
    ISO 27001 & ISO 22301 Blog

    Comparison of SOC 2 and ISO 27001 certification

    All over the world, customers are becoming more and more concerned about how vendors working for them can affect their results. As a consequence, they increasingly require evidence showing that the services provided to them are trustworthy, and a way to prove that is by providing a Service Organization Control (SOC) 2 report.

    What is the difference between SOC 2 and ISO 27001?
    • Definition. SOC 2 is a set of audit reports that evidence the level of conformity of an organization’s controls to a set of defined criteria (the Trust Services Criteria, TSC); ISO 27001 is a standard that establishes requirements for an Information Security Management System (ISMS).
    • Geographical applicability. SOC 2 – primarily the United States (it is defined by the AICPA, a U.S. body); ISO 27001 – international.
    • Applicability by industry. SOC 2 – service organizations from any industry; ISO 27001 – organizations of any size or industry.
    • Compliance. SOC 2 is attested by a licensed Certified Public Accountant (CPA); ISO 27001 is certified by an accredited certification body (ISO itself does not issue certificates).
    • What is it for? SOC 2 is intended to demonstrate the security level of systems against a fixed set of principles and criteria, while ISO 27001 is intended to define, implement, operate, control, and improve information security as a whole.

    This article will present how organizations that need to present an SOC 2 report can take advantage of ISO 27001, the leading ISO standard for information security management, to fulfill the report’s requirements.

    What is an SOC 2?

    SOC 2 is a suite of reports produced during an audit, performed by an independent Certified Public Accountant (CPA) or accountancy organization.

    The content of these reports is defined by the American Institute of Certified Public Accountants (AICPA); SOC 2 therefore originates in the United States and is most commonly requested of U.S. service organizations, although customers elsewhere increasingly ask for it as well. SOC 2 validates internal controls over the information systems involved in the provided services, based on five semi-overlapping categories called Trust Services Criteria (TSC).

    Since the content of the reports does not require an objective “pass or fail” component – only the auditor’s opinion, which is subjective – audit reports are not certifiable against SOC 2; they can only be attested as compliant with SOC 2 requirements, and this attestation can only be performed by a licensed CPA.

    There are two types of SOC 2 reports. Type 1 reports describe the services’ systems and assess whether the controls, as designed at a point in time, are suitable to support the objectives the organization wants to achieve. Type 2 reports cover the same ground and additionally test whether those controls operated effectively over a period of time (generally between 6 months and 1 year), which is why customers usually ask for Type 2. Examples of objectives to be achieved by using the services’ systems are increase in profitability, decrease of losses/expenses, operational optimization, fulfillment of legal requirements, etc.

    As mentioned, SOC 2 reports focus on how controls fulfill five semi-overlapping categories, called Trust Service Criteria (TSC):

    Security: Information and systems are protected against risks that can compromise them and affect the organization’s ability to meet defined objectives.

    Availability: Information and systems need to be available when required, so the organization can meet its objectives.

    Processing integrity: System processing is complete, valid, accurate, timely, and authorized, so the organization can achieve its objectives.

    Confidentiality: Information can only be accessed by authorized personnel, so the organization can achieve its objectives.

    Privacy: Personal information is collected, used, retained, disclosed, and disposed of in a way that allows the organization to achieve its objectives.

    The content of an SOC 2 audit report should cover:

    • Management assertion: confirmation by the management that the systems related to the provided services are described fairly in the report
    • Auditor’s report: summary of performed tests and results, and the opinion of the auditor about how effective your controls are when mapped to the Trust Services Criteria
    • Systems overview: detailed description of the system or service
    • Applicable Trust Services Criteria: controls in place, as well as the effectiveness of those controls considering the Trust Services Criteria
    • Additional relevant information

    What is the meaning of ISO 27001?

    ISO 27001 is a standard that defines requirements and controls for the systematic protection of information. Applicable to organizations of any size and industry, the 2013 edition comprises 10 clauses and 114 security controls grouped into 14 sections in Annex A (the 2022 revision reorganizes Annex A into 93 controls in 4 themes; the control numbers used in this article follow the 2013 edition). The Information Security Management System (ISMS), defined in clauses 4 through 10, keeps the organization’s security controls aligned with its desired objectives and outcomes (e.g., market advantage, decrease of losses from incidents, operational optimization) through a risk management approach: controls are selected, and their inclusion or exclusion justified in the Statement of Applicability, based on the results of a risk assessment.

    For more information, read this article: Where to start from with ISO 27001.

    What is the difference between SOC 2 and ISO 27001?

    While SOC 2 refers to a set of audit reports that evidence the level of conformity of information security controls’ design and operation against a set of defined criteria (TSC), ISO 27001 is a standard that establishes requirements for an Information Security Management System (ISMS), i.e., a set of practices to define, implement, operate, and improve information security. The comparison table “SOC 2 vs. ISO 27001: What are the differences?” (summarized in the bullet list at the top of this article) contrasts the two on definition, geographical applicability, applicability by industry, how compliance is demonstrated, and purpose.

    How is ISO 27001 applicable for SOC 2?

    ISO 27001 has at least the following controls that can be used to fulfill the Trust Services Criteria (control numbers refer to ISO 27001:2013 Annex A; each entry is followed by the related reference article):

    Security
    • A.6.1.5 Information security in project management (1 control) – How to manage security in project management according to ISO 27001 A.6.1.5
    • A.6.2 Mobile devices and teleworking (2 controls) – How to apply information security controls in teleworking according to ISO 27001
    • A.8.1.3 Acceptable use of assets (1 control) – IT Security Policy
    • A.11.2 Equipment (9 controls) – How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 and Part 2
    • A.13 Communications security (7 controls) – How to manage the security of network services according to ISO 27001 A.13.1.2

    Confidentiality
    • A.8.2 Information classification (3 controls) and A.13.2 Information transfer (4 controls) – Information classification according to ISO 27001
    • A.9.1 Business requirements of access control (2 controls), A.9.2 User access management (6 controls), and A.9.4 System and application access control (5 controls) – How to handle access control according to ISO 27001

    Processing integrity
    • A.14 System acquisition, development and maintenance (13 controls) – How to integrate ISO 27001 A.14 controls into the system/software development life cycle (SDLC) (this article is about including security features in software development and maintenance)

    Availability
    • A.17 Information security aspects of business continuity management (4 controls) – How to use ISO 22301 for the implementation of business continuity in ISO 27001

    Privacy
    • A.18.1.1 Identification of applicable legislation and contractual requirements (1 control) and A.18.1.4 Privacy and protection of personally identifiable information (1 control) – Relationship between ISO 27701, ISO 27001, and ISO 27002

    Additionally, the evidence gathered during ISO 27001 audits (internal audits and certification audits) as part of the ISMS lifecycle, such as the risk assessment results, the Statement of Applicability, and records of control operation, can be reused, with the participation of an independent CPA, to build the SOC 2 audit report against the Trust Services Criteria (TSC). Note that the CPA must still perform and document their own examination of the controls: an ISO 27001 certificate reduces the preparation effort but is not accepted as a substitute for SOC 2 testing.

    SOC 2 vs. ISO 27001: Which one should you go for?

    In short, it is not a question of ISO 27001 vs. SOC 2, because SOC 2 is an audit report, while ISO 27001 is a standard to establish an Information Security Management System. Therefore, SOC 2 can be viewed as one of the outputs that can be delivered by an ISO 27001 ISMS implementation.

    The proper way to see the relationship between SOC 2 and ISO 27001 is this: although ISO 27001 certification is not mandatory to create an SOC 2 report, an ISO 27001 ISMS can provide, without major additional cost and effort, a solid basis for preparing this report, while also increasing customers’ confidence that the organization can protect their information and support the achievement of their results and desired outcomes in a dynamic way.

    To learn more about ISO 27001 requirements and how to meet them, download this free white paper: Clause-by-clause explanation of ISO 27001.

    Author: Rhand Leal
    Rhand Leal has 10 years of experience in information security, and for 6 years he has continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.