Choosing SOC 2 vs ISO 27001

Two popular security standards commonly referenced these days are SOC 2 and ISO 27001 certification. These two standards have many shared requirements, especially in how you implement and operationalise certain controls, including policies, processes and the technical solutions you’ve used to meet their requirements (and protect your information). 

The reality is that as many as 96% of the requirements stated in both standards overlap. So, if this is the case, how do you decide which standard to go for, if you are beginning the process of improving your security capability without the decision being driven by an external party (such as an industry body or customer market)? 

Let’s look at what matters when making this selection, and the requirements that both standards demand you meet.

Scope

SOC 2 and ISO 27001 are similar in that both are designed to demonstrate your organisation's trustworthiness: you are attesting that you will protect the information and systems relating to your customers.

First, let’s look at the overriding principles of each standard. They both entrench the principles of securing information in terms of confidentiality, integrity and availability. The differences lie in which security controls you implement. Both ISO 27001 and SOC 2 state that organisations need only adopt a control if it applies to them, but the approach to implementation is slightly different for each.

The primary difference between SOC 2 and ISO 27001 is that SOC 2 mainly focuses on proving that the security controls protecting your customer data have been implemented. ISO 27001 additionally demands that you prove you have an operational Information Security Management System (ISMS) in place to continuously manage your InfoSec programme, and several of its controls concern demonstrating that your management systems are in place and regularly reviewed in line with auditing schedules.

To achieve ISO 27001 compliance, you must conduct a risk assessment, identify and implement security controls, and then review their effectiveness on a regular basis to remain certified.

In contrast, SOC 2 offers greater flexibility. It comprises five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the Security principle is mandatory. Organisations can implement internal controls for each of the other principles if they desire, but this is not required to obtain certification.

Market Applicability

ISO 27001 and SOC 2 are both reputable security certifications, accepted around the world as proof that you have adequate information security controls in place. 

If you conduct business with organisations in the United States, they will likely accept either as attestation to your InfoSec programme, as SOC 2 is well known and widely used in America. 

In Australia (and elsewhere around the world) ISO 27001 is much more widely accepted by customers and many will not have heard of SOC 2.

Certification Process

You must complete an external audit to certify against either framework. The main difference is in how this process works and who conducts the audit. For ISO 27001, a recognised, accredited ISO 27001 certification body must conduct the certification audit; an organisation that passes receives a certificate of compliance.

For SOC 2, a licensed CPA (Certified Public Accountant) performs the audit for certification, and the SOC 2 compliance is documented with a formal attestation.

Cost

These certifications have a similar cost in terms of the internal resources you spend implementing security controls and gathering the evidence required to prove conformity with SOC 2 or ISO 27001.

Pricing will vary across the industry depending on the scope of your certification project. ISO 27001 is externally audited by an accredited certification body; this additional external validation provides a further level of assurance, but it does carry a cost overhead.

Certification Renewals

It is customary for both SOC 2 and ISO 27001 certifications to be renewed periodically to remain valid. ISO 27001 needs to be reviewed every 3 years and SOC 2 needs to be reviewed annually.

Project Process and Timeline

The certification process is similar for ISO 27001 and SOC 2; each has three stages to complete.

  1. Gap Analysis – Conducting a gap analysis is imperative. You need to define which areas of the framework are already compliant and the areas where you need improvements. Whilst conducting the gap analysis, it is advisable to define your security objectives and the areas of your business that will be included.
  2. Security Controls – Identify which security controls are appropriate for your organisation and take the necessary steps to start implementation. Document your practices and procedures and establish a method for reviewing and improving the processes.
  3. Audit – The final step is the audit. It is advisable to do an internal audit before the accredited body conducts its audit, if you have the capacity to do this. This allows you to correct any errors before the external audit. When you are confident that your compliance practices are in place, contact a certification body to arrange the external audit.

How long this process takes depends on how much work is needed to bring your practices up to the framework's standards. On average it takes approximately two or three months to implement SOC 2, and three to six months to implement ISO 27001.

Choosing your Framework

Our experts are happy to discuss either of these security frameworks with you in detail and assist you in making the decision of which path is right for your organisation. We specialise in IT governance, risk management and compliance services, with a particular focus on cyber resilience, data protection, cyber security and business continuity, audits, and risk management, as well as penetration testing and vulnerability assessments.

For more information on which security framework is right for your organisation or to discuss certification, contact Sekuro today to talk to an expert.
