A practical comparison between ISO27001 and SOC2


November 1, 2024


Jeremy Chan (Co-Founder)


As part of our work, we often get asked by our clients and customers whether they should pursue compliance with ISO27001, SOC2, both or neither.

I first encountered this question while I was Trust Lead at Eucalyptus. There, we sought ways to showcase our commitment to security, data protection and privacy to our patients across Australia, the EU and the UK.

However, as implementing either ISO27001 or SOC2 can take months, thousands of dollars, and can slow down the operational speed that most start-ups love and enjoy, the decision to commit to implementing one or both of the frameworks can be a difficult one to make.

In this post, I provide some background on these two compliance frameworks (ISO27001, SOC2), outline a framework for assessing whether you should pursue compliance to these frameworks, and highlight key pitfalls to avoid.

What are the ISO27001 and SOC2 frameworks

ISO27001 and SOC2 are audited compliance standards for information security management. This means that they generally establish a system for managing, monitoring and improving information security within an organisation, usually through policies that are read and accepted by employees.

Importantly, as Ross Haleliuk highlights in his posts, ISO27001 and SOC2 compliance is not the same as cybersecurity. While some cybersecurity measures can be a byproduct of obtaining ISO27001 and SOC2 compliance, cybersecurity controls are usually more technical and are focussed on reducing the likelihood and impact of an attack (rather than passing a third-party audit).

Generally, ISO27001 and SOC2 certifications are set as requirements by potential buyers of B2B SaaS products. This is because the buyers can get comfort that there is some information security management system within the supplier that has been reviewed and audited by an independent assessor. Some buyers accept ISO27001 and SOC2. Others may require their own security review in addition to (or instead of) ISO27001 and SOC2 certifications.

There are 3 main differences between ISO27001 and SOC2:

  1. Geography: The ISO27001 standard was established and is managed by the International Organization for Standardization (ISO), headquartered in Switzerland. SOC2, on the other hand, was established and is managed by the American Institute of Certified Public Accountants (AICPA) in the USA. In those circumstances, ISO27001 is generally more widely accepted in non-USA countries while SOC2 is widely accepted in the USA.

  2. Process: ISO27001 has 3 types of audits (internal audit, Stage 1 audit, Stage 2 audit) while SOC2 has 2 types of audits (Type I, Type II). ISO27001 requires 3 stages of point-in-time audits to achieve certification and then has monitoring audits conducted on an annual basis. SOC2 Type I is a point-in-time audit, while SOC2 Type II requires continuous monitoring over a period of time (usually 6 to 12 months).

  3. Cost: Given SOC2 Type I is a fairly narrow point-in-time audit, it is usually cheaper, faster and easier to achieve than ISO27001 or SOC2 Type II.

When should I get SOC2 or ISO27001?

In general, SOC2 and ISO27001 should be obtained when your organisation needs it to win trust from other entities. For example:

  • You need to win trust to supply your product to potential buyers who require SOC2 and/or ISO27001 as part of their vendor due diligence.

  • You need to win trust from potential partners who require SOC2 and/or ISO27001 as part of their partner due diligence.

  • You need to win trust from investors who require some assurance that you have some way to manage and monitor information security within your organisation.

However, as SOC2 and ISO27001 certifications can be expensive, arduous and lengthy processes, we would not generally recommend certification for smaller organisations that are simply trying to improve their cybersecurity posture.

Indeed, other cybersecurity frameworks (eg, Cyber Essentials, Essential Eight, CIS18) are probably more suited for reducing the likelihood and impact of cyber attacks in a more cost-effective manner. In those circumstances, we would only recommend SOC2 or ISO27001 certification if it was absolutely required by other parties.

If I need SOC2 or ISO27001, which one should I get?

If, however, you are required to obtain SOC2 or ISO27001, then you should pursue the certification that is being requested by your third parties.

If you are given a choice, then we would recommend starting with geography:

• SOC2: If you are largely based in the USA and do not have a customer base outside the USA.

• ISO27001: If you are largely based outside the USA and do not have a customer base in the USA.

Most importantly, you can then assess whether the cost to acquire ISO27001 and/or SOC2 certification is outweighed by the potential benefits from certification. It may turn out not to be worth it (you'd be surprised how often that's the case!)

About Veraty

👋 Hey! Jeremy, Ryan and Viv here. We're a small software start-up looking to transform the cyber and legal services industries with a new AI-powered platform for cyber and legal advice. Follow us to learn more or try the platform while it's still in Beta!
