Double your ISO 27001 certification with a SOC 2 report effortlessly
You want to improve the management of your information system but you have trouble deciding on the directives to follow, those of the ISO 27 001 standard or those proposed by the AICPA for the SOC 2 report (Service Organization Control 2) ?
Or is your organization's ISMS ISO 27001 certified and you want to add additional controls to address the American market or simply to use your SOC 2 report as a marketing tool giving you a clear competitive advantage?
We have chosen to deal with these two information security and risk management frameworks because they are the most widely used ISMS repositories around the world, each with its advantages and disadvantages.
At the end of this article, you will find a link to a form to obtain a comparative matrix between the requirements of the two repositories. This Excel tool (free, of course) will make it easier for you to implement a SOC 2 compliance project if your ISMS is already ISO 27001 compliant and you want to embark on this adventure.
SOC 2 and ISO 27001 cover very much the same topics, that is, the security controls of processes, policies and technologies intended to protect sensitive information.
According to specific studies, the two benchmarks share between 53% and 96% similarities depending on the TSP. The essential difference between these two frameworks is the way in which the security controls to be implemented are determined.
Indeed, for the two standards, it is up to each organization to establish its declaration of applicability and therefore to choose the controls to be implemented (in particular after a risk analysis). But it's the way of establishing this applicability of controls that differs slightly depending on either benchmark.
ISO 27001 focuses on the development and maintenance of an ISMS, it is a comprehensive method of managing information security practices. To achieve ISO 27,0001 compliance, you will need to perform risk analysis, identify and implement security controls, and review their effectiveness on a regular basis.
As for the SOC 2 report, on the other hand, the rules are much more flexible. The content of the report is defined by the American Institute of Certified Public Accountants (AICPA) and, as such, is generally applicable to US companies. SOC 2 validates the internal controls related to the information systems involved in the services provided, on the basis of five semi-superimposed categories called Trust Service Criteria (TSC): security, availability, integrity, confidentiality and protection of personal data (privacy) , but only the first of them, that is, security, is mandatory.
Also, if your ISMS is less mature, you may well consider starting your compliance program with TSC Security alone, also known as “Common Criteria”. This approach will make your process even easier while getting you on the right track. You can later implement internal controls related to other TSCs but this is not necessary to get the final report.
Whether for SOC 2 or for ISO 27001, you will need to perform an external audit to be certified or obtain a certificate from the auditor.
The only difference in the audit process is the quality of the auditor. An accredited certification body is required to obtain ISO 27001 certification. However, a SOC 2 attestation report can only be produced by an approved CPA (Certified Public Accountant). In reality, most of the auditors approved for SOC 2 are also competent to carry out an ISO 27001 audit. Moreover, many organizations offer you to carry out the ISO 27001 and SOC 2 audit simultaneously, which can be interesting. to pool costs (count around 30% less costs for simultaneous compliance rather than two successive projects. This is of course an average).
Running the two projects in parallel will necessarily save your time since the certification process, in three steps, is the same for ISO 27001 and SOC 2.
In either case, you will need to start by performing a gap analysis to identify the areas of the benchmarks with which your ISMS is already compliant and the areas where you need to make improvements. The matrix that I suggest you download allows you to visualize the overlapping requirements and will make your job easier. For ISO 27 001 as for SOC 2, you will have to define your security objectives and the perimeters of your entity which will be covered by the certification or the report.
Next comes the declaration of applicability, i.e. the identification of the appropriate security controls and the necessary measures to be implemented. This is usually a particularly time-consuming part of the process of formalizing your processes and practices in order to improve them. Clearly, create your documentary repository: policies, procedures, guidelines, operating mode ...
Finally, you can choose in either case to carry out a mock audit, either internally or externally (I recommend this second option if you have the means, it is indeed difficult to be a judge and part).
Finally: the audit.
The duration of the compliance process depends on the gap you initially noticed, the complexity of your processes, the degree of maturity of your information security management system and of course your resources ( internal and external).
SOC 2 versus ISO 27 001
The SOC 2 repository is easier, faster and less expensive to set up and maintain, but it is also less rigorous and less widespread. Furthermore, the SOC 2 report does not require an objective "pass or fail" component, only the auditor's opinion. SOC 2 is not a "certification".
Also, generally (there are exceptions) meeting SOC 2 requirements is extremely simplified if the ISMS is already ISO 27001 certified.
In summary, the cases where doubling your compliance benchmark may be of interest are as follows:
The degree of maturity of the security processes of your information system does not initially allow you to be ISO 27001 certified. You can then start your compliance program with a SOC 2 report focused on security, before venturing into an ISO 27001 approach, which will be made easier.
You are undertaking an ISO 27001 certification process (which can take a long time) and you want to have a "compliance asset" to promote to your prospects and customers midway through.
You are ISO 27001 certified and you wish to address the North American market and more particularly, the Banking, Finance and Insurance sectors.
Keep in mind, however, that we cannot really compare ISO 27 001 and SOC 2 since SOC 2 is an audit report, while ISO 27 001 is a standard for setting up a safety management system. information. There are therefore two ways to double your certification of a SOC 2 report: implement an ISO 27001 certified ISMS to provide a SOC 2 report, without major additional cost and effort, or start a compliance program by producing a SOC 2 report beforehand. to tackle ISO 27001.