flowchart on a transparent board with two blurred people watching.
Four men standing around a table with printed materials and a laptop in a modern office with large windows.

How Far in Advance Should You Plan and Book OOH?

Start planning early. Ideally, begin the process a few months in advance of when you want your ads to go live. Popular billboard locations and transit media can book up quickly, so you need lead time to secure the spots you want.

A good rule is to book 3-6 months ahead for high-demand markets or premium locations. For example, Times Square billboards in NYC might even require 6+ months lead time, and Los Angeles’ Sunset Strip or SF’s 101 freeway boards can be reserved several months out (especially around major events). In Austin, if you want coverage during SXSW, you’d better be talking to vendors at least 3+ months before the festival.

Besides reserving the inventory, you also need time for creative production. Designing the ads, iterating on copy, getting approvals, and then printing physical posters or vinyl (if not digital) all add time. If you’re starting from scratch, imagine that before that you’ll also go through brand-building sessions with your team, creatives design, multiple (up to 20!) rounds of feedback, and then finally arrive on something the team is aligned with.

If you’re on a tighter timeline, you may still find last-minute opportunities (sometimes unsold digital billboard slots can be nabbed weeks or even days before, at a discount). But generally, to get the locations and dates you want, earlier is better.

For example, say you’re targeting a product launch in September. You’d want to begin planning by early summer, confirm your media buys by mid-summer, and have creative finalized and in production by August so the ads can be installed on time. Some smaller formats like bus shelters might have shorter lead times than giant billboards, but just play it safe.

We started the process in April for an August 11th deployment, about 4 months out. This still made things incredibly tight.

Back into it like so:

Flight Date (Launch) → When your campaign goes live.

4 weeks before → Final creatives are due.

8 weeks before creatives are due → Creative design and production begin.

8 weeks before creative prep → Media planning and vendor selection start.

That puts you square at 5 months.

We’ve put together some great tracking spreadsheet templates to show you how to Gantt this all out. Download our guidebook at right to get access.

Execution

This is some text inside of a div block.
Date
1
min read

What is a good time of year to do this?

This is highly industry-dependent. If we look at the year:

Q1: Reset and Re-Acceleration

Teams return from holidays energized, focused on executing annual plans and budgets. It’s prime time for B2B: decision-makers are back, budgets are open, and industry kickoffs like CES drive high audience concentration. Finance and accounting tools benefit from tax season, while consumer brands face the post-holiday “slump” except in fitness and self-improvement. Cold, wet weather means more drive-time and delivery ad exposure, less walking traffic.

Q2: Spring Surge

Conference season peaks (RSA, SaaStr, Collision), boosting opportunities for geo-targeted OOH near airports and venues. Warmer weather brings foot traffic back and hybrid work stabilizes. As teams race to close H1 targets, quick-win B2B products perform well. College graduations fuel hiring and employer-brand campaigns.

Q3: Summer Slowdown → Autumn Gold

Mid-summer is quiet: decision-makers and investors vacation, buying stalls, and morale-driven campaigns see lower engagement. Exceptions: travel, beverage, and leisure brands. We chose early September through early November as the strongest OOH window of the year where B2B spending restarts, the weather’s ideal, and major conferences (Dreamforce, Inbound, Disrupt, etc.) cluster. It’s the moment to drive pipeline and capture leftover budgets before holiday freezes.

Q4: Holiday Wind-Down

After mid-November, corporate attention shifts to holidays and fiscal wrap-ups; B2B conversions dip. Consumer and retail campaigns thrive between Black Friday and Christmas, while enterprise deals largely pause until January.

Who are the major operators of OOH media?

Diagram showing Clear Channel Outdoor (CCO) in the center connected to four smaller circles labeled Lamar, JC Decaux, Intersection, and Outfront.

Across the United States, there’s about a set of major operators that run all of OOH media. The 3 most important are:

  1. Clear Channel Outdoor (CCO)
    1. Across the US, CCO owns about 40,000 billboards. In San Francisco, Clear Channel owns the transit shelters, a lot of very high quality premiere panels/billboards in the city and along the Skyway/US 101, and Muni platforms.
  2. Outfront
    1. Outfront similarly owns about 40,000 billboard across the US. In San Francisco, Outfront owns the BART, CalTrain, and MUNI stations (Embarcadero, Montgomery, Powell, etc.) as well as many excellent billboards on the highways and in the cities. They also own the NYC city subway cars, the stations, and many incredible placements all over the New York.
  3. Lamar
    1. Lamar is by far the largest operator, owning over 116,000 billboard faces all over the US. They have a good selection across many metros, but we did not contract with Lamar as most of their high-profile units were taken.

Collectively, these three own about ~250,000 of the estimated 400,000 billboard faces in the US, or about 62%.

Additional notable vendors include:

  1. Intersection
    1. In San Francisco, they own the entire SFMTA - so all types of bus advertising goes through them. Full bus wraps, bus headliners or kongs, or even half-wraps.
  2. JC Decaux
    1. Most of San Francisco’s street furniture is owned by JCD. This includes information kiosks/pillars that create an impact directly on the passerby. Units are usually sold in packages - for example JCD’s Moscone center street furniture package has 10 information kiosks that directly target the Moscone center.

Capital Outdoors, Reagan Outdoors, Silvercast, and a few others make up the rest of the landscape of out-of-home.

What are the different types of media? What should I get?

1. Bulletins/Billboards

These are the classic large-format displays you see along highways, rooftops, or major city arteries.

  • Use for: Big brand moments, awareness plays, or category leadership statements.
  • Strengths: Huge reach, high prestige, long dwell time on highways.
  • Weaknesses: Expensive in Tier 1 cities; limited flexibility once installed.

(Examples: US-101 and I-280 corridors in SF, the Sunset Strip in LA, Times Square in NYC.)

Crown jewel pieces in a campaign - any major bulletin on the way up or down from SFO will generate the highest quality impressions and capture everyone. Anchor pieces like these really tie campaigns together.

Billboard reading 'Today, compliance is done in days, not months. It's done in Delve. Delve.co' against a clear blue sky and urban backdrop.

2. Premiere Panels & Wallscapes

High-impact, high-traffic urban billboards placed at major intersections, bridges, or downtown walls.

  • Use for: Company launches, investor signaling, or head-turning creative campaigns.
  • Strengths: Prime city visibility, often photographed and shared on social media.
  • Weaknesses: Limited inventory; typically booked months in advance.

(Examples: City-32 premiere panel network,SoMa wall murals, NYC SoHo wallscapes.)

Workhorse units. These target your ICP when they are out for dinner, going to watch a game, picking up their kids from school. Pick them carefully.

Two stacked billboards on a building with text about compliance audits and colonoscopy prep, advertising Delve.co.

3. Street Furniture

Includes transit shelters, bus stops, benches, and public kiosks. Managed by JC Decaux, ClearChannel, others.

  • Use for: City-wide brand saturation and repetition.
  • Strengths: High pedestrian frequency, affordable packages, consistent daily visibility.
  • Weaknesses: Smaller format means your creative must be ultra-simple and bold.

(Example: JC Decaux’s Moscone Center package with 10 information kiosks, CCO’s 3rd St Triptychs targeting YC.)

Great for specific targeting of particular accounts or geographies and for creating a consistent sense of your brand on the streets.

Bus stop ad for Delve.co stating compliance is done before your co-founder drops a 'what B2B SaaS taught me' post, with the tagline 'It's done in Delve.'

4. Transit Advertising

Bus wraps, train station takeovers, subway car interiors, and airport displays.

  • Use for: Targeting commuters and travelers, especially in major metros.
  • Strengths: Excellent for frequency and brand recall; high engagement for mobile users.
  • Weaknesses: Creative must adapt to motion and varying environments.

(Examples: Station dominations via Outfront; full-bus wraps via Intersection, bus shelters via CCO.)

This make sense when some set of your ICP commutes in from suburbs or uses the subway regularly - like enterprise middle management. If you’ve coordinated during conferences, you’ll get some additional exposure from public transit enthusiasts.

A public transit bus with advertisements for Delve.co, displaying messages about compliance and clean air vehicles.
View of a train station platform with a white and red train, a person in a yellow safety vest standing at the open door, a man walking on the platform, and large advertisements on the walls featuring compliance-related slogans.

5. Digital OOH (DOOH)

LED or LCD billboards that can rotate creatives dynamically or be updated programmatically.

  • Use for: Time-sensitive campaigns, A/B testing, or creative experimentation.
  • Strengths: Flexible, measurable (via impression tracking), and visually striking.
  • Weaknesses: Limited premium placements; shorter dwell time than static boards.

(Examples: Subway station liveboards via CCO/Outfront that play your ad in a fixed set )

Digital boards are usually cherry-on-top for a larger static campaign and then used in subsequent campaigns when people are mildly aware of your brand and you’re looking for consistent performance. Since your Share of Voice is already >10% in this media, you’re not yielding as much value.

Three vertical digital screens on a wall display a message: 'Today, compliance is done in Delve.' with the Delve.co logo.

Your ideal campaign should bring all these media types together under one package to create the sense of omnipresence in the city.

How should I start putting my campaign together?

When thinking about putting a campaign together, you first want to nail down your goals. Ask yourself these questions in an exercise:

  1. Why exactly are you doing this?
    1. What do you really care about? Are you viewing this as a pure brand play?
  2. Who are you selling to? Who is the exact ICP? Who are the stakeholders?
    1. Don’t try to sell to too many people in one campaign. Be very specific
  3. What are we trying to convey about our brand?
    1. What are we selling? Can we convey it simply and distinctly? Can we avoid becoming beige?

Once you’ve asked yourself these hard questions - and they can change - you’re ready to go to the whiteboard and start figuring out what you want. Research your audience’s physical world habits. Unlike online ads, OOH success depends on placing messages in the real locations your targets frequent. Map out where they live, work, commute, and congregate. If you’re aiming at, say, startup founders in the Bay Area, concentrate on high-density tech corridors (e.g. SOMA, Market Street, Caltrain routes) and highways like the 101 that they drive on. Stych famously did exactly this, plotting out commuting routes and conference venues in SF, then selecting billboard and transit ad locations near those hotspots to maximize impressions among their audience

Delve did something very similar when starting our campaign. We pulled all of our customer addresses from Docusign contracts and plotted them into a map. We also aggregated in data from larger partners to figure out where prospective customers from our Dream 100 (top 100 clients we’d like to sign) are as well. We’d recently run a massive physical marketing campaign, so we had some other address data on hand. We plugged all that into kepler.gl to figure out exactly where we wanted to focus our efforts:

Heatmap of San Francisco showing high-intensity data points concentrated in downtown and eastern neighborhoods.

Who else is involved in an OOH Campaign?

Diagram listing parties involved in an OOH campaign: Media Operators, Media Buying Agency/Broker, Creative Designers/Agency, Marketing/Growth Team (Internal) on an orange gradient background.

Running an OOH campaign is a team effort that involves both external partners and your internal team. Key players include:

  • Media Operators: These are the companies who own the billboards, transit ads, bus benches, etc., such as Lamar, Outfront Media, Clear Channel, and local vendors. They provide the inventory and handle installation. You can work with them directly if you’re experienced, but if it’s your first time - find a broker that can take care of this for you. The operator’s job is to lease you the ad space and ensure your creative goes up on schedule.
  • Media Buying Agency/Broker: As mentioned earlier, a specialized OOH agency or media broker can plan and negotiate the buy on your behalf They interface with all the operators (so you don’t have to individually call Lamar, Outfront, etc.), get quotes, and secure the best locations within your budget. They also handle a lot of logistics. For a first campaign, having an experienced media buyer is a huge help – they know the landscape and can advise on format mix, flight duration, and fair pricing. Their fee or commission is usually baked into the buy (often a percentage), but a good broker often pays for themselves by stretching your dollars further.
    • For our campaign, we worked with Kasper Koczab, Head of OOH Media at Brex. His understanding of OOH all over the country is unmatched and he was able to help us navigate the complexities of media and secure a really solid package.
  • Creative Designers/Agency: You’ll need someone to design the actual ads – the visuals and copy that go on the billboard or poster. This could be your in-house design team if you have one (as many startups do), or an external creative agency or freelancer. Some brands use their general creative agency; others hire specialists who understand OOH design principles.
    • If you’re doing multiple formats (billboards, bus wraps, etc.), designers will need to adapt the creative to various specs and formats
    • Pro tip: There’s so many moving parts to a large campaign, that having an experienced team that knows the ad format, the production specs, and can keep you on top of all the details can make life way easier and potentially save $10,000’s in lost media.
    • We worked with Josh and the team at Division of Labor to put our campaign together. They helped us run through multiple design reviews, settle on our brand and visual identity, and caution us through many potential pitfalls.
  • Marketing/Growth Team (Internal): Within your startup, your marketing and growth team will quarterback the campaign and work with everyone above. Be prepared for some cross-functional input, for instance, leadership might want to review the billboard messaging, or sales might chime in with an opinion. Align stakeholders early so you can move quickly on execution.

How do you think about copy?

All of marketing is about standing out. How can you be really different? Billboards offer you the opportunity to be among the top 1% of companies that make it off the incessantly bombarded screen and get into the real world. Don’t think that gives you the freedom to finally spew product and feature copy all over. Your campaign is won or lost by the words you put on the billboard. Here’s how to approach it:

Be someone. Thousands of companies come out with stock, harmless, slogans cooked up in a boardroom that won’t elicit any response. Larger enterprises care too much about brand integrity to try anything out-of-the-box and already have enough recall. How can you be truly different?

You need out-of-the-box, contextualized ideas that tap into societal and cultural cues. Think about how you can use your brand, your industry keywords to devise copy that makes someone think “Ha! That’s clever.” That’s how you’ll win. It will take time, revision, and work - but it’s the only way to really win.

If your leadership is willing, make your copy or graphics a little controversial. Bland’s “Still hiring humans?” campaign famously generated incredible engagement. Recently, Friend.com took over social media with ads being defaced all over the subway. It’s your prerogative on how far you want to go, but creating an identity is much better than being invisible.

Simplicity is king. The best billboard messages are extremely short, clear, and instantly graspable – think 7 words or fewer as a rule of thumb. Drivers or pedestrians only glance for a few seconds, so you have to communicate one idea fast. This means one simple message or tagline, with text in a huge, high-contrast font so it’s legible from a distance. An industry saying goes “short copy sticks”– and it’s especially true for billboards.

Beyond brevity, out-of-home is all about sparking emotion. If you can elicit a chuckle, an intrigued eyebrow raise, or an “aha” recognition, your ad will be memorable. No one looks at billboards in pursuit of a mathematical challenge. Frankly, they’re pretty annoyed that they're being marketed to all the time. It's your job to make it as funny, as evocative, and as emotion-inducing as possible.

Now, few practical tips and hygiene for copy/design:

  • Contrast and readability: Use large, blocky fonts and strong color contrast (light text on dark background or vice versa). No one should squint to read your ad. Test by printing your design small and see if you can read it from across the room. Product designers often design for small screens, so it’s a conscious adjustment.
  • One theme, one idea, one CTA: Memorable campaigns come together around one unifying theme. You’ll have hundreds of pieces of creative, and you want them all to come together and tell a story, not fight for attention. When someone looks at your media, they should subconsciously feel familiarity with it because it matches the tone and theme. Think about “Just do it” or “Think differently”. Delve’s take on this was “Compliance is done in Delve” - and all the creative came back to this idea.
  • Let visuals help: A striking image or bold and creative graphic breaks up text and makes it fun to look at. Think about motifs and symbols around your brand that you can incorporate. For example, if you’re building something that makes a process faster - create a leaderboard graphic!
  • Test for the “5-second rule”: Imagine a person seeing your ad for 5 seconds or less. Will they get the gist? If not, simplify it. Cut unnecessary words and elements. Many experts literally suggest 7 words, 1 image max for a standard billboard.

In summary: short, bold, and resonant. Your copy should be punchy and easy-to-digest, with a design that grabs attention at a glance. Marry that clarity with a spark, whether humor, emotion, or intrigue that makes people remember it.

Great creative connects on an emotional level, not a rational one. You’re talking to humans — make them laugh, make them excited, make them curious.
Kasper Koczab - Head of OOH Media, Brex

Analysis

This is some text inside of a div block.
Date
1
min read

How Should You Think About Attribution for OOH?

Attribution in OOH is famously fuzzy. Unlike digital ads, you won’t get a precise click-through or conversion rate tied to each billboard, and that’s okay. Physical ads don’t have pixels or UTM tags, so you need to embrace indirect and longer-term metrics. Successful startups view OOH as a brand awareness play that lifts many metrics collectively, rather than a direct response channel.

So how do you gauge if it’s working? There’s 3 main methods we used:

  1. Branded Search Uplift
    1. The industry-standard figure is to anticipate around a 10-20% uplift in branded search.
  2. First-party mentions
    1. In your lead form or in sales calls, track how many times billboards is mentioned as a referral source. We used that to attribute a certain amount of each deal that closed to OOH and built a rough financial model.
  3. CPM
    1. Based on the quoted impressions from your media operators + the social media impressions you generated you can calculate a rough opportunity cost of CPM in this channel vs others. (Not high signal, but good for marketers to have a number.)

Some brands leverage QR codes or short URL’s on transit ads or billboards; just be realistic that not everyone will stop to scan a specific code or URL. It’s much more effective to use that real estate in better ways, when prospects will just type in “[company name]” into Google.

Overall, you’ll have to accept that OOH’s value is largely multi-touch and long-term. It plants seeds in your audience’s mind that may pay off weeks or months later. As one marketing leader said, don’t expect a single “ROAS” number – instead, look for a mix of leading indicators (like branded search uptick, social media buzz, word-of-mouth) and anecdotal evidence that your message is sinking in. If you see those, your OOH is doing its job even if you can’t attribute every dollar of revenue to a specific billboard.

It’s rather important however to look at it from more angles than just pipeline. You’re building brand - and that has value everywhere. You should evaluate:

Graphic showing five labeled layers with connecting lines: Pipeline, Recruitment, Company Morale, Investor Confidence, and Customer Strength.
  1. Pipeline
    1. Ultimately, it’s a business and revenue needs to be generated. More visibility, more credibility, more deals closed.
  2. Recruitment
    1. If pipeline is the gas, recruitment is the driver. The value your talent acquisition team gets from cementing the brand and building credibility with high profile recruits is unmatched. Talk to those teams and see how it’s affecting them!
  3. Company Morale
    1. For your founding team, recent hires, and even the leadership, OOH can feel like a coming-of-age moment for the company. To see your brand amongst Apple, Google, Hubspot and more is a rewarding and uplifting feeling that an expensive offsite can’t match.
  4. Investor Confidence
    1. Investors are some of the biggest fans of OOH campaigns. They love to see their portfolio companies under the spotlight.
  5. Customer Strength
    1. When customers see their startup vendor making it big, it gives them a lot of confidence in your ability to keep winning and solving problems for them. It can help allay churn risk, provide credibility to your internal champions, and help explore more use cases.

Attribution will always be fuzzy in OOH, but if your brand is optimized for this channel, you’ll do well. Don’t sweat it.

With out-of-home advertising, you should make the investment because the logic makes sense. While you should try to get a directional read on OOH impact, you also have to use your best judgment around where your audience is and what message they respond to. Intuition can carry you far in marketing.

- Brandom Camhi, Head of Marketing at Rippling

Sources and Citations

Huge thanks to Reid from Stych for his work on this article that helped us a ton and provided a lot of useful data repurposed in this article. In addition, here were some other helpful articles that we referenced as we put together our billboards campaign and this article:

Abstract blurred background with gradient colors transitioning from teal to black and orange.
Download our OOH planning template and guidebook
We've received your information and you'll receive the materials via email shortly!
Oops! Something went wrong while submitting the form.