ISO 27001 vs SOC 2 – Which is better for your organisation?

“Do you have ISO 27001 certification?” “We only do business with organisations who have SOC 2 accreditation.” As a startup you may be asked questions just like these frequently by customers, auditors, regulators, the board, and many others.

But, if there is a choice of ISO 27001 vs SOC 2, which one should you be pursuing? Or should you aspire to achieve both? In this article we provide an introduction to both as a starting point to making a decision about ISO 27001 vs SOC 2 for your startup.

ISO 27001 vs SOC 2: What are the differences?

Both ISO 27001 and SOC 2 are information security standards designed to allow organisations to demonstrate their commitment to information security. They have many elements in common, but they also differ slightly in their scope, requirements and audit processes.

What is ISO 27001?

The ISO/IEC 27001 certification is an internationally recognised standard for information security management. ISO 27001 has a strong emphasis on the ISMS, or Information Security Management System, which requires organisations to take a risk management approach towards the information security threats facing their organisation.

ISO 27001 is jointly managed by the International Organization for Standardization and the International Electrotechnical Commission.

What is SOC 2?

SOC 2 is an attestation rather than a certification. It states that an organisation has developed a programme for protecting customer information. In order for an organisation to obtain SOC 2, an external auditor must issue a report, or attestation, confirming that they approve the programme.

There are two types of SOC 2 reports issued by auditors:

SOC 2 Type I reports confirm that a vendor has an information security programme, or control design, suitable to meet the relevant Trust Services Criteria.

SOC 2 Type II reports verify, through specific testing procedures, that the controls are operating effectively.

In addition to SOC 2, there are also SOC 1 reports, which are issued for financial controls (and are therefore not relevant for most companies), and SOC 3 reports. SOC 3 reports use the same audit criteria as SOC 2 reports, but the report is less technical and more general, making it suitable for publication.

SOC 2 was created by AICPA (American Institute of CPAs).

ISO 27001 vs SOC 2 main comparisons

|                                  | ISO 27001                                                                                         | SOC 2                                                            |
|----------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------------------|
| Geographical scope               | International                                                                                     | Mostly North America                                             |
| Output                           | Certification                                                                                     | Report/attestation                                               |
| Aimed at                         | All organisations in any industry                                                                 | Service organisations in any industry                            |
| Auditing bodies                  | Accredited certification bodies                                                                   | Any CPA                                                          |
| Certification validity           | Three-year certification; interim audits in years 2 and 3                                         | Annual audit                                                     |
| Prescriptive controls/criteria   | Information Security Management System: 114 controls in 14 areas, plus another 10 management system clauses | Trust Services Criteria: 5 criteria areas, only Security is mandatory |
| Time to complete                 | At least 6 months                                                                                 | 2 to 3 months                                                    |

The above table sets out the key elements of each accreditation.

Who should get ISO 27001 and SOC 2 accreditation?

ISO 27001 provides a framework of policies and processes around which organisations of any size, in any industry, can protect their information security.

By contrast, SOC 2 is aimed at organisations that provide services and systems to client organisations.

Scope of ISO 27001 vs SOC 2

The scope of ISO 27001 is more extensive than that of SOC 2. ISO 27001 encompasses the entire organisation, including its processes and documentation, while SOC 2 covers only the service in scope; the rest of the organisation is not considered in the SOC 2 audit.

A further difference is the way in which they are maintained.

ISO 27001 requires proof of an ongoing information security management programme. ISO 27001 certification is valid for three years, with interim audits in years two and three of the cycle aimed at verifying that the organisation has a full information security management system in place that is regularly reviewed and updated based on changing risk.

ISO 27001 is designed around the Information Security Management System (ISMS) which must address the 10 clauses and 114 controls (Annex A) contained in the ISO 27001 standard. Organisations may exclude selected controls based on a legitimate justification.

The clauses and controls are designed to touch every area of information security, including organisational commitment to information security, risk identification and management, and specific areas of information security including access control, human resources security, secure development practices, physical security, business continuity, incident response, and more.

SOC 2 is an attestation that is renewed each year with an annual audit. Every year, the organisation must prove that a relevant information security programme has been designed (Type I), and that the security controls to protect customer data are in place (Type II).

SOC 2 is more flexible than ISO 27001. In order to receive a SOC 2 report, organisations must demonstrate that they have met the requirements set out in the Trust Services Criteria relevant to their business. SOC 2 defines five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

Out of these five trust service criteria, only the Security principle is mandatory, and organisations can select other criteria based on their unique circumstances. Each of the criteria has defined requirements (but not controls) that must be met in order to achieve the criteria.

ISO 27001 vs SOC 2 audit process and outputs

Preparation for both ISO 27001 and SOC 2 is fairly similar. Best practice suggests that organisations should carry out the following preparation activity:

  • Carry out a gap analysis exercise against the ISO 27001 Annex A controls, or the SOC 2 trust service criteria
  • Identify the organisation’s information security risks and how those risks are addressed
  • Identify which controls can be excluded (ISO 27001), or which criteria are relevant (SOC 2)
  • Implement any identified actions to close gaps in the information security programme

This preparation typically takes two to three months for SOC 2, and can take six to twelve months for ISO 27001.

An ISO 27001 certification audit is split into two sections. Stage 1 will examine the organisation’s compliance with the clauses set out in the standard, while the Stage 2 audit will examine compliance with the Annex A controls. The final output of the audit will be a pass or fail and certification.

The SOC 2 audit will test the controls defined by the organisation in their information security programme. The output of the audit is a detailed, unique SOC 2 report, which sets out all of the following: an opinion letter, a management assertion, a detailed description of the system or service, details of the selected trust services categories, tests of controls and their results, and any relevant additional information.

Which is better: ISO 27001 or SOC 2?

ISO 27001 and SOC 2 both aim to achieve the same outcome – assurance that an organisation has an information security programme in place. There is significant overlap between the two, and attaining one standard can support attaining the other.

However, ISO 27001 is an international standard based in Europe, while SOC 2 is more closely associated with North America. Many organisations based in North America, or who aim to provide services to customers in North America will aim to get SOC 2 attestation, but outside of North America, ISO 27001 is much more popular.

Another consideration is that SOC 2 doesn’t contain details about how to implement it. As a result, some organisations may choose to build their SOC 2 compliance programme around the ISO 27001 framework, which is more comprehensive and designed to create a more rigorous cybersecurity programme. This may make it possible for an organisation to attain both standards in tandem.

Ultimately, the decision whether to go for one over the other will be based on what your customers want more. However, if you do have to do both, it is worth considering them both in tandem because of the obvious overlaps between the two.

Stay safe