SOC 2 vs. ISO 27001: Compare Two of Today’s Most Common Security Frameworks


by Adam Markowitz

June 23, 2021
Security frameworks like SOC 2 and certifications like ISO 27001 are becoming more important than ever, but what is the difference?

Security frameworks like SOC 2 and certifications like ISO 27001 are becoming ever more important for any company that processes or stores customer data (which is pretty much all of us these days). In fact, ISO 27001 certifications grew by over 450% in the past 10 years, and they are still on the upswing today.

So, what exactly is ISO 27001? How does it compare to SOC 2? And what can you expect if you want to become compliant with one or both? Read on to find out.

What is SOC 2?

SOC 2 is a set of criteria that your organization must satisfy in order to meet industry security standards. Businesses need to design and implement a set of controls in order to accomplish this.

There are five categories, known as trust services criteria, that a SOC 2 audit and resulting attestation report can cover (security, privacy, availability, confidentiality, and processing integrity), but the most common—by far—is security (so common in fact that it’s usually referred to as the “common criteria” and labeled “CC”).

SOC 2 is primarily used in the US and it’s a framework, not a certification. This means your SOC 2 audit and the resulting SOC 2 attestation report are conducted and generated by a licensed CPA firm, not a certification board.

The accrediting body behind the SOC 2 framework is the American Institute of Certified Public Accountants (AICPA), which means that if your clients or customers are all in the US, this is probably the compliance framework you’re more familiar with.

What is ISO 27001?

ISO 27001 is a formal security certification with 7 core requirements (i.e., clauses 4 through 10 in the ISO 27001 standard) focused on confidentiality, integrity, and availability.

It’s also one of the top international security standards, which means an ISO 27001 certification sets your business up for growth in markets like the EU and Japan. Like SOC 2, the goal of ISO 27001 is to give customers peace of mind that your security is up to industry standards.

ISO 27001 certification can cover the Information Security Management System (ISMS) supporting the operations of the entire company, or you can narrow the scope to only cover the ISMS supporting the operations underlying specific product service offerings.

For example, if your customers are specifically asking about your SaaS offering, you can limit your certification to focus only on the ISMS supporting the operations underlying that product.

Like SOC 2, ISO 27001 isn’t mandatory—but market demand for certification has grown significantly and is projected to keep growing. And since experts say it can take up to 24 months to become compliant if you’re starting from scratch, we recommend starting earlier than you think you need to (and leveraging automation software like Drata to cut that time by an order of magnitude).

Which Standard Should I Work Toward?

So, here’s the good news about SOC 2 and ISO 27001:

There’s a lot of overlap. In fact, the AICPA’s mapping of SOC 2 and ISO 27001 tells us that the overlap ranges from 53% to as much as 90%, depending on the scope of the certification or audit you’re requesting and the type of business you run.

In other words, if you’re already working on SOC 2 compliance, you’re probably also already becoming more ISO 27001 compliant by the day.

Our recommendation is to get to know both SOC 2 and ISO 27001 and use a tool like Drata to help you become and stay in conformance with both frameworks over time, especially if you plan to serve multiple geographic regions with your business.

Key Differences Between SOC 2 and ISO 27001

SOC 2 and ISO 27001 have a lot of similarities, but here’s a breakdown of important differences:

| | SOC 2 | ISO 27001 |
|---|---|---|
| Structure | Attestation Standard | International Standard |
| Geography | US-Based | Global |
| Avg Timeline | 6-12 Months | 6-24 Months |
| Avg Cost of Audit (for startups) | $15K+ | $20K+ |
| What is Audited? | The design of controls at a point in time (Type 1) or the design and operating effectiveness of controls over a period of time (Type 2) | The design (Stage 1) and operating effectiveness (Stage 2) of your Information Security Management System at a point in time |
| Requirements | 80-100 controls to satisfy 35 criteria (for Security only) | 7 requirements (clauses 4 through 10 in the ISO 27001 standard) with 114 suggested controls |
| Accreditation Body | U.S. CPA firms must be registered with the AICPA’s Peer Review National Program in order to perform SOC 2 attestations | ANAB (ANSI National Accreditation Board) and the International Accreditation Service (IAS) are the two accreditation bodies in the US |
| Result of Audit | SOC 2 Attestation Report (SOC 2 is not a certification) | Audit report provided to the organization and an ISO certificate (if certification is granted) |
| Expiration | You’ll want to receive a new SOC 2 report every year, which means you’ll need to be audited every year | Recertification happens every 3 years, but there are surveillance audits after year 1 and year 2 in between recertification audits |
| Frequency of Audit | Based on the review period (typically annual) | Recertification audit every 3 years and surveillance audit (“monitoring audit”) annually between recertification audits |

Information Security Management Systems (ISMS)

Perhaps the most significant difference between SOC 2 and ISO 27001 is that the latter requires an Information Security Management System (ISMS). An ISMS is a management system focused on securing information. It reduces your risk of cyber attacks, helps you understand your threat landscape, and protects your confidentiality with policies, procedures, and technical controls defined and enforced within the system.

Your Chosen Markets

If you’re getting requests for a SOC 2 report, chances are you’re working with US companies. If you’re asked for ISO 27001, you’ve probably gone international. If you are planning to expand in one of these markets, you may also need to expand your security program to comply with both.

Requirements, Criteria, and Controls

ISO 27001 has 7 requirements with 114 suggested controls, spanning encryption, firewalls, infosec policies, physical access controls, and much more. ISO 27001 Annex A is where you’ll find the prescriptive list of controls you can put in place to satisfy the requirements.

For example, “10.2 – Demonstrate how the organization shall continually improve the suitability, adequacy and effectiveness of the information security management system” is a high-level requirement. It doesn’t specify how you demonstrate ongoing improvement, but it requires that you do demonstrate it.

SOC 2, on the other hand, is a set of 64 criteria split across five trust services criteria (TSC) or categories. Your organization selects which TSC to include in your audit/report (with security being the foundational one, as it’s the largest in terms of the number of individual criteria and the only TSC that must be included in a SOC 2 audit/report).

It’s important to note that these criteria are not controls, and so it is up to the organization to design and implement their own controls to satisfy these criteria. This means SOC 2 is much less prescriptive than ISO 27001 and more open for interpretation.

Audit Result: Attestation Report vs. Certification

Once you’ve designed and implemented your controls to satisfy the SOC 2 criteria, you prove it by completing an audit with a licensed CPA firm, resulting in the official SOC 2 attestation report.

There are two types of audits and reports: a SOC 2 Type I audit that covers the design of your controls at a single point-in-time and a SOC 2 Type II audit that attests to the design and operating effectiveness of your controls over a period of time (usually 6-12 months).

Type II is more commonly requested by clients and (obviously) more extensive. Either type of SOC 2 audit results in an attestation report where the auditor gives an opinion on your compliance. The audit is conducted and the resulting report is generated annually – consistent with the period of time the report covers.

With ISO 27001, you’ll need a certification instead, which you receive after a point-in-time audit. The end result is a certificate that outlines the specific requirements met. Recertification happens every 3 years, with annual surveillance audits during the years in between.

It’s worth highlighting that with ISO 27001, you may only get a certificate, which your customers may like, but this doesn’t really describe what’s happening with specific controls at your organization. Therefore, companies often supplement their ISO 27001 certificate with a SOC 2 report, so their customers can also have the benefit of seeing the detailed system description and controls.

Timing

Because of the setup and build time on your ISMS and the requirement to publish a statement of applicability defining the scope of your certification before you start the certification process, ISO 27001 compliance typically takes longer than SOC 2.

Your specific timeline with either framework will depend on the scope of your report/certification (are you focused on one piece or the whole business?) and the measures you already do—or don’t—have in place (are you starting from scratch, or do you already have a robust security program?).

Estimates typically range from 6 – 24 months to become fully ISO 27001 compliant and 6 – 12 months to become SOC 2 compliant. Automation software like Drata drastically reduces the time to getting audit ready and provides the ongoing benefit of ensuring continuous compliance thereafter.

Taking Steps Toward Compliance

The importance of security certainly continues to trend upward. Year after year, customers rank security as a top factor in their decision-making. Individuals campaign for better personal data privacy and protection laws, and new regulations are continuously being developed.

So, whether you’re working toward SOC 2, ISO 27001, or both, making moves toward better security is always a smart choice.

And if you’re using Drata to become and stay compliant, you’re building a foundation that you can use to meet standards across a variety of frameworks. Drata was designed to not only help you get compliant, but also to monitor that security and compliance posture continuously, identifying risks before they become incidents, and staying compliant over time as your organization grows.

Want to explore Drata? Schedule a demo today. We’d love to show you what Drata can do to help you get your security and compliance program off the ground and on autopilot.

Adam Markowitz
CEO and Co-founder