Combine ISO 27001 and SOC 2 easily



You want to improve the management of your information system, but you are hesitating between ISO 27001 and the SOC 2 report, which are the main frameworks for ISMS controls.

What would combining the two standards bring to your business?

If you want to be enlightened, just read this article.

Stay tuned: you will find a free map of the two standards at the end of this article. It will help you understand SOC 2 criteria and ISO 27001 requirements. It will also make it easier for you to implement a SOC 2 compliance project if your ISMS is already ISO 27001 compliant, and vice versa.


Combine SOC 2 and ISO 27001, why will my business need it?

Scope of the frameworks

SOC 2 and ISO 27001 cover basically the same topics, i.e., the security controls applied to processes, technologies and policies in order to protect sensitive information.

According to specific studies, the two frameworks share between 83 and 96% similarities. The main difference between them is the way that the required controls are identified.

Indeed, for both of them, it is up to each organization to establish its customized statement of applicability and therefore to design the controls considering the scope and the result of a preliminary risk assessment. The binding nature of the controls differs slightly between the frameworks: ISO deals with requirements whereas SOC 2 is about criteria.

What are ISO 27001 specifications compared to SOC 2 ones?

ISO is a comprehensive method of managing information security practices that focuses on the development and maintenance of an ISMS (Information Security Management System).

To achieve ISO 27001 compliance, you will have to conduct a risk analysis, map the risks and review your controls in order to measure the efficiency of your ISMS.

The SOC 2 report is more customizable. The content of the report is defined by the American Institute of Certified Public Accountants (AICPA) and, as such, is generally adopted by North American companies. SOC 2 validates the internal control system of the service organization. The report is based on five categories called Trust Service Criteria (TSC, formerly Trust Service Principles): security, availability, integrity, confidentiality and privacy. Only the security criteria are required in the final report.


Also, if your ISMS is freshly made, you should consider starting your compliance program with TSC Security alone (also known as "Common Criteria"). This approach will make your process even easier while you are getting on your feet. You can implement an internal control system related to the other TSCs later, but this is not necessary to get the SOC 2 report.



How to get a certificate?

External auditors

To get an ISO 27001 certification or obtain a SOC 2 report, you will need an external audit.

ISO 27001 certification requires an accredited certification body, whereas an approved CPA (Certified Public Accountant) provides the opinion included in the SOC 2 report. In Europe, most of the auditors approved for SOC 2 are accredited to perform an ISO 27001 certification audit. Indeed, many audit firms offer to perform the ISO 27001 and SOC 2 audits simultaneously, which is interesting for pooling costs (expect costs around 30% lower for simultaneous compliance than for two successive projects; this is of course an average estimate).

Three steps to get it!

Running the two projects in parallel will necessarily save you time, since the certification process, in three steps, is the same for ISO 27001 and SOC 2.

  • In each case, you will need to start with a gap analysis in order to identify which points of your ISMS already match the frameworks and to build the mitigation plan needed. The matrix downloadable below allows you to visualize the overlapping areas and will make your job easier. For ISO 27001 as for SOC 2, you will have to define the scope of the ISMS, the security objectives and the security metrics that will be covered by the certification and/or the report.

  • The next step is the statement of applicability, which means identifying the security controls to implement according to the ISMS scope. This is the part of the process where you have to formalize your processes and applicable controls in order to improve them with regard to the framework. In other words, this is where your repository is created: policies, procedures, guidelines, operating methods, etc.

  • Finally, you can choose to carry out a mock audit, either internally or externally. We recommend the external option if you feel financially able to do so, since it is difficult to be both the judge and the jury.

How long does it take to get certified?

Various factors will affect the duration of the compliance process:

  • the gap that you initially identified,

  • the complexity of your processes,

  • the degree of maturity of your information security management system

  • your resources (internal and external)

Allow between 9 and 12 months in most situations.




Key points:

SOC 2 versus ISO 27001

The SOC 2 standard is easier, faster and therefore less expensive to set up and maintain than ISO 27001, but it is also less rigorous and less widespread. In addition, there is no "passed or failed" with SOC 2, but only the auditor's opinion on the suitability of the controls. It is not a "certification".

Generally, meeting SOC 2 requirements is greatly simplified if the ISMS is already ISO 27001 certified.


When would you double your compliance framework?

In some cases, it could be interesting to go for both SOC 2 and ISO 27001 compliance programs:

  • The degree of maturity of the security processes of your information system does not allow you, at first, to be ISO 27001 certified. You can then start your compliance program with a SOC 2 report focused on security, which will facilitate an ISO 27001 certification in the future.

  • You are implementing an ISO 27001 certification process (which can take a long time) and you want to have a business advantage before being ISO 27001 certified. A SOC 2 report is easily reachable midway.

  • You wish to address the North American market and more particularly, the Banking, Finance and Insurance sectors.

In short...

Finally, there are two ways to consider your compliance program: provide a SOC 2 report from an ISMS already certified ISO 27001, without major additional cost and effort, or start an ISO 27001 compliance program and produce a SOC 2 report at mid-point.