Last Updated on August 28, 2019
Recently we have been seeing a lot of interest among clients and prospective clients in working towards SOC 2 attestation and ISO 27001 certification at the same time. This isn’t unexpected given how much the new SOC 2 framework parallels ISO 27001.
Is this a good idea for your business—or any business? How does the synergy between the two frameworks translate into financial and time savings? Why achieve both in the first place?
While there is more overlap than ever between them, ISO 27001 and SOC 2 still address different needs and markets:
- ISO 27001, being an international standard, is of interest to organizations with multinational footprints that must meet global client and/or regulatory demands. It has a wider scope than SOC 2 and encompasses more aspects of security.
- SOC 2 has a narrower focus but addresses the areas it covers in more depth. It is well known in the US, especially in the hi-tech industry, but less so elsewhere. A benefit of SOC 2 is that the attestation takes the form of a report that is updated annually. This gives someone who knows how to read it a detailed picture of the status of your controls.
Because some clients or prospects are asking for one and some for the other, some businesses need both. (Growing, US-based SaaS providers that are moving into the global market fall into this category, for example.)
What’s the synergy between the two frameworks in terms of cost, time and effort? If you put one framework on top of the other and look at what’s “the same,” it’s a lot. By the same token, doing both means going deeper in some areas to satisfy SOC 2 requirements than ISO 27001 would require. Likewise, you will be covering areas outside of SOC 2 to address ISO 27001 requirements.
It’s hard to quantify exactly, but our experience is the overlap between the two, in terms of time and effort, is about 25-50%. That is, doing them in parallel would take most organizations about 25-50% less time and effort than doing them in series. So, if each took 100 hours to do alone, doing both would take 150 to 175 hours instead of 200 hours altogether.
A dual implementation would save you comparatively more in terms of money than in terms of time. Take simple scenarios like flying your security partner onsite for an audit or gap assessment. The same plane ticket and hotel stay can cover both efforts for just a bit more cost (e.g., one more night in the hotel).
Similarly, if you did Phase 1 steps for both frameworks at the same time you could create basically one set of documents that would reflect your whole game plan for both certifications, and then down the road at audit time, your partner could look at both sets of controls all at once. Not only would you save money on services, but also it wouldn’t “feel” like as much work.
If your company is likely to need both attestations to address the demands of multiple interested parties, take a close look at a dual ISO 27001 and SOC 2 implementation/certification—it could well be a smart move.
Pivot Point Security has created a program that allows you to achieve dual implementation by fully embracing the economy of scale and enabling you to avoid performing any meeting, deliverable or task twice.
Contact us to start a conversation on what a dual implementation could look like for your company in terms of savings, synergies, benefits, scope of effort and recommended approach.