A potential client was trying to decide whether he should pursue a SOC 2 Type II Service Auditor's report or an ISO 27001 certification to address his clients' requests for third-party attestation. In our first conversation, we had discussed the merits of both options, and had come to the mutual conclusion that ISO 27001 provided greater value based on its more comprehensive scope, broader acceptance internationally, and lower overall cost.
So I was surprised when, the next time we talked, he told me that he had decided to pursue SOC 2. He said he hadn’t realized that one of the advantages of SOC 2 that we hadn’t discussed was that it provided greater assurance because it observed the operation of controls over a sustained period of time (generally 6 months), whereas ISO 27001 was only a “point in time” audit.
My sense is that there’s significant confusion and/or misrepresentation around this issue of “assurance period.” I think the most accurate way to differentiate SOC 2 and ISO 27001 in this regard is as follows:
- An ISO 27001 certification (or surveillance) audit is a “point in time” audit of an Information Security Management System that provides assurance of the operation of the ISMS over a one-year period. Surveillance audits are required post certification to maintain certification.
- A SOC 2 audit is an audit of the technical controls specified in the Trust Services Principles that occurs over the course of the observation period (generally 6 months), which provides assurance of the operation of those controls for the length of the observation period.
On this basis, I would argue that despite the fact that each ISO 27001 audit is technically a "point in time" audit, an ISO certificate provides assurance over a longer timeframe than a SOC 2 Type II Service Auditor's report.
Further, an ISO 27001 certification audit is not a direct evaluation of all of the ISO 27002 technical controls that are integral to the operation of the ISMS. Rather, it is an audit of the management system itself, which governs the operation of the ISMS and the environment's technical controls. An ISO 27001 certified ISMS produces artifacts continuously over the course of the year (e.g., security metrics, incident response records, continual improvement records, internal ISMS audits, risk assessments, technical control output, etc.) that provide significant assurance that both the management system elements of the ISMS and the technical controls that are integral to the ISMS are operating as intended. So despite the fact that a 27001 audit is a point in time event, it is assessing the operation of the ISMS over the course of the entire year.
My argument must have been at least reasonably persuasive, as we kicked off that company’s ISO 27001 certification preparation efforts last week.