Last Updated on July 28, 2020
In the a recent episode of our show, The Virtual CISO Podcast, host John Verry (our CISO and Managing Partner and an ISO 27001 Lead Auditor) talked in-depth with guest Dan Schroeder (CPA, CISA, founder and partner-in-charge of the Information Assurance group at business advisory leader Aprio) on one of the biggest InfoSec questions out there right now: ISO 27001 or SOC 2—which should you pick?
One thing Dan and John completely agree on is that that’s not the right question to ask. Start by thinking about your business needs and let that analysis guide your decision.
Dan says it beautifully: “It all comes back to, what are you looking to achieve? Who are your customers? What do they need from you? What are you being asked for?”
Many companies seek information security attestations for their clients’ peace of mind, or because proof of a robust security posture is contractually required. But many also want to leverage the process for their own operational risk management.
John elaborates: “What do you need to convey externally for assurance purposes? Is it a logo or two on your website and marketing materials? Is it a logo that links to a certification or a report? Are all your clients asking you for an ISO 27001 certification and they don’t mention SOC 2—or vice versa?”
Dan interjects: “Do you have clients in financial services and they want to do on-site audits and look at lots of details, and they’re already giving you very detailed surveys and questionnaires? If you present those details in a SOC 2 report, that [could] reduce if not eliminate the burden associated with these onsite audits and surveys.”
Another thing both these experts agree on: If a stakeholder asks for a SOC 2 report and you hand them an ISO 27001 certificate, or vice versa, that will be acceptable more than 90% of the time.
And as John points out, “People find ways to make the two frameworks more like each other. For example, the SOC 2 level of detail can be a ‘pro’ if your clients are asking for details. Or it can be a ‘con’ if things went wrong in your audit.
“Or with ISO 27001, one of the pros is, ‘It’s just a certificate.’ And one of the cons is, “It’s just a certificate.’ Some of our clients that have ISO 27001 certifications create more robust reports by doing something like a Shared Assessments’ Standardized Control Assessment (SCA) as part of their ISMS internal audit, and just handing [stakeholders] the SCA,” John adds.
Either of the two frameworks offers flexibility and extensibility to help meet current or future needs. For example, the ISO 27000 family of standards includes multiple “add-ons” that help address cloud security risk (ISO 27017/27018). Likewise, the new ISO 27701 “certifiable extension” to ISO 27001 helps convert your ISMS into a privacy management system.
SOC 2 is designed around categories of Trust Services Criteria (TSC). The Security category is the minimum requirement for any SOC 2 report and includes security and governance controls. Beyond that, the scope of a SOC 2 audit can encompass Confidentiality, Processing Integrity, Processing and/or Availability.
For example, many SaaS providers doing SOC 2 combine Security and Availability because, as Dan quips, “If it isn’t available, it’s not much good—so Availability is a fundamental requirement for SaaS.”
“If it’s a black box and there’s some complicated calculations that go on in there, there needs to be some understanding of what’s coming out the other end. Then Processing Integrity makes sense,” Dan elaborates.
In summary, either SOC 2 or ISO 27001 offers a wealth of attestation options that businesses can leverage downstream of their initial audit process if need be. So, as Dan puts it, “Don’t let the tail wag the dog.” Focus on what you need for risk management and for conveying assurance, and choose a framework based on pros and cons for your business specifically.
Have questions about ISO 27001 and/or SOC 2 and which is ideal for your organization? Contact Pivot Point Security to connect with an expert.