Picking between ISO 27001 and SOC 2
NOTE: Schellman has since updated and expanded this information in an article found here.
Compliance efforts are increasingly common today, driven by customer demands, regulatory requirements, and organizations' own desire to demonstrate their internal control environment to external parties, so the question often arises as to which undertaking is the most beneficial. Lately we have seen a large surge in both our SOC 2 and ISO 27001 service lines, but which is better for your organization? To tackle this question, it helps to first have some background on both SOC 2 and ISO 27001 in order to understand their differences, their similarities, and how they can complement each other.
Attestation (SOC) vs. Certification (ISO)
One of the most important differences between SOC 2 and ISO 27001 is that a SOC report is not a certification. SOC examinations are performed under the AICPA attestation standards, so their output is an attestation report: an independent CPA practitioner expresses an opinion on specified elements of a service organization's control environment. In the case of a SOC 2, the examination focuses on the controls a service organization has in place to meet the criteria for whichever of the security, availability, processing integrity, confidentiality, and privacy trust services principles it has placed in scope.
ISO 27001, by contrast, is a standard that an organization is certified against: an accredited certification body assesses whether the organization's information security management system (ISMS) conforms to the requirements of the ISO 27001 standard and, if it does, issues a certificate.
Deliverable – Report (SOC) vs. Certificate (ISO)
Another important difference is the content and form of the external deliverable for each engagement. For a SOC 2, the final deliverable is an attestation report containing: an opinion letter from the service auditor; an assertion letter from the service organization's management; a system description with an extensive narrative on the five key components of the system under review (infrastructure, software, people, procedures, and data) as well as organization-level processes and controls; and finally the applicable trust services criteria, the related control activities, and, in a Type 2 report, the tests performed by the service auditor and their results. A Type 1 report covers the design of controls as of a point in time only, so it contains no operating-effectiveness test results.
The deliverable for an ISO 27001 engagement is the certificate itself, a one- to two-page document stating the certified organization's ISMS scope, the in-scope locations, the standard certified against, the certificate's effective dates (date issued and date of expiration), and similar details. Reports are also issued at the conclusion of each audit in the certification cycle (stage 1, stage 2, surveillance audits, and recertification reviews), but they are generally for internal use only and are not intended as an external deliverable, as a SOC report is.
Despite these differences, SOC 2 examinations and ISO 27001 certifications share a great deal. Both require an independent assessor to provide assurance on the controls in place to meet, respectively, the trust services principle (TSP) criteria (SOC 2) and the requirements of the standard (ISO 27001). Both also have international applicability, which benefits firms with international presences and/or customer bases.
Both compliance efforts also focus on how the organization addresses information security: its approach to identifying and mitigating information security risk, and the controls it relies on to keep that risk at an acceptable level.
Lastly, both are valuable ways for an organization to instill trust in its customer base and the wider market. Each demonstrates management's commitment to information security and shows that the organization's controls have been assessed by an accredited, competent, independent third-party assessor.
Both SOC 2 and ISO 27001 are excellent compliance efforts for organizations to undertake. Either can be used to gain an advantage over market competition, to demonstrate the design and operating effectiveness of internal controls, and to support compliance with regulatory or contractual requirements.
Is one better than the other? I don't think so, and I don't believe it is always practical to look at it in that way. When deciding whether to undergo SOC 2 or ISO 27001, an organization should understand its market, the wants and needs of its customers, and any regulatory requirements with which it must demonstrate compliance. Those factors will drive the decision as to which undertaking is more beneficial for its particular environment and situation. Pairing the two can also bring several benefits, not only from a competitive-advantage standpoint but also from an audit-efficiency standpoint: because the subject areas of SOC 2 and ISO 27001 overlap substantially, much of the evidence gathered and many of the controls tested for one can be reused for the other.
For additional information on SOC 2 and ISO 27001 and how the two relate to each other, please contact a specialist at Schellman & Company.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman's West Coast / Mountain region management team, Danny is primarily responsible for co-leading Schellman's ISO practice, for the development and oversight of Schellman's SOC practice line, and for specialty practices such as HIPAA. Danny has been with Schellman for eight years and has over 11 years of experience in providing data security audit and compliance services.