ASSURANCE SERVICES

SOC 2 or ISO 27001? Wrong question.

Harmonize the two for maximum security and market acceptance.


Dan Schroeder


CPA, CISA, CRISC, CIPP/IT, PCI-QSA

Information Assurance Services Leader, Assurance Partner

ISO 27001 and SOC 2 harmonization

Benefits at a glance

ISO 27001 and SOC 2 together guarantee total global security assurance acceptance.

65% efficiency realized by testing and deploying simultaneously.

SOC 2's testing and monitoring provides the output for ISO 27001's internal audit requirements.

There are four primary benefits to implementing ISO 27001 and SOC 2 together.

SOC 2 ONGOING TESTING SUPPORTS ISO 27001 INTERNAL AUDIT

The ongoing testing for operational effectiveness required by SOC 2 makes it easier to fulfill the internal audit requirements mandatory to maintain ISO 27001 certification.

MAXIMUM GLOBAL MARKET APPEAL

Having both ISO 27001 and SOC 2 ensures that your business meets the information security assurance needs of global customers and prospects around the world.

ISO 27001 WEAKNESS IS SOC 2 STRENGTH, AND VICE VERSA

ISO 27001 is a certificate. Easy to share. Universally understandable. No sensitive or proprietary information. In turn, SOC 2 reports provide a detailed definition of the system, its controls and how they were tested.

EFFICIENCIES

As much as 65% of potential redundancies can be eliminated by testing and deploying ISO 27001 and SOC 2 simultaneously.

SOC 2 and ISO 27001 harmonization is right for you, when…

Your lack of either SOC 2 or ISO 27001 limits your ability to compete for business.

You have – or are looking to have – international customers.

Your customers and prospects have expressed interest in both reports.

Why clients partner with Aprio for SOC 2 and ISO 27001 harmonization

A recognized information assurance leader, Aprio is the first privately held firm in the Southeastern U.S. to receive an accredited ISO 27001 Certifying Body designation. In addition, Aprio’s Partner-in-Charge of Information Assurance, Dan Schroeder, is the past chairperson of the AICPA Information Management Technology Assurance Committee and wrote and delivered the original SOC reporting training curriculum.

Leverage Aprio’s deep expertise in standards and information security, and proven framework for harmonizing audit and compliance protocols to unlock the full benefits of dual ISO 27001 certification and SOC 2 reporting.

Ready to start harmonizing?

To learn whether harmonizing SOC 2 and ISO 27001 is right for your business, contact Dan Schroeder, CPA, CISA, CRISC, CIPP/IT, PCI-QSA, Partner-in-Charge, Information Assurance Services, to schedule a consultation.

ISO 27001 and SOC 2 – A closer look


ISO 27001 and SOC 2 can be harmonized to form a comprehensive, well-rounded information assurance program that is worth more than the sum of its parts. To reap the full benefits of harmonization it is important to partner with a provider that has deep expertise in standards and information security, and has a proven framework for harmonizing audit and compliance protocols.

ISO 27001 and SOC 2 are complementary when implemented in a coordinated fashion, providing a comprehensive program for managing and validating information security over time.

ISO 27001 is the international standard for information security management systems (ISMS). It provides a strong foundational approach to the management of information security that allows companies to approach risk as an organization.

ISO 27001 certification includes:

  • An optional pre-assessment
  • A two-stage certification audit
  • Ongoing annual surveillance audits

An ISO 27001 Certificate tells the outside world that the standard has been implemented.

A SOC 2 report attests to a service organization’s controls as they relate to security, availability, processing integrity, confidentiality and privacy – the five categories that make up the AICPA’s Trust Services Criteria.

SOC 2 reports address:

  • Design of controls to fulfill SOC 2 requirements (relative to the relevant AICPA Trust Services categories)
  • Whether those controls are deployed
  • Whether those controls are operating effectively over a period of time (typically 6 or 12 months, but sometimes less)

Under SOC 2, service organizations and their auditors select the Trust Services categories and associated criteria that are appropriate to the services they perform. The SOC 2 framework can be expanded to include criteria from other compliance reporting standards, such as HIPAA, PCI DSS, ISO 27001, CSA, NIST, or the New York State Department of Financial Services Cybersecurity Requirements. As a result, a SOC 2 report is one of the most flexible risk management reporting protocols and can be tailored to address myriad specific non-financial reporting requirements in areas such as cloud services, healthcare, title agents and financial services.

For many vendors and business partners, ISO 27001 certification is enough to provide peace of mind regarding your information security management system. The certification can therefore be very useful for marketing.

SOC 2 reports, on the other hand, provide a detailed report on day-to-day operational design and effectiveness. They are so detailed that most organizations don’t share them until a contract or NDA is in hand. A SOC 2 report can therefore provide the specificity needed to satisfy due diligence requirements and close business.

Is ISO 27001 and SOC 2 harmonization right for you?

Information assurance (IA) is no longer the sole purview of IT professionals. IA is now a relevant topic of concern for anyone providing marketing, sales, compliance, and legal support for service organizations. One’s ability to prove security, confidentiality and privacy compliance is a key competitive differentiator, not simply a box to be checked under “risk management.”

Keep in mind that the organizations requesting a particular compliance standard may not even know why they’re asking for one framework over another. For example, SOC standards are naturally more relevant in North American markets since they are administered by the AICPA (American Institute of Certified Public Accountants). Likewise, ISO standards evolved in the 1980s out of the British Standards Institute and grew to become internationally recognized.

Thus, the geographic legacies of each set of standards often dictate an organization’s preference more than objective comparisons do. This makes a strong case for having both ISO 27001 and SOC 2. Service organizations that choose this path not only demonstrate their commitment to information security, they also eliminate geographic bias and achieve global market appeal.

Find out if harmonizing SOC 2 and ISO 27001 is right for your business
