As those of you in highly regulated industries already know, maintaining compliance is extremely important, but it can also seem complex to navigate. If you are relying on external partners to manage your data and critical systems, what certifications should they have? What assurances do you have that security best practices are being followed? In this article, we will break down the relationship between SOC 2, Type 2 audits and ISO 27001 certification. How do these relate to your business, and which is the right standard for your provider?
Awecomm has gone through SOC audits. In fact, we are currently completing our 2017 audit, which will thoroughly examine our security framework and verify our adherence to that framework for the audit period of November 2016 until the end of January 2017.
For those relying on the public cloud, consider exploring ISO 27018, as this is a certificate specific to public cloud providers. Technically, it is not a stand-alone certificate because it is not a Management Standard; however, when completed in conjunction with ISO 27001, it can further solidify the practices of a public cloud provider. Because it is focused on public cloud certification, it has specific requirements unique to providing services in the public cloud (what country the data is stored in, how user IDs are managed, how data is returned to the customer, agreement that data is not used for marketing, specific legal protections for cloud provider and customer, etc.).
As for SOC 2, Type 2 and ISO 27001, there is a lot of similarity and overlap between the standards, and certainly some differences as well. Here is an outline that will hopefully help to better explain SOC 2, Type 2 and ISO 27001. Both provide:
- Independent assurance on the service organizations’ controls designed to meet a specific set of requirements
- Internationally recognized and accepted (SOC 2 has greater focus and preference in North America, and ISO 27001 has greater international focus)
| SOC 2, Type 2 | ISO 27001 |
|---|---|
| Detailed audit report specific to service organizations, reporting on non-financial controls around data security (physical and logical) | Certificate attesting that a framework of Information Security policies and procedures exists in order to manage risk (security best practices are defined for the organization around the Information Security Management System) |
| Baseline is ensuring controls meet the applicable Trust Services Criteria (allows variance in how a service organization delivers within the given criteria) | Baseline is conformance to specific standard requirements |
| Governed by the AICPA (requires a CPA firm to perform the audit and attest to the examination opinion) | Governed by the ANSI-ASQ National Accreditation Board (ANAB); audit performed by an ISO accredited registrar |
| Covers a period of time to ensure best practices are adhered to by the organization as defined (Design AND Operating effectiveness) | Point-in-time certification, looking forward over a 3-year period (Design effectiveness) |
| Report with details of the auditors’ opinion, description of controls, tests of controls, and results | Single-page certificate |
A couple of differences to highlight: ISO 27001 focuses on the control activities relevant to supporting the Information Security Management System (ISMS), and is more focused on broader information security risks like HR, documentation, asset management, supplier relationships, etc. SOC 2 reviews controls for one or more specific services offered by the service organization, and is overall more focused on information systems policy, procedures, security, and change management. I believe a key component is that a SOC 2, Type 2 report examines not just the design of the security controls in place, but also the execution of those controls over a specified period of time. Basically, how well does the organization follow and execute on what they say they do? ISO 27001 is a certificate that measures compliance at a particular point in time, with a forward-looking 3-year cycle of continuous improvement.
One analogy I have heard (it may be unfair, because North America has a stronger preference for and understanding of SOC 2) is a house inspection. If you were to have a security inspection on your house and you knew the expected standards, you could pass based on implementation of those specific standards. The inspector may require specific types of door locks (i.e. deadbolts), a specific type of alarm system, window locks and outdoor lights (maybe they need to be LED and/or on a motion detector). With ISO 27001, you would be certified if you met all of that criteria. With SOC 2, Type 2 you could have some variance in systems – maybe you have outdoor lights, but rather than a motion sensor they are on a dusk-to-dawn timer. If that is deemed within range of the accepted standard, you would be fine. SOC 2, Type 2 then takes it a step further. There is not just an audit of the systems and procedures in place, but validation that they are being followed effectively. In the house example, they make sure the deadbolts are locked at the end of every day (or whenever you specify you will have them locked), that the timers on the lights work, that the alarm is armed according to the process and procedures, etc.
Overall, they are both great standards that help ensure security best practices are followed – and provide clients of the service organization peace of mind. In North America, SOC 2 audits are preferred. Internationally, however, ISO 27001 is the preferred standard. Large data centers operating internationally will likely have both completed.
No matter which industry your company is in, it’s extremely important to educate yourself on the security best practices in your industry, and if you don’t employ an expert, you will need a trusted partner to help you navigate the process of making sure your organization’s data and your clients’ data is being handled securely.