SOC 2 vs. ISO 27001: Which is the Right Assessment for Your Organization?
Companies continue to struggle with the decision between a SOC 2 examination and ISO 27001 certification. Often customer contracts require one audit or the other, or competitors already hold one of them. Although these security standards serve a similar purpose, there are some key decision factors that may help your organization determine the appropriate assessment based on your organizational needs.
What is SOC 2?
The SOC 2 reporting framework, released by the AICPA, or the American Institute of Certified Public Accountants, reports on an organization’s controls as they relate to the Trust Service Principles (TSPs), which are as follows:
- Common Criteria/Security – The system is protected against unauthorized access, physically and logically.
- Availability – The system is available for operation and use as committed to or agreed.
- Processing Integrity – The system processing is complete, accurate, timely and authorized.
- Confidentiality – Information within the system that is designated as confidential is protected as committed to or agreed.
- Privacy – Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in GAPP.
The SOC 2 examination results in a report to provide to your customers that demonstrates compliance with the selected TSPs.
What is ISO 27001?
ISO 27001 is an international standard for the implementation, management, and maintenance of an information security management system (ISMS) within an organization. Becoming ISO 27001 certified demonstrates that an organization’s ISMS conforms to the standard, providing customers assurance regarding the security of the data and systems. ISO 27001 certification is valid for three years and is performed by an accredited certification body.
Similarities Between SOC 2 and ISO 27001
Base-level Controls
There is considerable overlap in the criteria defined in the TSPs and the controls defined in Annex A of ISO 27001. The criteria/controls required by the two standards were developed to mitigate similar risks.
Examples of these similarities include:
- Delineation and understanding of management responsibilities, including information security roles and responsibilities, operational planning and control, and leadership and commitment
- Risk management
- Policy and procedure implementation for information security
- Logical and physical security controls
- Password management parameters
For a full list of the similarities across the standards, the AICPA has developed a mapping of the 2014 Trust Services Criteria to 2013 ISO 27001, which can be downloaded here. It is worth noting that this mapping is slightly outdated. Changes on the SOC 2 side to be aware of include:
- The addition of criteria for confidentiality in C1.7 and C1.8
- 3 has been removed and merged into CC3.1 and CC3.2
- Minor changes to verbiage
Because both the SOC 2 examination and ISO 27001 certification are conducted by a third-party assessor, they provide independent assurance that the controls in place meet the necessary criteria. This results in an additional level of confidence that internal assessments cannot provide.
Differences Between SOC 2 and ISO 27001
When determining which audit to select, the user of the report should be considered. ISO 27001 is an international standard with its origin in a British standard. For companies that have a large international customer base, or whose future marketing efforts will be abroad, ISO 27001 may be the better option. Conversely, SOC 2 is a recognized standard in the United States, created and governed by the AICPA. This US-based recognition provides a greater ROI for those with customers in the US.
ISO 27001 is based on the plan-do-check-act model, which allows for iterative audits: ISO 27001 requires an initial certification year, followed by two years of surveillance audits. The surveillance audits in years two and three test a sample of the controls and therefore do not require the full time or fees associated with year one. SOC 2, on the other hand, requires a full audit of all controls each year.
Making the Decision
Here are the questions to consider when determining the appropriate audit:
- What types of customers does your organization serve (or want to serve)?
If your customer base or target customer list consists of international companies or US-based companies with international operations, ISO 27001 may be the best option for your organization to meet their needs.
- What assessments are customers requesting?
Many audits conducted by service organizations are driven by contractual obligations. When a contract requires a particular audit, factors such as the general acceptance of that audit or the location of your customers may no longer be the deciding consideration.
- What assessments are your competitors undergoing?
Maintaining your competitive advantage is critical to success. Being first to market with a new audit report or certification may be a differentiator in the marketplace. Keeping up with your competitors' list of audits may also be a deciding factor when selecting the right audit for your company.
As a licensed CPA firm and ISO 27001 certification body, A-LIGN can conduct both audits for your company so our primary focus is to select the right audit for your needs. For more information regarding SOC 2 and ISO 27001, contact us at firstname.lastname@example.org or call 1-888-702-5446 to have an experienced assessor answer your questions.