Understanding SOC 2 and ISO 27001 – Part 1

Dec 2, 2021 | Security

With the business landscape changing due to continued cyber attacks, it is important to standardize business, data, and security practices. This not only protects your organization but gives you a strategic advantage in the marketplace. The best way to do that is to pursue compliance with a proven security control framework; two of the most respected are SOC 2 and ISO 27001. Your customers and the entire customer supply chain will see benefits. These two standards have many similarities, but there are a few key differences that may push you toward one or the other, depending on what your organization wants to achieve and which markets you serve. This blog will detail what each standard framework contains, as well as their similarities and differences.

What are SOC 2 and ISO 27001?  

SOC 2
SOC 2, which stands for System and Organization Controls 2, is a security control framework created by the American Institute of Certified Public Accountants. It provides standards regarding the security of a company’s processes, systems, and controls when it comes to handling customer data. SOC 2 compliance also requires ongoing audits of how effectively the standard has been implemented and adopted, achieved through review of both the documented and the actual processes, systems, solutions, and controls in place. SOC 2 has five trust principles:

  • Security 
  • Availability 
  • Processing integrity 
  • Confidentiality 
  • Privacy 

There are two types of audit procedures: 

  • Type I: Measures your compliance as of a specific point in time, as in the initial validation against the SOC 2 standard.
  • Type II: Measures your compliance over a period of time, usually somewhere between 3 and 12 months.

As an output of the SOC 2 audit, you receive a SOC 2 report containing the auditor’s results (the auditor is usually a CPA firm) as they relate to meeting the above trust principles and criteria.

ISO 27001 

ISO 27001, which stands for International Organization for Standardization 27001, is an international security standard. This standard guides companies in creating secure systems and processes. It is part of a larger set of standards created by the ISO in partnership with the International Electrotechnical Commission. There are three security objectives for ISO 27001:

  • Confidentiality 
  • Integrity 
  • Availability 

Key Differences in the Two Standards 

  • ISO 27001 provides more specific guidance on the controls that you can implement.
  • SOC 2 is more flexible, allowing you to implement any controls as long as they meet the trust principles you specified for your organization.

Five things to consider when deciding between SOC 2 and ISO 27001:

  1. Target market. Your target market’s location plays a significant role in determining which standard is best for you. ISO 27001 is the gold standard internationally, so this standard would apply more for an organization with an international footprint. On the contrary, SOC 2 is not recognized as much outside North America.
  2. Audit and certification process. Both standards require an audit. However, the auditors, audit practices, and certifications are handled differently.
     • Certified Public Accountants can perform SOC 2 audits and issue SOC 2 reports, but you want a firm that specializes in the SOC 2 audit process to maximize your organizational compliance and adoption. You don’t have to try to comply with all five trust principles; you can pick and choose those that you’d like to pursue first (such as those that offer the highest ROI) as long as the security principle is among them. You can also choose between SOC 2 Type I and Type II audits.
     • As for ISO 27001 audits, only ISO 27001-accredited certification bodies can perform these and award ISO 27001 certification.
     • SOC 2 audits do not issue a certification. Instead, they provide a report that includes the auditor’s opinion. ISO 27001, on the other hand, does issue a certification when you meet all of the standard’s requirements.
  3. Cost. Both standards will have costs in time and money to implement and certify within your organization:
     • You’re going to have to invest internal resources in your organization to document and implement systems, processes, and controls in compliance with the relevant standard. Additionally, you must pay the auditor to perform the audit and issue the report or certification.
     • ISO 27001 audits tend to cost more than SOC 2 audits, since they involve more work to achieve and maintain certification and require ISO 27001-accredited auditors. Since SOC 2 audits offer more flexibility and simplicity, they may cost less, depending on the resource time needed to complete the audit.
  4. Penetration testing requirements. Penetration testing involves a cybersecurity professional attempting to ethically hack into a firm’s system. In doing so, they test the firm’s cyber defenses and identify weaknesses that may need fixing.
     • ISO 27001 audits require penetration testing as part of certification.
     • SOC 2 audits depend on the adoption level. SOC 2 Type I audits usually don’t require penetration testing as part of the procedure, but Type II audits typically will, depending on the auditor and customer needs.

     Regardless, a penetration test is a security best practice for all organizations to conduct on at least an annual basis.

  5. Recertification. Cybersecurity never stops evolving. To that end, both standards require regular audits to ensure you’re still compliant. SOC 2 requires yearly audits, while ISO 27001 requires you to have an audit once every three years.

As with other ISO standards that you may have deployed at your organization, it is recommended, and sometimes required, to have internal auditing processes that show improvement and compliance on a regular basis. By auditing internally you can ensure compliance, maintain processes, and continuously improve.

Conclusion 

SOC 2 and ISO 27001 have many similarities and some differences, but both benefit your organization through rigorous security standards that demonstrate your commitment to information security, processes, and policy. Their most material differences come down to cost and market applicability. You may at some point want to achieve both, but SOC 2 is a good starting point for companies looking to prove their dedication to secure systems and controls, as it’s a bit more flexible.

Stay tuned: in our next blog on this topic we will explore HOW to get your SOC 2 report and your ISO 27001 certification. In the meantime, if you have questions about cybersecurity or controls, reach out to us at info@peters.com. We are happy to help!