Compare Two of Today’s Most Common Security Frameworks
What’s the difference between SOC 2 and ISO 27001—and which one should you comply with?
Security frameworks like SOC 2 and certifications like ISO 27001 are becoming ever more important for any company that processes or stores customer data (which is pretty much all of us these days). In fact, the number of ISO 27001 certifications grew by over 450% in the past 10 years and is still on the upswing today.
SOC 2 is a set of criteria that your organization must satisfy in order to meet industry security standards. Businesses need to design and implement a set of controls in order to accomplish this. There are five categories, known as trust service criteria, that a SOC 2 audit and resulting attestation report can cover (security, privacy, availability, confidentiality, and processing integrity), but the most common—by far—is security (so common in fact that it’s usually referred to as the “common criteria” and labeled “CC”).
SOC 2 is primarily used in the US and it’s a framework, not a certification. This means your SOC 2 audit and the resulting SOC 2 attestation report are conducted and generated by a licensed CPA firm, not a certification board. The accrediting body behind the SOC 2 framework is the American Institute of Certified Public Accountants (AICPA), which means that if your clients or customers are all in the US, this is probably the compliance framework you’re more familiar with.
ISO 27001 is a formal security certification with 10 core requirements focused on confidentiality, integrity, and availability. It’s also one of the top international security standards, which means an ISO 27001 certification sets your business up for growth in markets like the EU and Japan. Like SOC 2, the goal of ISO 27001 is to give customers peace of mind that your security is up to industry standards.
ISO 27001 can be a company-wide certification, or you can get one (or several) products or services across the business certified separately. For example, if your customers are specifically asking about your SaaS offering, you can limit your certification to focus only on that product.
Like SOC 2, ISO 27001 isn’t mandatory—but market demand for certification has grown significantly and is projected to keep growing. And since experts say it can take up to 24 months to become compliant if you’re starting from scratch, we recommend starting earlier than you think you need to (and leveraging automation software like Drata to cut that time by an order of magnitude).
So, here’s the good news about SOC 2 and ISO 27001:
There’s a lot of overlap.
In fact, the AICPA’s mapping of SOC 2 and ISO 27001 tells us that the overlap ranges from 53% to as much as 90%, depending on the scope of the certification or audit you’re requesting and the type of business you run.
In other words, if you’re already working on SOC 2 compliance, you’re probably also already becoming more ISO 27001 compliant by the day.
Our recommendation is to get to know both SOC 2 and ISO 27001 and use a tool like Drata to help you become and stay compliant with both frameworks over time, especially if you plan to serve multiple geographic regions with your business.
SOC 2 and ISO 27001 have a lot of similarities, but here’s a breakdown of important differences:
| | SOC 2 | ISO 27001 |
|---|---|---|
| Avg Timeline | 6-12 Months | 6-24 Months |
| Avg Cost of Audit (for startups) | $15K+ | $20K+ |
| What is Audited? | The design of controls at a point in time (Type 1) or the design and operating effectiveness of controls over a period of time (Type 2) | The operational effectiveness of your Information Security Management System at a point in time |
| Requirements | 80-100 controls to satisfy 35 criteria (for Security only) | 10 requirements with 114 suggested controls |
| Accreditation Body | AICPA (American Institute of Certified Public Accountants) | ANAB (ANSI-ASQ National Accreditation Board) in the US |
| Result of Audit | SOC 2 Attestation Report (SOC 2 is not a certification) | ISO Report and/or ISO Certification to be made public |
| Expiration | You’ll want to receive a new SOC 2 report every year, which means you’ll need to be audited every year | Recertification happens every 3 years, with surveillance audits after year 1 and year 2 in between recertification audits |
| Frequency of Audit | Based on the review period (typically annual) | Recertification audit every 3 years and a surveillance audit (“lighter audit”) annually between recertification audits |
Perhaps the most significant difference between SOC 2 and ISO 27001 is that the latter requires an Information Security Management System (ISMS).
An ISMS is a management system focused on securing information. It reduces your risk of cyber attacks, helps you understand your threat landscape, and protects your confidentiality with policies, procedures, and technical controls defined and enforced within the system.
If you’re getting requests for a SOC 2 report, chances are you’re working with US companies. If you’re asked for ISO 27001, you’ve probably gone international. If you are planning to expand in one of these markets, you may also need to expand your security program to comply with both.
ISO 27001 has 10 requirements with 114 suggested controls, spanning encryption, firewalls, infosec policies, physical access controls, and much more. ISO 27001 Annex A is where you’ll find the prescriptive list of controls you can put in place to satisfy the requirements.
For example, “10.2 – Demonstrate how the organization shall continually improve the suitability, adequacy and effectiveness of the information security management system” is a high-level requirement. It doesn’t specify how you demonstrate ongoing improvement, but it requires that you do demonstrate it.
SOC 2, on the other hand, is a set of 64 criteria split across five trust services criteria (TSC) or categories. Your organization selects which TSC to include in your audit/report (with security being the foundational one, as it’s the largest in terms of the amount of individual criteria and the only required TSC to include in a SOC 2 audit/report). It’s important to note that these criteria are not controls, and so it is up to the organization to design and implement their own controls to satisfy these criteria. This means SOC 2 is much less prescriptive than ISO 27001 and more open for interpretation.
Once you’ve designed and implemented your controls to satisfy the SOC 2 criteria, you prove it by completing an audit with a licensed CPA firm, resulting in the official SOC 2 attestation report. There are two types of audits and reports: a SOC 2 Type I audit that covers the design of your controls at a single point in time, and a SOC 2 Type II audit that attests to the design and operating effectiveness of your controls over a period of time (usually 6-12 months). Type II is more commonly requested by clients and (obviously) more extensive. Either type of SOC 2 audit results in an attestation report in which the auditor gives an opinion on your compliance. The audit is conducted and the resulting report is generated annually, consistent with the period of time the report covers.
With ISO 27001, you’ll need a certification instead, which you receive after a point-in-time audit. The end result is a certificate that outlines the specific requirements met. Recertification happens every 3 years, with annual surveillance audits during the years in between.
It’s worth highlighting that with ISO 27001, you may only get a certificate, which your customers may like, but this doesn’t really describe what’s happening with specific controls at your organization. Therefore, companies often supplement their ISO 27001 certificate with a SOC 2 report, so their customers can also have the benefit of seeing the detailed system description and controls.
Getting compliant can get pricey and be time-consuming, but SOC 2 typically costs less because it doesn’t include an ISMS. Experts say the cost to become ISO 27001 compliant can be up to about 50% more than SOC 2.
Because of the setup and build time on your ISMS and the requirement to publish a statement of applicability defining the scope of your certification before you start the certification process, ISO 27001 compliance typically takes longer than SOC 2.
Your specific timeline with either framework will depend on the scope of your report/certification (are you focused on one piece or the whole business?) and the measures you already do—or don’t—have in place (are you starting from scratch, or do you already have a robust security program?).
Estimates typically range from 6 – 24 months to become fully ISO 27001 compliant and 6 – 12 months to become SOC 2 compliant. Automation software like Drata drastically reduces the time to getting audit ready and provides the ongoing benefit of ensuring continuous compliance thereafter.
The importance of security certainly continues to trend upward. Year after year, customers rank security as a top factor in their decision-making. Individuals campaign for better personal data privacy and protection laws, and new regulations are continuously being developed.
So, whether you’re working toward SOC 2, ISO 27001, or both, making moves toward better security is always a smart choice.
And if you’re using Drata to become and stay compliant, you’re building a foundation that you can use to meet standards across a variety of frameworks. Drata was designed to not only help you get compliant, but also to monitor that security and compliance posture continuously, identifying risks before they become incidents, and staying compliant over time as your organization grows.
Now that we have those foundations in place, we’ll be rolling out many more compliance frameworks. We started with SOC 2, and now ISO 27001, and other important requirements, certifications, and frameworks are coming soon (and, indeed, the foundation for them is already built in).
Want to explore Drata for yourself? Schedule a demo today. We’d love to show you what Drata can do to help you get your security and compliance program off the ground and on autopilot.
Close more sales and build trust faster while eliminating the hundreds of hours of manual work that used to go into maintaining your SOC 2 report and ISO 27001 certification.