AICPA SOC2 versus ISO 27001

Blog, 30 May 2018

Introduction

Nowadays there is a growing inclination to increase security efforts in order to meet current regulatory requirements. As a result, demand is rising both from clients and from companies that want to demonstrate the security of their internal control environment. This has led to a parallel rise in the popularity of schemes such as SOC2 and ISO 27001, but which one is better for your company? To address this question, it is important first to understand what SOC2 and ISO 27001 are, so that their differences, their similarities and the ways in which they can complement each other become clear.

Definition of each one

ISO/IEC 27001 is an internationally recognised standard for security management within an Information Security Management System (ISMS). An ISMS is a system which ensures that information security is managed correctly. Furthermore, information security must be managed through a systematic and documented process, known to the entire organisation and approached from the point of view of business risk. This involves a great effort on the part of the organisation, but once deployed it provides extensive control over security, along with variables and metrics that allow its long-term effectiveness to be measured and therefore continuously improved.

On the other hand, the AICPA (American Institute of Certified Public Accountants) has created a framework named Service Organization Control, with the purpose of producing reports that organisations can use to provide their clients with information about the state of their services in relation to security. A SOC2 report is designed to satisfy a wide range of information needs regarding the controls of a service company, in such a way that the resulting report is completely independent and external to the organisation. SOC2 provides the criteria for evaluating controls related to security, availability, processing integrity, confidentiality and privacy, known as the Trust Services Criteria.

Similarities

There are several similarities between a SOC2 report and an ISO 27001 certification. First, both of them must provide independent assurance about the controls that were designed and implemented to achieve a set of requirements or criteria. Moreover, both SOC2 and ISO 27001 give an organisation a competitive advantage, since both are widely recognised internationally.

Additionally, it is worth mentioning that the SOC2 methodology is reminiscent of other methodologies such as Common Criteria, in the sense that it offers a series of instructions to bear in mind from a general point of view. Consequently, the task of the SOC2 auditor is to "adapt" this set of indications to the service organisation, generating a report of a prescriptive character.

Differences

Turning to the differences between SOC2 and ISO 27001, there are several aspects to bear in mind in order to distinguish between them. A clear example is the final result of each procedure. The ISO 27001 certification produces a certificate which attests to the organisation's compliance with the standard's requirements. SOC2, on the other hand, produces a detailed report in which the controls that meet the Trust Services Criteria are described.

Regarding the criteria just mentioned, it should be pointed out that they are a set of standard criteria which can be applied to very different services in different companies. This is the main reason why SOC2 cannot be considered a certification.

The ISO 27001 certification considers the activities of a control mechanism to be relevant to supporting the ISMS, and focuses on the security risks that may apply to areas such as documentation management, human resources, asset management, relationships with suppliers, etc. SOC2, on the other hand, inspects the internal controls of a system, which may include one or more services offered by an organisation, and focuses more on policies, procedures, system security and change management in information systems. Nevertheless, the controls defined within a SOC2 report provide details about the controls and their environment which can be highly useful for the clients of a given organisation.

In addition, it is worth mentioning that the controls in a SOC2 report are a subset of the ISO 27001 standard. This shows the flexibility offered by SOC2 in contrast to ISO 27001, which is very useful for adapting it to any kind of system of a service organisation.

Finally, from a temporal point of view, ISO certification follows a three-year cycle after which re-certification becomes necessary, while the SOC2 examination covers a single point in time (for the type 1 report) or a period of time (for the type 2 report).

Which one is better?

In conclusion, it is worth noting that, from our point of view, neither of them is better than the other, given that both are excellent compliance efforts for organisations and can provide a competitive advantage to whoever obtains them. It is the interested company itself that must decide which of the two schemes is more interesting for its commercial and technological goals.

For this purpose, each client must make the decision based on the regulatory requirements specific to their country, the requirements demanded by their own clients, the scope of their markets and the services offered by their competitors.

Nonetheless, at jtsec we recommend, whenever possible, implementing both schemes concurrently in order to firmly demonstrate an organisation's commitment to information security. Fortunately, implementing both sets of controls in parallel brings a substantial reduction in the resources required in terms of time, effort and cost, while providing a greater increase in the organisation's security.

Juan Vázquez / Junior consultant

Telecommunications Engineer and Master in Cybersecurity from the University of Granada. Junior consultant for the Common Criteria, ISO 27001, SOC2 and ENS standards. Technology consultant since 2015, and systems administrator and cybersecurity consultant since 2017. He also works as a consultant for the LINCE standard, a new standard in the Spanish context.

He has participated in security assessment projects for technological products, and also as a consultant on information security systems for enterprises. He has spoken on security awareness to enterprises and has also taken part in cybersecurity conferences at the University of Granada.

Currently, he is part of jtsec's team of cybersecurity experts, focusing his work on the field of cybersecurity consulting. His main motivation is to keep learning and to keep helping customers improve their products, making them more secure.
