What’s the difference between ISO 27001 and SOC 2? Good question.
SOC 2 is becoming increasingly popular as more and more service providers are being asked for tangible evidence that the services they provide – are trustworthy and resilient. This is a direct result of the recent dramatic rise in cyber breaches sourced to the victim organisation’s supply chain.
Consequently, verifying the security integrity of a service provided by another organisation has become a critical issue and a good way to do so is to obtain a third-party verification. But what is SOC 2, and how does it differ from compliance to the ISO/IEC-27001: 2013 information security systems management standard? It’s apples and oranges. Let’s take a look.
What is SOC 2?
SOC 2 is a suite of reports that result from an audit, performed by an independent Certified Public Accountant (CPA) or accountancy firm. The reporting content of these reports is defined by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report essentially validates the internal controls associated with the information systems providing services. The contents of a SOC 2 Report should be comprised of:
- Management Assertion: A statement of confirmation by the supplier management that the systems in scope of the provided services are described accurately.
- Auditor’s Report: A summary of tests performed in the audit and associated results as well as a detailed statement from the Auditor regarding the effectiveness of the supplier’s controls against Trust Services Criteria in scope.
- Systems Overview: A detailed description of the systems and services in scope of the report.
- Trust Services Criteria: Documentation of the controls in place and their effectiveness in ensuring the criteria, in the scope, are met.
- Testing Matrices: Evidence for the effectiveness of the controls. This may be in the form of KPIs, audit reports, penetration tests, incident logs etc.
The Trust Services Criteria
That last point is a critical part of the report. In a SOC 2 report, the Auditor addresses the supplier’s implementation of controls specifically against five Trust Service Criteria (TSC), providing answers to crucial questions:
- Security: Are the services and the systems they run on protected against security risks and potential compromise – so the organisation can achieve its stated objectives?
- Availability: Are the services and systems protected to ensure they are available when required – so the organisation can achieve its stated objectives?
- Confidentiality: Is access to the services and systems they run on limited to authorised personnel only – so the organisation can achieve its stated objectives?
- Privacy: Is personal information appropriately managed – to allow the organisation can achieve its stated objectives
- Processing integrity: Do the systems ensure the trustworthy processing of information when authorised – so the organisation can achieve its stated objectives?
As you can see, all of the criteria are considered in light of role against the organisation’s “stated objectives”. Put a pin in that idea.
The Report Types
The next item to understand is two types of SOC 2 reports: Type 1 and Type 2. A SOC 2 Type 1 Report details the description of the services (and the systems that deliver them) and confirms that the suppliers’ “proposed controls” support the stated objectives of its organisation. Okay then…
A SOC 2 Type 2 Reports also details the description of the services (and the systems that deliver them) but confirms that the deployed controls actually support the organisation’s stated objectives. It goes further by confirming whether the controls perform as intended over a period of time (generally between 6 months and 1 year).
So, where a SOC 2 Type 1 Report verifies that the supplier has deployed controls to meet their stated service delivery objectives – a SOC 2 Type 2 Report verifies that they have deployed controls to meet their stated service delivery objectives and that they are effective.
SOC reports are good for one year from their date of issue by the CPA and require re-attestation annually, thereafter.
The Thing to Remember
Here’s an important piece to remember when it comes to a SOC 2 – the audit is not an objective statement of compliance or non-compliance. The audit report is only the subjective opinion of the Auditor. In fact, there is no template framework for reports, and reports vary from Auditor to Auditor. Reports do not certify compliance to the SOC 2 criteria, they are only the attestations of compliance (opinions) issued by a licensed CPA. Put a pin in that as well.
What is ISO 27001?
ISO/IEC 27001:2013 (or ISO 27001) is the internationally recognised standard that defines a framework of requirements and controls for an effective information security management system (ISMS) published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC).
ISO 27001 was developed to help organisations, regardless of their size or industry, protect the information they process, store and transmit in a systematic, cost-effective way through implementing an ISMS tailored to the business.
The objective of ISO 27001 is to enable the organisation to protect three aspects of information:
- Confidentiality: To ensure that only authorised persons can access information
- Integrity: To ensure that only authorised persons can change the information
- Availability: To ensure that the information is accessible to authorised persons when needed
These objectives are reached by a continual process of identifying, minimising and managing the risks to the organisation’s information through the implementation and integration of an ISMS across the business. The objective then is risk management through security controls.
The ISO 27001 standard is comprised of 10 clauses and 114 security controls grouped into 14 sections known as “Annex A”.
Controls established in clauses 4-10 of the standard are mandatory, which means that they all must be implemented for an organisation to be compliant, while controls from Annex A must be implemented only if declared as “applicable” in the Statement of Applicability.
The end result is a definitive ISMS customised to the organisation’s practices to ensure effective risk management. As end results go, this is hard to beat.
An organisation can obtain ISO 27001 certification by requesting an accredited certification body to perform the audit and, if successful, issue a certification certificate. The certification body certifies that both the mandated requirements (clauses 4-10) and the controls identified by the organisation in the Statement of Applicability have been implemented and produce evidence.
Once a certification body issues a compliance certificate, its valid for three years, during which they will return annually to perform “surveillance audits” to ensure the organisation is both maintaining and maturing the ISMS. Certification then essentially means that the organisation has a proven framework to meet the constantly changing risk landscape.
The Difference: Apples & Oranges
It’s this simple. SOC 2 is a (subjective) Accountant’s attestation that an organisation’s information security controls conform to their stated design and operation objectives against a defined set of criteria (TSC). Apples.
ISO 27001, on the other hand, is an objective international standard that establishes ISMS requirements for an organisation to effectively identify, minimise and manage the risks to their information. Oranges.
Here’s a high-level comparison to help you remember:
This should give you a better understanding of your appetite and if an apple or an orange may be right for you. To learn more about Risk Crew SOC 2 and ISO 27001 services please give us a call or find out more information on our website.