SOC 2 vs. ISO 27001

Updated: Sep-20

The two leading InfoSec assurance standards are SOC 2 & ISO 27001. What's the difference?

Before going into what's different, it's important to note that they are very similar standards. A mapping of their criteria is available on the AICPA website, showing roughly 80% overlap. Both standards are used to demonstrate to your customers that you're appropriately managing your information security.

What's the difference?

Given the similarities, you would expect end users to accept either interchangeably. Unfortunately, that's not always the case. There are technical and methodology differences beyond the scope of what they cover. Perhaps more importantly, there are varying perceptions and preferences that play a role in their adoption and use.

The key differences are:

1. Flexible vs. Prescribed Requirements

SOC 2 has a set of criteria that are flexible enough to adapt to the nature of the company, its systems and its services. That makes it a common choice for SaaS providers with outsourced cloud infrastructure. ISO 27001 has 114 standard, prescribed control practices that are considered by all organisations. The general feedback is that this prescribed approach puts more focus on policies, procedures and general documentation, which adds more business burden.

2. Design and Operation of Controls

ISO 27001 is a standard for the design and implementation of an information security management system (ISMS). SOC 2 places more focus on how security principles are operationalised to address the relevant risks. These risks are considered with respect to the services provided to customers. More regulated enterprise customers, such as those in Financial Services and Healthcare, generally view SOC 2 as providing a higher level of assurance because of this risk-based, operational focus. Operating effectiveness has become a key consideration, with new standards like CPS 234 mandating it for financial services third-party risk management. Read more about this difference in our post ISO 27001 stamped inadequate for Open Banking.

3. Security + Additional Criteria

ISO 27001 is purely focused on information security, with separate ISO standards covering privacy, business continuity and other areas. SOC 2 has optional additional criteria for Availability, Confidentiality, Privacy and Processing Integrity that can be included in the SOC 2 report to meet broader end-user requirements.

4. Attestation vs. Certification

SOC 2 is an attestation report, which provides a "System Description" of the business processes and control practices. ISO 27001 is a certificate confirming compliance. The System Description gives end users additional transparency and verified information about your specific business, services and environment. That generally reduces security due diligence questions, as many of them are already answered in the description. It also sets out responsibilities as they relate to your third-party service providers, and to the customer as a user of your service, to help vendor risk teams understand these dependencies.

Those high-level differences are the main things you should consider when determining which standard is right for you, although many organisations initially or eventually meet both standards. The more technical/detailed view comparing the two standards is as follows.

[Image: high-level differences between SOC 2 and ISO 27001]

Which is More Suitable to You?

Both standards are intended to provide assurance to your customers. There are three main considerations for what will best satisfy your customers:

  1. Have your customer(s) specifically requested or mandated one of the two standards?

  2. Where are your customers based?

  3. What industries do your customers operate in?

Customers prefer the standard they are more familiar with. European customers tend to prefer ISO 27001, whereas SOC 2 is preferred in the US. The more regulated Financial Services and Healthcare industries generally prefer SOC 2, while less regulated industries and government agencies generally prefer ISO 27001.

In Australia, there's a large network of ISO 27001 consultants, which we see generally leads to a stronger narrative of support for ISO 27001. This can be dangerous, as we see some clients surprised when an Australian or international enterprise then mandates SOC 2, saying ISO 27001 is not enough. It's always best to ask your customers. That way, there are no surprises and you can make an informed choice. The best way to manage the expectations of your key stakeholders is to assume both standards will be required at some point. Doing them both together at the start can be a great way to cover all bases and achieve efficiencies from the overlap.

Book a Meeting with us if you want to discuss further, or jump right into our Readiness Assessment software below. In 60 minutes, this will complete a compliance assessment and guide you on what's required for both standards and any others you select (HIPAA, GDPR, Consumer Data Right).