A Kinship: SOC 2 and ISO 27001
Have you ever wondered if the ISO 27001 certification is at all similar to a SOC 2 report? Many organizations today are dealing with multiple needs or demands for various compliance assessments or certifications. These organizations might wonder, “How can my ISO 27001 certification fit the needs for a SOC 2 report?” and vice versa. Below we have outlined the similarities and differences between an ISO 27001 certification and a SOC 2 examination.
Before we explain the similarities and differences between an ISO 27001 certification and a SOC 2 examination, let’s first outline the meaning of these two compliance areas.
ISO/IEC 27001:2013 (ISO 27001) is the internationally recognized standard that outlines the requirements for constructing a risk-based framework to initiate, implement, maintain, and manage information security within an organization. The standard defines what an information security management system (ISMS) is, what is required to be included within the ISMS, and how management should form, monitor, and maintain the ISMS. The certification is an independent validation that the ISMS conforms to the requirements of the ISO 27001 standard. Certificates issued are valid for a three-year term, during which time surveillance audits are required to be completed. The certificate is meant to communicate that the ISMS is actively implemented and continues to operate effectively.
In early 2011, the AICPA issued its Service Organization Control (SOC) reporting framework. The purpose of this framework is to differentiate between the common types of AICPA reports that service organizations are expected to provide to their customers. A SOC 2 report, titled “Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy” is designed to meet a broad set of reporting needs about the controls at a service organization in the form of a CPA firm’s independent attestation report. The SOC 2 examination is an independent examination of the service organization’s controls that are designed and operating effectively (in the case of a Type 2 report) to meet the applicable criteria in one or more of the five Trust Services Principles and Criteria (i.e. Security, Availability, Processing Integrity, Confidentiality, or Privacy).
A SOC 2 report and an ISO 27001 certification have the following similarities:
- Both provide independent assurance on the service organization’s controls that were designed and implemented to meet a specific set of requirements or criteria.
- Both are internationally recognized standards and are accepted worldwide.
- Both allow a service organization to gain significant advantage over competitors.
- The ISO 27001 certification includes deliverable that outlines the organization’s conformance to the standard set of requirements. The SOC 2 attestation report is a detailed report outlining the controls that meet the applicable Trust Services Criteria. The SOC 2 also includes a robust narrative detailing the company background, services provided, and the system (infrastructure, procedures, people, data, and applications) within the scope of the assessment. While the Trust Services Criteria is a standard set of criteria, the controls of one service organization can be very different from the controls of another service organization. As such, a SOC 2 report should not be referenced as a “certification.”
- The ISO 27001 certification considers the control activities relevant in supporting the ISMS and focus on broader information security risk that can apply to matters like documentation management, human resources, asset management, supplier relationships, etc. The SOC 2 examination reviews internal controls over the system, which can include one or more services offered by the service organization, and is more focused on information systems policy, procedures, system security, and change management. The scope of each report can be very different and cover different aspects of the business.
- The ISO 27001 certification is a forward-looking three-year cycle while the SOC 2 examination covers either a point in time (in the case of a Type 1 report) or a period (in the case of a Type 2 report) that occurred in the past.
- The ISO 27001 certification does not provide the details of an environment or its related controls; however, a SOC 2 report provides the details regarding the controls and the environment that may be useful to for customers.
You might be asking yourself now, “How do we decide which one to tackle first?” Here are some tips for management to consider.
- Determine your regulatory requirements. Within your industry are there specific regulatory requirements that require you to complete either a SOC 2 examination or an ISO 27001 certification?
- Consider what your customers or potential customers are requesting. Do you have any customers or potential customers that have requested one over the other (through questionnaires or an RFP)?
- Market competition. Do some research on your main competitors in the market and determine if they have completed a SOC 2 examination or have an ISO 27001 certification. If they have neither, you know that your organization will lead in the market if you complete.
- Consider the intent of the compliance goal. Is the objective to ensure that information security is continually identified, evaluated, addressed and monitored through the use of an ISMS, or is the objective to have a vehicle to provide a full view of the system description and supporting controls relevant to the defined criteria within the chosen Trust Services Principles.
- Contact an independent third party. Contact a CPA firm, ideally a firm that can perform both an ISO 27001 certification and a SOC 2 examination as they will be well versed in both areas. Let the firm provide some guidance based on your services, industry and market demands.
Either option, a SOC 2 examination and ISO 27001 certification are exemplary ways an organization can communicate their commitment to information security, delivery and gain information security trust in the global market, and assure their customers that their organization, controls, processes, and systems are designed and implemented in a manner to meet some of the highest levels of information security requirements a compliance program can demonstrate.
About RYAN MACKIE
Ryan Mackie is a Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.