What is the most efficient way to get ISO 27001 certified if you already have your SOC 2 attestation?
It’s not uncommon for an organization that had previously used (somewhat incorrectly) SAS 70 as its primary means of demonstrating its security posture to have (correctly) migrated to a SOC 2 attestation when the American Institute of CPAs (AICPA) cleared up that issue by offering both SSAE 16 SOC 1 and SOC 2 auditing standards.
While SOC 2 is a useful form of attestation, there are certain verticals (e.g., financial services, healthcare, technology, legal) and geographies (non-US) where ISO 27001 certification is the security certification of choice. Thus, we are seeing many SOC 2 audited firms seeking ISO 27001 certification to meet client demand and/or augment their current security attestation.
So how does a company use their existing SOC 2 attestation to make ISO 27001 certification easier?
Let’s begin to answer that question by making the following assumptions:
- The SOC 2 implementation is satisfactory—no gaps, nonconformities, etc.
- The SOC 2 scope/program is identical to the planned ISO 27001 scope/information security management system (ISMS).
- There are no (significant) changes planned or required in the organization, management system, or controls during the audit period for either standard that would change the risks evaluated in the existing SOC 2 Risk Assessment.
That puts a firm in great shape to jump start the ISO 27001 process as it can leverage the System Description to develop the ISMS Scope. If you’re lucky, your SOC 2 Risk Assessment Methodology is solid and you will be able to leverage the Risk Assessment with minimal changes for ISO 27001.
Because SOC 2 is a subset of ISO 27001, you will not get full Statement of Applicability coverage from the SOC 2 report controls documentation—but it will be a pretty solid start. You can then “gap assess” the controls that are missing plus note any deficiencies cited in the System Description and Risk Assessment to develop a Roadmap to ISO 27001 certification. This approach can trim a month or more off the typical time frame it takes to get ISO 27001 certified.
At Pivot Point Security, we are finding that a solid SOC 2 report is a great starting point for ISO 27001 certification. Further, should you decide that you would prefer to keep your SOC 2 post ISO 27001 certification, it’s relatively easy to harmonize the two. If you do so, another great approach is to select an ISO registrar that is also a CPA firm so that you can “align” the SOC 2 and ISO audits to save money and reduce the burden on your organization. Start a Conversation …