Are you deciding between a SOC 2 audit or an ISO 27001 certification?
The easy answer: go with the one your customer is asking for! But what if there is no tie-breaker? Which one makes sense? Does one have more cachet than the other? Is one easier to get?
The good news is that both the SOC 2 and ISO 27001 security frameworks are well respected. Both have a similar audience - an end user who wants assurance that your organization has controls or programs in place to protect the security, confidentiality, and availability of data. So how do you decide?
SOC 2 (Type 1 OR Type 2)
SOC 2 is an attestation report on how a set of principles has been met: an independent auditor's opinion of how well your organization is meeting the security, confidentiality, availability, processing integrity, and/or privacy principles that protect all aspects of your system.
- Well respected in the USA and becoming increasingly respected in Europe.
- You pick the controls you want to test - this makes the audit more amenable to an organization that is still maturing its security function. For this reason, it is a bit easier to achieve, especially for younger companies.
- It also includes non-security controls, which serve as a good tool to build trust with your customers.
- You can achieve a Type 1 report in as little as 45 days.
- This audit covers more than just security: it also provides an auditor's opinion on key areas of the organization such as corporate governance and vendor management. You can also add in Confidentiality, Availability, Processing Integrity, and Privacy.
- Your auditor will test the design of your controls and, for a Type 2, how effectively those controls are operating.
- For a smaller organization with revenue on the line, this route is much faster and just as respected.
- The outcome will be a detailed SOC 2 Report.
ISO 27001
ISO 27001 is a certification against a framework. The auditor (or certifier) will be looking at a more binary state: is the requirement included within your Information Security Management System ('ISMS') or not?
- This certification is better known and more widely respected internationally.
- It contains a rigid controls framework that is intended to apply to an organization of any size. In reality, it can be very difficult (in terms of time and money) for a young, less mature organization to fit within this one-size-fits-all mold.
- It can take anywhere from 9 months to 3 years to successfully implement.
- It is possible to 'self-audit' rather than certify, which some customers may accept.
- Your organization will be required to establish an Information Security Management System (ISMS), which is a program for establishing, implementing, maintaining, and continually improving its information protection practices.
- The design of the ISMS program will be tested.
- You will receive a one-page certification letter.
Achieving either framework will earn your customer's trust and lead to a solid return on investment. At Strike Graph, we advocate a risk-based approach to establishing a security program regardless of framework. Our approach supports both SOC 2 and ISO 27001 because the risks, controls, and guidance we provide are all built with an ISO 27001 bent to them. No need to re-map or guess where gaps may be. We have you covered!