The two leading InfoSec assurance standards are ISO 27001 and SOC 2 but what's the difference?
Even though these are two different standards, it is important to know that they are actually very similar, with approximately 80% overlap. A mapping of their criteria is available on the AICPA website: https://www.aicpa-cima.com/resources/download/mapping-2017-trust-services-criteria-to-iso-27001
Both standards are used to demonstrate to your customers and end-users that your organization is effectively managing information security. Since 2022, most large enterprises will accept either standard interchangeably to meet the basic due diligence requirements prior to using any software with sensitive data.
What's the difference?
There are both technical and methodology differences beyond the scope of what they cover. Perhaps more importantly, there are varying perceptions and preferences that play a role in their adoption and use in practice.
| ISO 27001 | SOC 2 |
| --- | --- |
| Prescribed Controls | Flexible Criteria |
| Design only | Design + Operations |
| Security only | Security + Operational Criteria |
| Certification | System Description with Attestation |
Key Differences are:
1. Prescribed vs Flexible Requirement
ISO 27001 has eight mandatory requirements and 93 (ISO 27001:2022), previously 114 (ISO 27001:2015), predefined control activities that are considered for all organizations. A justification must be provided for any control that is excluded. The general approach of ISO 27001 places more focus on policies, procedures, and general documentation, which may add more business burden.
SOC 2 has a set of criteria that are flexible to adapt to the nature of the company, systems and services. That makes it a common choice for SaaS providers with outsourced cloud-infrastructure. SOC 2 can be anywhere from 70 to 150 controls, with those controls defined based on what's most relevant and how they actually apply in practice.
2. Design and Operation of Controls
ISO 27001 is a standard for the design and implementation of an information security management system (ISMS), whereas SOC 2 places more focus on how security principles and security controls are in place to address the relevant risks. These risks are considered with respect to the services provided to customers. More regulated enterprise customers, such as those in the financial and healthcare sectors, generally view SOC 2 as providing a higher level of assurance. Operating effectiveness has become a key consideration with standards like CPS 234, and for any security controls around personally identifiable information, where ISO 27001 has been deemed inadequate.
3. Security + Additional Criteria
ISO 27001 focuses purely on information security, with separate ISO standards covering privacy, business continuity and other areas. SOC 2 has optional additional criteria for Availability, Confidentiality, Privacy and Processing Integrity that can be included in the SOC 2 report to meet broader end-user requirements. The flexibility of SOC 2 means it also works well in combination with other standards, such as HIPAA, GDPR, CPS 234 and Consumer Data Right, to name a few.
4. Attestation vs. Certification
ISO 27001 results in a certificate confirming compliance, whereas SOC 2 is an attestation report that provides a "System Description" of the business processes and control practices. The System Description gives end users additional transparency and verified information about an organization's specific business, services and environment. This generally reduces the number of security due diligence questions, as the questions enterprise customers would ask are already answered in the description, in a format that is consistent and verified across organizations. The description also sets out the responsibilities of third-party service providers, the customer(s) and/or the end-users of these services, so that these dependencies are understood.
When determining which standard is right for your organization, consider these high-level differences. Many organizations may eventually comply with both standards to cover their broader customer expectations. The more technical/detailed view comparing the two standards is as follows, including practitioner opinions that are more subjective at the end of the table.
| | ISO 27001 | SOC 2 |
| --- | --- | --- |
| Governing Body | Accreditation Bodies (e.g. UKAS, ANAB, JAS-ANZ) | American Institute of Certified Public Accountants (AICPA) |
| Origination | United Kingdom | United States of America |
| Assessor Requirements | (Accredited) Certification Body | Certified Public Accountant (CPA) |
| Structure | Information Security Framework | Principles and Criteria |
| Scope | Information Security Management System (ISMS) | Services Provided to End Users; Includes Infrastructure, Software, Data, People & Procedures Relevant to those Services |
| Focus | Policy and Processes to establish, implement, maintain and improve an ISMS based on design only | Controls to meet Trust Services Criteria based on design (Type 1) and operation (Type 2) |
| Assurance Coverage | Information Security Only | Security; Optionally includes Availability, Privacy, Confidentiality & Processing Integrity |
| Assurance Approach | Pre-defined; An initial certification is followed by a 3-year period of surveillance audits to maintain the certification | Flexible; The Service Organization decides on the attestation audits to report on control design (Type 1) and operating effectiveness (Type 2) for a chosen date or period of time. This is usually influenced by the end user requesting the SOC 2 report(s) |
| Period | Point in time testing during a certification period | Point in time or period of time |
| Deliverable | A 1-page certification document confirming the organization has met the requirements for certification. | A Report including the System Description, controls to meet the Trust Services Criteria, tests performed by the auditor (Type 2 only) and the auditor and service organization attestations. |
| Practitioner Opinions | ISO 27001 is designed for best practice, in contrast to SOC 2 which follows generally accepted practices. ISO 27001 certification is harder to achieve than a SOC 2 Report. ISO 27001 audits are exhausting from all the face-to-face time. | SOC 2 provides a higher level of assurance by confirming the operating effectiveness of controls over a period of time. SOC 2 is more relevant to customers as its scope is focused on the systems and services provided to those customers. There is a higher level of quality in the SOC review process as it requires a CPA certified firm to complete the assessment. The flexibility of SOC 2 scope, timing and approach can limit the assurance provided to customers. |
Which is More Suitable to Your Organization?
Both standards are intended to provide assurance to your customers. There are three main considerations for what will best satisfy your customers:
Have your customer(s) specifically requested or mandated one of the two standards?
Where are your customers based?
What industries do your customers operate in?
Customers prefer the standard they are more familiar with. Customers based in Europe tend to prefer ISO 27001, whereas SOC 2 is preferred in the US. Regulated industries (e.g. finance, healthcare) generally prefer SOC 2, while less regulated industries and government agencies generally prefer ISO 27001.
In Singapore and across Southeast Asia, there is a large network of ISO 27001 consultants, which we see generally leads to a stronger narrative of support for ISO 27001. Some clients are surprised when their customers and/or end-users mandate SOC 2, saying ISO 27001 is not enough. It is always best to ask your customers. That way, there are no surprises and you can make an informed choice. The best way to manage the expectations of your key stakeholders is to assume both standards will be required at some point. Doing both together from the start can be a great way to cover all bases and achieve efficiencies from the overlap.