Last Updated on April 15, 2020
In a recent episode of Pivot Point Security’s “The Virtual CISO Podcast”, host John Verry, our CISO and Managing Partner and an ISO 27001 Lead Auditor, and special guest Dan Schroeder, CPA, CISA, founder and partner-in-charge of Information Assurance at business advisory leader Aprio, did a deep-dive comparison of ISO 27001 and SOC 2.
Of course, one of the top issues these two experts discussed was cost. Which costs more, why, and when? You’ll still want to watch/listen to the podcast, but this post hits the high points and shares the numbers.
John starts off pretty broad-brush:
“From a consulting perspective, the cost to get you prepped for ISO 27001 or SOC 2 is pretty similar. A broad range you’ll see with “good” consultants is $40,000 on the low end to $100,000 on the high end, depending on the complexity of your environment. That’s to stand up a full information security program that’s going to align with one framework or the other and position you for successful certification.”
In terms of the audit and certification costs, “ISO 27001 is different [from SOC 2] in that it’s a 3-year certification,” John continues. “You do a Stage 1 audit, then a Stage 2 audit, then you issue a 3-year certification that needs to be maintained and proven it’s maintained by way of 2 surveillance audits. So within a year of the issuance of the certification the organization needs to be subjected to a surveillance audit.”
“The initial certification [audit] is not unlike the cost associated with a SOC 2 Type 1 base audit: on the low end mid-$20,000s [for a smaller company with just one location being audited] to mid-$30,000s or more, depending on the scope of the organization, the scope of the business system, the number of locations.”
Then, according to John, the cost of the Year 2 and Year 3 surveillance audits would be “50% to 70% [of the initial audit cost] depending on how you structure things.”
Dan weighs in with a breakdown of SOC 2 costs:
“Most companies that do SOC 2 end up doing a SOC 2 Type 2 report. So it’s not just ‘design and deploy,’ which is essentially the ISO 27001 certification, but also then ongoing operational effectiveness.”
Dan continues: “Because of the system description that’s involved, because of the inspection of all the design of controls and the writing—as well as all the other stuff—it’s a lift. There’s more that is done. You’re looking from the low $40,000s to $75,000; or $90,000 if you’re doing all the Trust Services Criteria. If you were just doing Security or Security and Availability, from a quality firm that’s usually $40,000 to $45,000 to $55,000.
“It’s not that you’re charging more. It’s the nature of SOC 2 and the fact that it’s a test of many. You’re doing a lot more auditing in a SOC 2 [versus ISO 27001]. And there’s a lot more fine-tuning of getting the words right because there’s a lot more words in the report: The system description, the actual documentation of design of the controls—all that wording gets inspected,” summarizes Dan.
John then adds: “In a way, you pay more [for SOC 2] but you are getting more assurance. You know the auditor spent a lot more time verifying you’re secure in a SOC 2 versus an ISO audit.
“The nature of the internal audit requirements for ISO 27001, in fairness to the cost structure of SOC 2, you don’t have the requirement for an ISMS internal audit in SOC 2. So if you’re going to do an ISO 27001 audit for $28,000, you already did your own internal audit, and usually you’re paying an external consultant, and say that external consultant is charging you $12,000 to $15,000 for the audit… So they’re fairly similar,” John observes.
While the deliverables are different (a certification versus a report) and the level of detail is greater with SOC 2, the total, end-to-end cost of achieving and maintaining an ISO 27001 certification versus obtaining a SOC 2 report is fairly comparable, with SOC 2 costing somewhat (generally 15% to 20%) more. Likewise, the cost to build out an information security program to prepare an organization for a SOC 2 or ISO 27001 audit is about the same.
Have questions about ISO 27001 and/or SOC 2 and which is ideal for your organization? Contact Pivot Point Security to connect with an expert.