The cybersecurity battle for the ages might not be the bad guys vs the security team. It actually might be SOC 2 vs ISO 27001!
This is the question most companies will ask themselves before they even get to the bad guys vs security team part. Thankfully, the answer to the question is easy:
SOC 2 and ISO 27001 take two different approaches to the same problem. Both will have you improving your security program, but in different ways. It’s important to understand the differences between the two, even if your ultimate decision might be the result of something else altogether.
SOC 2 vs ISO 27001 – Two Approaches
While both SOC 2 and ISO 27001 will commonly be referred to as “certifications,” technically only ISO 27001 is one. SOC 2 is actually an attestation. While this might seem semantic, it actually reveals the different approaches the two certifications take to cybersecurity compliance. (I will refer to both as certifications for the rest of this document to keep the grammar simple.)
ISO 27001 is a proper certification. ISO certifies that an organization is following a prescribed set of cybersecurity controls. There isn’t a huge amount of room for variation between different programs at different companies.
ISO 27001 is cybersecurity prescribed.
Meanwhile, SOC 2 compliance comes in the form of an attestation report. The American Institute of Certified Public Accountants (AICPA) publishes guidelines on what a cybersecurity program should accomplish. Then, it’s up to the company to design and implement controls that meet those objectives. The attestation report is the opinion of the auditor on the quality of the controls used and how well the company sticks to them.
SOC 2 is cybersecurity customized.
Both compliance certifications ultimately work towards the same goal and have significant overlap. An organization that has received either a SOC 2 or an ISO 27001 has clearly done a lot of work on its cybersecurity program. Both evaluations focus on sound processes such as access control and change management, along with many technical controls.
But their different approaches ultimately yield some key differences that you should consider when comparing SOC 2 vs ISO 27001.
SOC 2 vs ISO 27001 – Practical Differences
The customized vs prescribed nature of SOC 2 vs ISO 27001 plays out in a couple of different ways.
AICPA SOC 2
SOC 2 gives you many options to build your program. There is one required area of focus (Security), plus four optional ones (Availability, Processing Integrity, Confidentiality, and Privacy), which together make up the five Trust Services Criteria. Choosing which of the five Trust Services Criteria you want to meet is an important part of preparing for a SOC 2 audit.
Further, you can decide whether you want to do a SOC 2 Type 1, which evaluates your security program at a single point in time, or a SOC 2 Type 2, which evaluates your security program over a period of time (usually six to 12 months). That said, SOC 2 Type 2 is viewed as more valuable, and most companies will get a Type 1 first while working towards a Type 2.
The customizability of a SOC 2 program means that it’s important you read the audit report to confirm there is a good program in place. It’s possible for someone to get a SOC 2 attestation with a crummy program – the final report just won’t have nice things to say about the company getting it.
As a bonus for the pandemic world, SOC 2 audits can usually be performed virtually.
As mentioned earlier, with ISO 27001 you meet the standard's required controls and get a certification that tells people exactly what you're doing.
The specificity of ISO 27001's approach means there is a heavy focus on documentation. Policy documentation is important for both SOC 2 and ISO, but ISO takes it to another level. It's very important that your documentation is robust and thorough if you want to get the certification.
The nice thing about ISO 27001's prescriptive nature is that an ISO 27001 certification speaks for itself. If your company is ISO 27001 certified, it's ISO 27001 certified. Further digging isn't as important as it is for SOC 2.
ISO 27001 also has a focus on performing the audit in person. ISO values the time that the auditor spends on site with the company. This is especially true for companies with on-premises servers.
At the end of an ISO 27001 audit, the company gets a certificate stating what was covered, but ISO 27001 does not include a report explaining the program.
Which cybersecurity audit framework should I pick?
The biggest decision criterion for most companies is going to be where their customer base is located. This might seem odd for something like cybersecurity, but it makes a lot of sense when considering the return on investment in a cybersecurity program.
While one (very important!) return on investment is reduced risk of cyber attack, the other, more tantalizing reward is increased sales. As midsize B2B companies begin to grow, they are likely to have potential customers asking them to meet one of these two cybersecurity certifications to close the deal.
Creating a good security program for either SOC 2 or ISO 27001 will significantly reduce your risk of being compromised by a cyber attack. Both do that job, so they are functionally equivalent in that regard. The biggest difference in return between the two is which one will lead to greater sales. The answer to that question is once again:
Specifically, it depends on where your customer base is located. ISO 27001 is the preferred standard in Europe, while SOC 2 is the trend in the US. If you do a lot of business in both regions – good for you – you might need to meet both certifications!
Whether you select a SOC 2 or ISO 27001, the organizational commitment will benefit your organization’s security, help protect your customers’ and employees’ data, and improve how prospects perceive your company.