SaaS Security - SOC 2 vs. ISO 27001 (Or Both)
Why Even Go for “Provable Security”?
Before we can assess risk, we need to define what risk is.
A risk is what happens when a threat acts on a vulnerability to create an impact. For example, a hacker sends your CFO a phishing email and she clicks the malicious link, giving the hacker login credentials for your corporate bank account and bang, you’re out $720,000.
The probability that a risk will manifest has two components:
The inherent risk before any controls (e.g., spam filtering, security awareness education) are in place to reduce/treat the risk
The residual risk that remains after controls are in place
Which should you choose?
The two “Gold Standards” for independent verification of your information security program are SOC 2 and ISO 27001.