Last Updated on July 28, 2020
In a recent episode of our show, The Virtual CISO Podcast, host John Verry (Pivot Point Security’s CISO and Managing Partner and an ISO 27001 Lead Auditor) has a frank, funny and in-depth conversation with guest Dan Schroeder (CPA, CISA, founder and partner-in-charge of the Information Assurance group at business advisory leader Aprio) on one of the biggest questions that businesses are asking these days about information security: SOC 2 or ISO 27001—which road do we go down?
Not to toot our own horn but this podcast is one of the absolute best sources of meaningful information on this topic that you will find anywhere. John (an “ISO guy”) and Dan (a “SOC 2 guy”) cover every angle of this issue and give you all the input you need to make the choice with confidence.
This post touches on the “philosophical” differences between SOC 2 and ISO 27001. This is the place to start because where these standards are coming from colors all the activity leading up to an attestation, including what is being attested and the overall cost. Speaking of which, we’ll cover cost/time comparison and other specifics in upcoming posts.
SOC 2 Explained
Dan articulates exactly what’s in a SOC 2 report. It leads off with a narrative (called a System Description) about the company and the service/scope being audited, followed by a description of how the service works and a summary of the controls. In the body of the report, a table outlines details about the Trust Services Criteria (TSC) and associated tests on these criteria.
A SOC 2 system description alone can run from 15 to over 100 pages depending on business complexity. The company also must document “control statements” that explain how they go about providing the relevant controls. “Lots of words involved in this and a lot of wordsmithing to get that right,” says Dan.
Each TSC basically says, “You should do X.” The company thus needs to craft one or more control statements that describe how their control(s) fulfill that criterion. The auditor then expresses an opinion on whether the control actually fulfills the criterion. Controls that are missing or ineffective are called out as exceptions.
Dan summarizes: “So in a SOC 2 review you are looking at the design of the controls to see if they align with what the TSC requires. Then you’re also looking at the operation during a period—design, deployment and (if it’s a SOC 2 Type 2 audit) operational effectiveness.”
ISO 27001 Explained
John points out that ISO 27001 “speaks in many respects to similar criteria that are represented by the SOC 2 TSC.” ISO 27001 is also “supported and embellished” by the ISO 27002 and ISO 27003 guidance, which contribute greatly to the standard’s usefulness.
Even Dan acknowledges that ISO 27001 is “the gold standard” globally in terms of guidance on implementing comprehensive information security controls.
John goes on to say that what fundamentally differentiates ISO 27001 from SOC 2 is the concept of an information security management system (ISMS) and associated governance processes that overarch the security controls described in ISO 27002 or Annex A of ISO 27001.
That view greatly impacts the audit process. The ISO 27001 certification process has two stages. The first stage is all about the ISMS. Only if that passes muster and all nonconformities are addressed is there any testing of operational controls.
According to John, ISO’s view is that “It doesn’t matter if a company is doing change and asset management and authorization or whatever effectively. If the people steering the ship aren’t doing the right sorts of things, all the operational stuff will be unsustainable and ultimately ineffective. ISO says let’s make sure the leadership is in place: a risk management strategy, an approach for monitoring… then let’s talk about operational specifics.”
Strengths and weaknesses
Dan then asserts: “Our interpretation regarding ISO 27001 is it’s not as much about operational effectiveness [as SOC 2]. We look at the ISO Stage 1 and Stage 2 audits as equivalent to a SOC 2 Type 1 audit [which is a point-in-time audit] that’s about design and deployment.”
John responds: “I don’t see ISO 27001 as a ‘point-in-time’ audit as most SOC 2 auditors do, because the evidence we look at extends over the course of a year, and we’ve done an internal audit ahead of time.”
Then John cuts to the chase: “SOC 2 is a much more robust audit [of controls] and that’s why they cost more—because it’s a much deeper dive; a test of many rather than a test of one. In ISO 27001 you audit the management system and then sample the controls because we trust in the management system. Because there’s less of an overarching management system baked into the SOC 2 standard, you do a much more significant sampling to get a better sense of whether the controls are operating effectively over an extended period of time.”
Then it’s “true confessions” time, as these two experienced auditors talk about where the two frameworks fall short.
Dan: “I agree that ISO historically places more emphasis on the ISMS… but SOC 2 auditors should be doing the same thing.”
John: “I don’t think the ISO audits are as robust as they should be. That’s where I love SOC 2—if you want to drill in… a SOC 2 attestation tells you more.”
Dan: “Paralleling SOC 2 to the ISMS, if you look at the words around leadership, organization, planning and deployment… there are parallels within SOC 2. But I don’t think they are nearly as clearly articulated, especially when you leverage ISO 27003.”
In short, while ISO 27001 and SOC 2 have different strengths and weaknesses, either one represents an unsurpassed attestation of information security effectiveness for organizations that can meet their stringent criteria.
Contact Pivot Point Security to get your questions answered about which attestation is the better choice for your specific business needs.