The new SOC 2 Trust Services Criteria (TSC), which the AICPA updated back in April 2017, are now required for SOC 2 reports as of December 15, 2018. These updates reflect the biggest change to the SOC 2 criteria to date.
- New “buckets” parallel ISO 27001 – The new TSC integrates the familiar SOC 2 security, availability, processing integrity, confidentiality and privacy “buckets” with the COSO 2013 framework, which closely parallels ISO 27001.
- Emphasis on risk – There is overall a much stronger emphasis on addressing cybersecurity risk, which also brings SOC 2 closer to ISO 27001 in its scope and focus.
- SOC 2 Change Management – Some of the core elements of ISO 27001, that are now part of the SOC 2 world for the first time, relate to risk assessment, governance and top management involvement in establishing security criteria. All these go beyond controls and may require significant shifts in organizational culture.
While the question, “Should my company get an ISO 27001 certification or a SOC 2 report?” still might take some due diligence to answer, the recent SOC 2 update changes the playing field for the comparison.
What the SOC 2 Changes Mean For You
Based on early experience and conversations with industry peers and potential clients, a consensus is emerging that the addition of new criteria will significantly increase the cost and time required to achieve and maintain a SOC 2 attestation. The changes will also significantly increase companies’ preparation time for a SOC 2 Report Readiness project.
Formerly, the cost associated with a SOC 2 audit and an ISO 27001 audit were roughly equivalent. But now a SOC 2 audit is likely to cost 30% to 50% more than before. The jump in cost and effort isn’t surprising, given the scope change required to put in place and demonstrate adherence to governance, risk assessment/risk management, senior leadership involvement and other new SOC 2 criteria.
It seems clear that establishing an ISO 27001-compliant information security management system (ISMS)—whether certified or not—would likely make a SOC 2 attestation straightforward to achieve. In fact, what businesses need to establish, implement, maintain and improve in terms of processes and controls is now so similar between the two frameworks that moving towards ISO 27001 certification could arguably be the fastest, most cost-effective and most predictable path to a SOC 2 attestation.
Why would anybody seek ISO 27001 certification as a stepping stone to SOC 2?
One reason is that the path to ISO 27001 certification is well established in the industry, whereas the path to SOC 2 is currently new and yet to be defined. Very few consultants (or in-house experts) have experience with the new SOC 2 guidance, and there are not a lot of examples out there to learn from yet. Even mature organizations may encounter situations where they aren’t entirely sure how to move forward towards the new SOC 2.
Why would a company want to work towards ISO 27001 and SOC 2 in parallel?
Simple cost/benefit: the total cost over time to achieve both could be fairly close to the cost of achieving ISO 27001 certification alone, while the ability to meet the demands of stakeholders regarding either attestation could be a significant competitive differentiator. Conversely, organizations pursuing SOC 2 without the benefit of the ISO 27001 approach may run into trouble trying to remediate findings that would be addressed naturally as part of ISO 27001 certification.
If your organization is considering pursuing a SOC 2 or ISO 27001 attestation, I invite you to contact Pivot Point Security. Our consultants have helped clients align with both frameworks, and we can help you decide where to begin and how to proceed, whatever your starting point.