ISO 27001 vs SOC 2: Which is suitable for my organisation?
By Mark Bird, Last updated: 2022-04-06 (originally published on 2020-12-14)
SOC 2 and ISO 27001 are two of the most prominent security compliance frameworks globally. In this article, Victor, our Security Consultant, explains both frameworks and their intent, and provides guidance on which framework is more appropriate for your organisation.
As your organisation grows, you might begin to receive requests from customers to demonstrate that your organisation and its applications are secure. Most likely, the two terms you will hear most often are ISO 27001 and SOC 2.
When people in the cloud services industry refer to SOC 2 compliance, they are usually referring to a System and Organization Controls (SOC) 2 Type 2 report, which examines the operating effectiveness of an organisation's controls over a defined period. There are other variations of SOC report (e.g. SOC 2 Type 1, SOC 1 Type 1), but SOC 2 Type 2 is the flavour most relevant if you are a start-up with a cloud service trying to demonstrate security assurance to your customers. Importantly, SOC 2 is developed by the American Institute of Certified Public Accountants (AICPA).
On the other hand, ISO 27001 is developed by ISO (the International Organization for Standardization). ISO is a standards development organisation made up of experts from various national and industry bodies. ISO 27001 (Information Security Management) sets out the requirements for an information security management system (ISMS); certification confirms that your organisation's ISMS fulfils those requirements. Like SOC reports, there are other variations of the ISO standards. For example, ISO 27017 and ISO 27018 complement ISO 27001 by providing implementation guidance for security and privacy controls in cloud services, respectively.
What is unique about SOC 2?
There are 3 main variations of SOC reports: SOC 1, SOC 2 and SOC 3. SOC 1 is for financial reporting and is not relevant for this article. Essentially, SOC 2 and SOC 3 are reports based on the AICPA Trust Services Criteria (TSC) and cover Security, Availability, Processing Integrity, Confidentiality and Privacy. SOC 2 differs from SOC 3 in that the former contains more sensitive information and is meant for restricted use by the organisation and its existing customers, whereas a SOC 3 report is intended for general distribution. Within SOC 2 there is a Type 1 and a Type 2 report. A Type 1 report is a report on the design of an organisation's security controls at a point in time, whereas a Type 2 report looks at the operating effectiveness of those controls over a defined review period.
During a SOC 2 Type 2 audit, the auditor requires additional evidence to prove that the controls operated, or the procedures were carried out, within the audit period. Such evidence can include screenshots of configurations or logs containing the appropriate data (e.g. timestamps that fall within the period).
Service organisations like cloud service providers (CSPs) can be a risk to their customers. Many cloud service providers are the custodians of their customers' business-sensitive data. Thus, a security breach of a cloud service provider could mean the compromise of their customers' business-sensitive information. Due to this inherent risk, prospective and existing customers might want to understand the security controls a cloud service provider has put in place before handing over their sensitive data. This is where a SOC 2 Type 2 report comes in: the report describes, against the five Trust Services Criteria, the operating effectiveness of the controls the cloud service provider has put in place to protect its customers' data.
Through a SOC 2 Type 2 report, a cloud service provider can therefore demonstrate security assurance to prospective and existing customers.
What is unique about ISO 27001?
ISO 27001 sets the requirements that an organisation's information security management system must meet to be ISO 27001 certified. Above all, ISO 27001 is concerned with organisational information security risk. At the crux of the standard are risk management processes such as risk assessment, risk treatment and risk acceptance. ISO 27001 requires organisations to be aware of the unique risks they face and how these risks are being mitigated. Furthermore, risk management under the standard is an ongoing and iterative process, with organisations continually re-evaluating their risk posture against the changing threat landscape.
ISO 27001 predates commercial cloud services and was not initially intended as a way for cloud service providers to demonstrate security assurance. However, in recent years, complementary ISO standards such as ISO 27017 and ISO 27018 have been developed to help cloud service providers do just that. ISO 27017 provides control implementation guidance tailored for cloud service providers and cloud service customers. Its 'sister' standard, ISO 27018, provides similar control implementation guidance but from a Personally Identifiable Information (PII) and data privacy perspective, for providers acting as PII processors.
Together, the three ISO standards provide a comprehensive security compliance framework for cloud service providers.
Which one should your organisation go for?
It depends. As the name suggests, the AICPA (American Institute of Certified Public Accountants) is USA-centric. Although SOC 2 has grown in popularity globally in recent years, one might still encounter difficulties when trying to find an auditor outside the USA. In comparison, ISO 27001, a global information security management standard, has no shortage of accredited auditors.
Lastly, SOC 2 is a highly technical audit that requires the auditee to provide a significant amount of evidence at the control level. Based on the evidence provided, the auditor then issues an opinion (also called an attestation) on whether the controls were suitably designed and operated effectively to achieve the organisation's service commitments and system requirements. A report that describes the tests performed and their results is also provided, which is what customers typically ask to see.
In comparison, ISO 27001 is a management standard that looks at security from a top-down view. Having an ISO 27001 certificate means that your organisation has implemented an information security management system that meets the requirements of said standard. ISO 27001 does not prescribe a fixed set of controls that every organisation must have; its Annex A provides a reference list of controls from which the organisation selects, and justifies in a Statement of Applicability, the controls needed to treat the risks identified in its own risk assessment, in line with its risk appetite.
Pragma is a cybersecurity consultancy with global headquarters in Singapore, Australia, Vietnam and the UK. Our strong partnerships and investment in an experienced team are demonstrated in these four solutions; Cyber and Regulatory Consultancy, Incident Response, Cloud Security and Security Testing.