A recent episode of Pivot Point Security’s, The Virtual CISO Podcast, featured special guest Dan Schroeder, CPA, CISA, founder and partner-in-charge of the Information Assurance group at business advisory leader Aprio. Dan and host John Verry (Pivot Point Security’s CISO and Managing Partner and an ISO 27001 Lead Auditor) “unpacked” one of the top information security questions on the minds of customers: should we go for an ISO 27001 or SOC 2 attestation?
After discussing pros, cons and costs of achieving ISO 27001 certification or attaining a positive SOC 2 report, Dan and John both wanted to look at the issue from another angle…
… is getting both attestations the best choice for your business?
As John put it, “I think we can agree, having both worked with clients that have both ISO 27001 and SOC 2… Because of the elegance of the two systems and the pros and cons of each, when you combine them together—those are the most secure and best environments I’ve seen.
“So if you really want to do things awesome, the combination of the two frameworks is a little bit unbeatable,” John quips. “You can start with ISO 27001 or start with SOC 2… But if you get to a point where you want to hold your own feet to a fire, the combination of the two…”
Dan interjects, “You’re going to pay a premium as opposed to just one, but it’s not double.”
John puts the costs in perspective: “Look at the cost of a breach or the cost of losing a key client. I’m sorry, but you’re talking about the difference between say $50,000 and $80,000 for your audit costs in a given year—and the cost of a breach is in the millions. It’s a pretty cheap form of insurance for the right firm.”
Dan then enumerates some of the top business benefits of holding both SOC 2 and ISO 27001 attestations:
- Having such a strong security posture could shorten your sales cycle
- The marketing value of dual attestations is “huge”
- Having all that documentation and detail minimizes the time and effort associated with onsite audits and simplifies the process of responding to questionnaires and other due diligence by stakeholders
- As noted above, by having such a robust security posture, you could well avoid the cost, legal and reputational impacts of a data breach
John then adds: “If you’re thinking about doing ISO 27001 and SOC 2, there’s more [project] risk and it extends the timeline to do them both concurrently. Yet all in all there’s a cost savings.
ISO 27001 and SOC 2 have more analogs than differences. Like, you need a scope statement in ISO—that’s a shorthand version of a SOC 2 system description. And in ISO there’s a “statement of applicability”—again, a shorthand version of a SOC 2 controls description. The same concepts are in both so doing them at the same time there’s not a lot of rework.
Dan sums this topic up: “More and more companies we’re speaking to, when we start talking about their needs and which framework to go with, it’s not uncommon for people to say, ‘Dan, when we get the first one done we want to talk to you about doing the other one.’”
Have questions about ISO 27001 and/or SOC 2 and which is ideal for your organization? Or maybe both? Contact Pivot Point Security to talk over your options with an expert.