SOC 2 vs ISO 27001

We are here to guide you on what SOC 2 and ISO 27001 standards are, which one is right for you, and what you can expect when preparing for these certification types.

The year is 2022. Your company is crushing it. Employees have Yeti mugs with your company’s brand on it. Your sales team members are closing deals so fast that you’re already thinking about that series raise just around the river bend and are contemplating buying some unicorn slippers as a good luck charm (they exist, you’re welcome) . But all of a sudden, the sales screech to a halt. Your sales guys and gals are exasperated as they all come to you saying “The prospect won’t sign until we have either a SOC 2 or an ISO 27001 certification”. You quickly Google these terms, and you see 3 pages of ads for different software platforms that can get you certified in anywhere between 48 hours and 6 months.

We are here to guide you on what SOC 2 and ISO 27001 standards are, which one is right for you, and what you can expect when preparing for these certification types.

Let’s get to it!

What is SOC 2?

Way back in the day (like 12 years ago actually), the AICPA put their heads together and said “Hot dang, there are a LOT of companies out there that are outsourcing entire departmental services, and are completely relying on these third parties. We need to set some sort of standard to audit these yahoos before things get unruly”. Alas, the SSAE 16 standard was born (not to confuse you, but it has since been updated to SSAE 18). It consisted of SOC 1, SOC 2, and SOC 3. We’ll cover the other standards in another blog post, but it hone in on SOC 2: this auditing standard sets the bar for companies that want to show the world (and more importantly, their customers) that these companies meet industry security standards.

The AICPA broke the SOC 2 standard into five categories (they call them ‘Trust Principles’ because it sounds cooler), which are ‘security, availability, confidentiality, processing integrity, and privacy’. This standard is completely optional (it’s not a law that your company has to abide by) and therefore you get to customize it for exactly what your organization needs to brag about. Every single company that is being audited against the SOC 2 standard must align with the Security Trust Principle, but from there, the sky is the limit! Most organizations pursue Security & Availability, which adds controls that showcase your ability to make your service always available to your customers. Confidentiality is a good choice when you are collecting another organization’s sensitive bits and bytes, as this one will help you prove that you are keeping that data confidential (get it?).

Fun fact: SOC 2 is considered a standard (sometimes called a ‘framework’) and is NOT a certification. You pay an auditor to come in and provide an official attestation in the form of a report that you are aligned with the SOC 2 Trust Principles that you decided on prior to the audit. These auditors are licensed CPA firms who are granted their auditing knighthood by the great and powerful AICPA.

Since the AICPA is a US-based entity, the SOC 2 standard is all the rage in the US, but not so much beyond the ole Continental US.

What Is ISO 27001?

ISO 27001 is an actual security certification (you get a physical certificate to put on your fridge) with 7 core requirements around confidentiality, integrity and availability (starting to see some overlap here!). This certification is internationally recognized, and it is especially popular in the EU, Japan, and South America.

This standard has been a round a bit longer as well, starting way back in 2005 and then being revamped in 2013. The governing body, the International Organization for Standardization (ISO), has a ton of different ISO standards and certifications, and there were no creative juices flowing when they came up with the names for these, hence the numbering conventions.

Similar to SOC 2, the purpose of this certification is to give your customers a warm, fuzzy feeling about your security standards and how you’re protecting their data.

ISO 27001 requires that you define what’s called a Information Security Management System (ISMS), which is your documented security program that outlines everything you do to enact security within your organization. The cool part is that you can define the scope to either your entire organization or just certain parts of it, such as a certain SaaS product you offer and any services that support said SaaS offering.

Just like SOC 2, this is not a mandatory standard/certification, but it’s like getting that OG iPhone before all your friends had it: it garners a lot more attention in the form of mature customers that demand security.

So Which One Do I Need?

You can find a lot of fluff out there describing the benefits of each of these services, but here is an easy way to look at it: where are your customers (geographically)?

If they are in the US, then SOC 2 will likely be the standard for you.

If they are outside the US, it’s time to clear a spot on your fridge and set aside a magnet for that ISO 27001 certification.

‘But what random Eden Data blogger, I have customers that fall in both categories!’. Not to worry random blog reader! You can absolutely pursue both SOC 2 and ISO 27001, and there is a ton of overlap! Everyone has a different opinion on the percentage of overlap, but IMHO, it’s about 70%!

In other words, if you start with a SOC 2 attestation and pass your audit with flying colors, you are already over halfway on the journey to slaying the ISO 27001 dragon!

Pro tip: if you find the right auditor, and you have a legit compliance team, you can actually combine the audits and save yourself some cash! The auditors will map the two standards for you, request all pieces of evidence at once (removing the need for you to provide the same evidence twice if you were to do them separately), and issue the SOC 2 attestation report and ISO 27001 certification simultaneously! Talk about a cheat code.

So How Are They Different?

Rather than writing a novella on all of the differences, we broke it down into a handy table:

Go Forth and Conquer

We have a strong feeling that your organization cares deeply about protecting your customers, and you very likely are seeing the trend of just about every company demanding minimum viable security from their vendors. As the US and the rest of the world finally catch up to the EU in regards to data privacy standards, the expectation for robust security at your organization will only increase.

But what is amazing about an investment into things like a SOC 2 or ISO 27001 standard is that there is actual ROI on the investment. These standards are opening doors to more customers, allowing you to go global in some cases, and earning you street cred as you brag about them on your website and beyond.

Don’t look at these compliance initiatives as wasted effort, and instead treat it like a competition with your competitors: every organization is going to have to embrace data security at some point, so why not be that company that leads the pack and revels in the glory while this is still considered a competitive advantage?

Need help getting SOC 2 or ISO 27001 compliant? Here at Eden Data, we can build your program(s) from scratch, and serve as your retained security team and head CISO in order to give you even more competitive advantage. Schedule a demo with us today to find out more!