Many organisations today work with multiple customers, vendors, third party service providers. Adding to that cloud adoption is become a norm thereby extending an organisation’s market presence and striking the balance well with local presence and global execution. Such dynamics gives organisations access to a large range of capabilities however the growth of service providers enabling such dynamics for an organisation has also given rise to greater risk exposure. The latest stats show many data breaches and incidents have occurred largely due to third party vendors and supply chain risk .
 2021 Verizon Data Breach report and 2021 OAIC NDB Report
Such increase in reliance on third parties, increase in market demand, and greater exposure to risk has prompted many organisations to seek Service Organisation Control (SOC) reporting from their service providers. In our last article, we explained what to expect in the different types of SOC 2 engagements with Sekuro.
As an expansion of the article, this article provides a further comparison on organisations adopting SOC 2 and ISO 27001:2013 certification in combination to build a Common Control Framework (CCF), to demonstrate adequate risk management practices. As reliance on service providers have grown, the adoption of these two standards has also gained popularity.
The ISO 27001:2013 information security standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management (ISMS) to manage information security efficiently and effectively. The implementation is verified by an accredited certification body.
A SOC 2 focuses on the system-level controls used to secure service providers’ services where SOC 1 focuses on the internal controls that could impact an end-customers financial reporting, SOC 2 concentrates on the protection and privacy of data held and processed by an organisation as a service provider. The report is verified by a Certified Practising Accountant (CPA).
Many service provider organisations have various compliance regimes and standards adopted to demonstrate increased reliability and security of their system, process and ultimately the security of the information they hold. Whilst working with ISO 27001 and SOC 2 together can come with complications, it also requires careful planning and alignment to gain the efficiency and extra edge that organisations are looking for.
SOC 2, designed by the American Institute of Certified Public Accountants (AICPA) is integrated with Community of Sponsoring Organisations (COSO) framework covering Trust Service Principles (TSPs) including:
- Security: The system is protected against unauthorised access and unauthorised disclosure, or damage to systems.
This TSO serves as the Common Criteria for all SOC 2 reports.
- Availability: The systems controls that keep systems available for operations and as per required availability levels.
- Processing Integrity: The system controls perform in a predictable manner, complete, accurate and timely.
- Confidentiality: The system controls protecting confidentiality of the information as defined, committed and agreed
- Privacy: The system controls related to providing security to personal information, its collection, use, retention, disclosure and destruction.
With the latest changes to ISO 27002: 2022 and upcoming changes to ISO 27001, the following section focuses on gaining efficiencies by working with SOC 2 and ISO 27001.
ISO 27001 and SOC 2
ISO 27001, a certifiable standard, is an international standard for implanting a system to manage information security within an organisation. The ISMS upholds the information security fundamentals; confidentiality, integrity and availability of information and apply a consistent risk-based approach to secure organisations’ critical data and its overall management.
SOC 2, released by AICPA, is the reporting standard used to describe how an organisation designs and operates its controls. The controls are described in the framework most commonly known as the Trust Services Criteria (TSC) and related to 5 TSC mentioned above.
SOC 2 assessments are point in time assessments. The assessment includes Type 1 and Type 2 assessment:
- Type 1– assesses the effectiveness of each controls design as implemented on a specified date.
- Type 2 – assesses both the design as well as operating effectiveness of the controls.
The testing requirements of SOC 2 and ISO 27001 differ however there are similarities in SOC 2 TSC and ISO 27001 clauses and Annex A controls. The section below provides some similarities.
However, the SOC 2 requirements have specific requirements that are mandated by the framework and do not necessarily map directly against ISO 27001. Some of these high-level criteria in SOC 2 include:
- CC3.3: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- CC2.1: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
- CC1.2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
In a SOC 2 assessment, when a deficiency is identified in the design or operating effectiveness of a control, it is referred to as an exception. If the exceptions in the design or operating effectiveness of control are significant enough to disqualify one or more criteria from being achieved, the SOC 2 report will state the finding in the Management ‘s Assertion and Auditor’s Opinion sections that one or more criteria were not met.
An ISO 27001 provides a certificate upon passing of an audit. ISO 27001 findings are referred to as conformities or non-conformities, and an organisation is not recommended for certification if a major non-conformity is identified and until it is resolved to auditors’ satisfaction.
SOC 2 reporting is mainly comprised of:
- SOC 2 attestation report with auditor opinion issued in the report
- Management Assertion
- Description of the entity and its system in scope
- Details testing results
ISO 27001 report on the other hand includes:
- ISO 27001 audit report
- ISO 27001 Certificate – as per the scope of the audit
- Subsequent audit reports are issued during the periodic surveillance audits
ISO 27001 audit reports do not include opinions and provide details on audit scope, audit findings, conformances and non-conformances, and conclusion of the audit. Upon issuance of the certificate the Statement of Application (SOA) version, date, scope, and issuance dates are recorded.
The conclusions reached for a SOC 2 Examination and an ISO 27001 certification also differ.
A SOC 2 Examination does not provide a certification. It is correct to say you recently completed a SOC 2 Examination while it is incorrect to say you completed a SOC2 compliance certification. Further, in a SOC 2 Examination, when a deficiency is identified in the design or operating effectiveness of a control, it is referred to as an exception. If the exceptions in the design or operating effectiveness of a control (standalone or in aggregate) are significant enough to preclude one or more criteria from being achieved, the SOC 2 report will state within the Management’s Assertion and Service Auditor’s Opinion sections that one or more criteria were not achieved (qualified).
Alternatively, an ISO 27001 provides a certification. ISO 27001 deficiencies are referred to as non-conformities, and a certification cannot be obtained if a major non-conformity exists.
SOC 2 Attestation vs ISO 27001 Certification
ISO 27001 is a three-year certification process which includes at least annual surveillance audits (year 2 and 3) conducted by a Certification Body post the initial certification attainment. After the years of certification anniversary, organisations are required to go through a re-certification audit. ISO 27001 audits are point in time risk-based audits using a sampling approach.
SOC 2 attestation and the selected controls testing is conducted based on the period defined in the report. SOC 2 reports provide assurance assessments for the audit period only and require at least an annual audit for the selected controls. Any additional controls and changes in the environment trigger an audit and follow the audit process lifecycle mentioned.
- A SOC 2 Type 1 is a point in time assessment of the design effectiveness of the controls and the reporting clearly states the assessment date.
- A SOC 2 Type 2 report entails testing for a certain period where the testing is carried out on the design and operating effectiveness of the controls for that selected period.
Sekuro | Your trusted single partner for compliance
Trusted by leading organisations across the globe, Sekuro provides advice with accountability, assurance & compliance with credibility, digital transformation with the world’s best technology vendors, and managed services with insight and flexibility. Sekuro consultants have been providing practical guidance to organisations for many years. We help meet and maintain compliance to a broad range of professional standards including ISO 27001 and ISO 9000, PCI DSS and more. Sekuro can be your trusted single compliance partner providing one-stop comprehensive solution by considering both the technical and business aspects to not only enable informed and prioritised decision making but also encompass assessment vectors such as People, Policy, Technology, Cyber Security Products and Third-party to provide one cyber security assessment platform. Our approach is always to bring efficiencies in your compliance regimes, remove redundancies and achieve continual improvement under a one single Common Control Framework (CCF) satisfying all your compliance needs.
From the excellence of our delivery to the integrity of our people, we put care into everything we do and see every client as a #clientforlife.
Prashant Haldankar is a co-founder and the Chief Information Security Officer (CISO) at Sekuro, a global cyber security and digital transformation company headquarted in Sydney, providing end-to-end cybersecurity and digital resiliency services and solutions. Prashant leads the business resilience function globally with extensive experience establishing and maintaining cyber security visions, strategies and information asset protection frameworks for enterprises.