ISO 27001 and SOC 2 - Which One is Right For You?

Batya Steinherz
August 29, 2021

If you're part of a startup, or just starting along your Compliance journey, you probably have a lot of questions. You’re likely thinking, “Is Compliance something we have to worry about?”, “Which frameworks are required and which are just nice-to-have?”, and “Why is this so dang frustrating?”  

One question we hear a lot is “Do I need to be ISO 27001-certified or do we need a SOC 2 report?”. (Though to be quite honest, most companies just starting to think about Compliance do not yet know the difference between reports and certifications.)

This is a great question. In this post, I’ll explain the similarities, the differences, and which one you should go for. I may even throw in another haiku. If you're really lucky.

But to start, let’s get one thing straight: SOC 2 and ISO 27k are both really important InfoSec Compliance frameworks. Both provide organizations with a strong degree of assurance that their partners and vendors have attained a standardized level of commitment to security—and if a business doesn't have at least one of them, it will inevitably lose deals and customer confidence. But though they have some common themes, they are not interchangeable and should not be viewed as such.

What is ISO 27001?

Let’s start by introducing ISO 27001. First established in 2005 by the International Organization for Standardization, the framework’s goal is to create a systematic standard for security across all industries. Demonstrating a methodology for security is a core element of ISO 27001, and this is accomplished by reviewing the Information Security Management System (ISMS): the company’s policies and procedures, roles and responsibilities, management involvement in information security activities, budget approval, scope, etc., which together reflect ISO 27001’s objectives.

What is SOC 2?

Then there is SOC 2. Established by the American Institute of Certified Public Accountants (AICPA), SOC 2 covers 5 Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Although organizations can choose the criteria they want to be audited for, the Security Criteria, also called the Common Criteria, are mandatory. Once an audit has been completed successfully, the auditor will present the audited organization with a SOC 2 report, which can and should be given to prospective partners.

How are they similar?

In both frameworks, after some preparation time, an auditor will go through the organization’s evidence (i.e., data shown to auditors to prove they are indeed compliant with requirements) and decide if the evidence shown indicates that they meet requirements. If it does, they will be issued a certificate in the case of ISO 27k, or a report in the case of SOC 2. If they do not, they will be given an opportunity to close gaps or fix mistakes.

The frameworks are clearly similar in goal: SOC 2 and ISO 27k both signal to potential customers and partners that the business is committed to meeting and maintaining rigorous security standards. Both take a lot of effort, and both can be used globally, with some exceptions (more on that below).

So, what's the diff?

But even though they have many similarities, don't assume they are the same. Here are the main differences:

  • ISO places greater focus on the continual upkeep of the ISMS, to ensure the organization upholds its information security management practices going forward, on the assumption that if management is properly involved, the organization really does take security seriously. Thus, the auditor expects to see an information security charter, organizational policy, written procedures, and minutes of steering committee or management meetings discussing the information security budget, program, etc. SOC 2, in contrast, focuses on whether proper and complete information security management practices were upheld during a previous period of time, based on an agreed control environment that is compared with the Trust Service Criteria.
  • Successfully obtaining a SOC 2 report is based on the CPA’s opinion of whether the proper controls are in place and are being met properly, while ISO 27001 is more concerned with management’s involvement and accountability.
  • ISO audits are performed by an accredited ISO 27k auditing body, while SOC 2 is audited by an American CPA.
  • SOC 2 is typically the more expensive and time-intensive framework, but you may wind up consuming more resources on ISO 27k if you're establishing your ISMS from scratch.
  • In the US, SOC 2 is thought of as more credible, and many organizations based in the States will not accept ISO 27k alone. On the other hand, outside the US, many organizations do not recognize SOC 2. This means that your assessment of which one is better for your organization should be based on where your main customer base is; if you do business both within the US and internationally, it would be wise to have both.

Here's the haiku, as promised. You're welcome.

Why not go for both?

The good news is that if you meet one framework, you are not all that far off from meeting the other. ISO 27k and SOC 2 cover a ton of the same security controls and by cross-mapping evidence via automation from one framework to the other, organizations can easily meet both ISO 27k and SOC 2.

That way, you don't need to put your much-needed brain cells towards deciding whether ISO 27k or SOC 2 is a better fit for your organization; instead, you can go for both frameworks and satisfy everyone.

