On occasion, we hear variations of the following questions from clients and prospective clients:
- What are the differences between a SOC 2 and an ISO 27001 audit?
- Which standard is more applicable to our company, SOC 2 or ISO 27001?
- What are the advantages and disadvantages of SOC 2 vs. ISO 27001?
- Is there a mapping between SOC 2 and ISO 27001?
- Where is the overlap between SOC 2 and ISO 27001?
What is a SOC 2?
The AICPA provides the following definition for SOC 2 – SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
Similar to a SOC 1 report, there are two types of reports: A type 2 report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls; and a type 1 report on management’s description of a service organization’s system and the suitability of the design of controls. Use of these reports are restricted.
A SOC 2 report is an attestation report that documents an organization’s internal controls that are in place to meet the SOC 2 criteria for Security, Availability, Processing Integrity, Confidentiality, or Privacy. Most SOC 2 reports are prepared for US based service organizations and shared with user entities of the service organizations. A SOC 2 report may be either a point-in-time report (type I) or cover a period of time (type II).
Linford & Company past SOC 2 related blog posts:
- What are Trust Service Principles (TSPs) and which ones do you include in your SOC 2?
- SOC 2 Benefits
- First time SOC 2 Audit: What to Expect
- SOC 2 Audits
- Advantages of Investing in a SOC 2 Report
What is ISO 27001?
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
The ISO 27001 certification validates that an organization meets a standard set of requirements. US based companies may be asked for an ISO 270001 certification although the certification has more traction in the European market. As a result, many US based companies choose to self audit against the standard without receiving a certification. Like many other standards, certification is possible, but not mandatory. This differs from the SOC 2 examination, which is required to be performed by a CPA firm.
See the following past blog post related to ISO: What is ISO?
SOC 2 vs. ISO 27001: What are the Key Differences?
The following table highlights some of the key differences:
|Area||SOC 2 Security||ISO 27001|
|Name||Trust Services Principles and Criteria for Security – The system is protected against unauthorized access (both physical and logical).||International Standard ISO/IEC 27001, Second Edition 2013-10-01, Information technology — Security techniques — Information security management systems — Requirements|
|Governance||AICPA||ANSI-ASQ National Accreditation Board (ANAB)|
|Purpose||Assist service organization management in reporting to customers that it has met established security criteria that ensure that the system is protected against unauthorized access (both physical and logical).||Assist organization management in establishment and certification of an Information Security Management System (ISMS) that meets specified requirements and is able to be certified as best practice.|
|Structure||Principles and Criteria||Information Security Framework|
|Practices||Good Practice||Best Practice|
|Best Use||Measure a Service Organization against static security principles and criteria.||Establish, implement, maintain, and improve an ISMS.|
|“Certification”||CPA Firm Attest Examination Opinion||ISO Accredited Registrar Certification|
|Infrastructure||CPA/CA Firms Worldwide||Lots of consultants; few certifiers|
|Period Covered||Point in time or period of time||Point in time|
|Nature of Audit or Certification Testing||Design effectiveness and operating effectiveness (Type II)||Design effectiveness|
|Report||Report containing the auditor’s opinion, management’s assertion, description of controls, user control considerations, tests of controls, and results||Single page Certification|
|Difficulty to Achieve||Moderate Difficulty||Higher Difficulty|
In summary, ISO 27001’s purpose is to provide a best practice framework for establishing an information security management system. It is a guide for implementing a security program at an organization. In contrast, the SOC 2 Security’s purpose is to provide an organization a way to demonstrate that security practices are in place and operating effectively. When choosing between a SOC 2 or ISO 27001 certification, an organization should consider its regulatory requirements as well as which countries the organization plans to do business with. It is important to keep in mind a service organization’s clients when choosing which standards to comply with. A service organization’s clients may request a particular report or certification depending on its needs.
To facilitate a comparison between the standards, the Cloud Security Alliance has provided a matrix that maps the ISO 27001 requirements to the SOC 2 criteria. See the Cloud Security Alliance Matrix
Both SOC 2 and ISO are internationally recognized standards. Both the SOC 2 report and ISO certification involve an independent audit by a third party. Both may be used for marketing purposes to demonstrate that an IT internal control environment is in place. ISO certifications are three-year, forward-looking certifications, while SOC 2 reports are point-in-time or period-of-time reports.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.