In June 2023, URM delivered a webinar where it compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2. The webinar took the form of a Q&A session where Lisa Dargan (LD), Director, represented ISO 27001 and Chris Heighes (CH), Senior Consultant, represented SOC 2. The Q&A session was chaired by Lauren Gotting (LG) New Business Manager at URM.
In the first of 3 instalments, Chris and Lisa will be addressing the following questions:
- What are ISO 27001 and SOC 2?
- Do ISO 27001 and SOC 2 have sister standards?
- What are the purposes of ISO 27001 and SOC 2?
- How are ISO 27001 and SOC 2 structured?
- What are the main benefits of adopting ISO 27001 and SOC 2?
What are ISO 27001 and SOC 2?
LD – In a nutshell, ISO 27001 represents best practice in terms of implementing and addressing information security management. Why best practice? It's an international standard from ISO. What does that mean? The way that ISO standards are developed is that a group of specialists are assembled, including implementers, experts and academics, and they draft what they deem to be best practice in that field. That draft is circulated to anybody and everybody to comment on and all comments received are taken on board. Once it’s gone through a number of iterations, with possibly another ‘public’ consultation, it is finalised and then published. As an international standard, ISO 27001 has been implemented across the globe without exception and is generally acknowledged as best practice in terms of information security management.
CH – SOC, and more specifically, SOC 2, is an information security standard that's been developed by the AICPA, the American Institute of Certified Public Accountants. As the name suggests, the organisation is heavily involved in the assurance of financial accounting in the American market. It identified that there was a gap in terms of organisations which wanted to obtain assurance on the maturity of the information security capabilities of their suppliers. Essentially, the AICPA has developed the SOC 2 standard to fill that gap. Currently, it's very much focused on the American marketplace and it provides a method for an organisation to provide its clients with a level of assurance in terms of the maturity of the information security processes and the controls it has in place.
Do ISO 27001 and SOC 2 have sister standards and, if so, how many are there?
LD – ISO 27001 is part of the ISO 27000 family of standards. In reality, the 2 most popular are 27001 and 27002 and these two are the ones you should be fundamentally concerned about - ISO 27001 is the specification standard and the one you certify to. It sets out the requirements for your information security management system, or ISMS as it's more commonly referred to. There is also an Annex A that contains all the controls, which you should consider as a minimum. ISO 27002 is an accompanying standard, which provides comprehensive guidance on how to implement the Annex A controls.
Within the 27000 family, there are a whole range of other standards, some you can certify to, but only as an extension of 27001. There aren't any standalones. There are some that are industry specific and one of the more common is ISO 27017, as an example, which provides information security controls for cloud services. So, there's a whole variety in there of guidance, additional information, extensions etc., but, fundamentally, in terms of this comparison, we should be primarily concerned with ISO 27001, the requirements standard and the one you certify to, and ISO 27002, which provides implementation guidance on the controls.
CH – Similar to the ISO space, there are a number of SOC reporting standards. For example, there are specific SOCs for areas such as cybersecurity and supply chain security. But in truth, if you Google SOC, the three main terms that come up are SOC 1, SOC 2 and SOC 3. We’re obviously going to dive into SOC 2 in more detail as we run through this webinar, but SOC 1 is a reporting standard for organisations which are supplying services that could impact the financial reporting controls of their customers. So, it could be relevant if your organisation is providing payroll services or providing a service which a client is going to pay operational costs for. There are very specific instances where SOC 1 is applicable, and you will know if a SOC 1 report is required as your clients will be very clear in telling you that they require one!
And then we have SOC 3, which is also frequently mentioned and is essentially a cut down version of the SOC 2 report. It's basically a public report that you can put on your website, and it broadly covers the same areas as a SOC 2. As we drill down later, I will cover how a SOC 2 report can be distributed and the fact that it’s not a public report.
LG – So, for any organisation that has a SOC 2, does that mean they automatically get a SOC 3 report?
CH – No, SOC 3 is very much an add on. Although I said it was a cut down version, there are some tweaks to the format and the structure of the report as well. So, you can expect to be paying extra money and take a little bit more time.
What are the purposes of ISO 27001 and SOC 2?
LD – The purpose of 27001 is to detail the best practice approach to information security management and provide a mechanism to demonstrate you are doing so. So, if you want a level of confidence and assurance that you have considered all aspects of information security management in its widest context, and that you have implemented an approach or a process that ensures you are appropriately managing information security and your information security risks, that is exactly what ISO 27001 is there to do.
This International Standard for Information Security Management has been around since 2005 and it is interesting to note that the 2022 version has been renamed the standard for Information Security, Cyber Security and Privacy Protection Requirements. In truth, I think we could probably do a whole webinar on whether cyber security is a subset of information security, or whether it’s a completely different discipline but, suffice to say, Annex A of 2022 now includes a number of controls which specifically address cyber security. In terms of privacy protection, within the ISO 27000 family, there is the ISO 27701 Standard, which addresses privacy specifically, although there are elements within ISO 27001 that touch on privacy. But, fundamentally, the purpose of ISO 27001 is to provide a best practice approach to managing your information and cyber security risks.
CH – The purpose of SOC 2 is very specific and very clear. Basically, the key deliverable of a SOC 2 audit is a SOC 2 report. By that, we mean a report produced by independent auditors which details the service you are delivering and the security controls and processes you have in place for that service. This report is something that you can provide to your clients to give them assurance on the maturity of your controls.
LG – So just to confirm, you don't actually get a certificate with SOC 2?
CH – No, the deliverable from SOC 2 is a report and that's an absolutely key factor to remember whenever you're looking at what the scope is or what controls should be included within your report.
Typically, it will be an American-based organisation you are delivering services to which will request a SOC 2 report.
LG – Chris, can you fail a SOC 2 report?
CH – It’s a good question, and this represents a difference between SOC 2 and ISO 27001. Very clearly, when you go into an ISO 27001 audit, the outcome is either you achieve or retain your certification, albeit sometimes with findings to address, or you potentially fail. With SOC 2, at the end of your audit, you always get a report. If everything has gone perfectly, you'll get an unqualified report, and there will be no exceptions within that report. If there are issues that are identified, for example in sampling, you may have some exceptions noted through your report. However, if your auditors aren't able to validate the effectiveness of particular controls, you could get a qualified report whereby the auditors may be saying, for example, they couldn't assess whether the change management process was operating effectively.
So, it's a key thing to note that as you come out of your SOC 2 audit, you're always going to get that report. In truth, there may be scenarios where you don't necessarily want to share that report, but you're always going to get a report. It's not a pass or fail.
LD – And from an ISO perspective, just to confirm, you are either certified or you're not certified. If the auditor finds major nonconformities, you will get an opportunity to address those, but it is black and white, you’re either certified or you're not certified.
How are the ISO 27001 and SOC 2 standards structured?
LD – Fundamentally, there are two parts to ISO 27001. There's the management system, your ISMS, and there are the controls. With the management system, some people look at it as a process, aspects of which we’ll cover later. Fundamentally, it’s about how you manage information security within your organisation to ensure that you are managing risk in an appropriate manner - it is a risk-based standard.
So, in terms of what's in it, as you would expect it starts with scope, objectives, policy etc., the usual essential starting point. The key elements that need to be addressed early on are: have you got the appropriate management commitment and leadership? There's a section on roles and responsibilities - who's responsible, why they are responsible, how they are responsible? There's also a section on the resources that you've got, the competence of those resources, awareness, and training. Risk management is a fundamental component of your management system and the process you have to assess and consider risk.
When we talk about information security, we need to fully understand what we are trying to protect, why we want to protect it and what would happen if something goes wrong. So, there's a very significant section on risk management in terms of understanding your information, your information assets, understanding the threats to those assets and the controls to combat your threats. When you have considered all those things, you need to understand your risk profile and what you are going to do about managing those risks on an ongoing basis.
The other key aspect of ISO 27001 is that it's a continual improvement standard, and there are specific requirements around audit, management reviews, monitoring, measuring etc. So that is your core management system or the way you manage information security.
And then there is Annex A, which contains approximately 100 controls which you must consider, as a minimum, and these include logical, technical, organisational and people controls. At a very basic level, if you want to control access to your office, you may implement door locks, a visitor management policy, security passes, vet people etc. So, ISO 27001 does look at information security management in its widest sense.
LG – Chris, is there much difference with SOC 2 and how it is structured?
CH – Yes, there is a fundamental difference. As Lisa pointed out, when you look at ISO 27001 and ISO 27002, you get a clear understanding of how the ISMS should be structured and, also, you're given a list of suggested controls that you need to implement. With SOC 2, it is structured around the concept of criteria, which are all based on an American framework called COSO. Essentially, you're given a set of criteria and a set of points of focus. Whereas when you look at ISO 27001 and the example of change management, there is a specific control within ISO 27001 that says you should have a change management policy in place, you should have a process, and it gives some indication of what that looks like. In SOC 2, there are points of focus which talk about the fact that you should be managing your information, your technology infrastructure and assets, and that you should have some sort of change control in place. It's no more specific than that. The points of focus just say you need to look at this area and you need to work out what you need to do for the services you are delivering.
LG – So, would you say there is a bit more flexibility then in how you put the control in place?
CH – Yes, the key is how specific it is. ISO 27001 is very clear on what's required in terms of the management systems you need to implement. When you look at what you actually have to put in place for ISO 27001 and for SOC 2, they're very similar, it's just that ISO 27001 gives you a lot more guidance about exactly what that should look like.
What are the main benefits of adopting ISO 27001 and SOC 2?
LD – So, what are the benefits with ISO 27001? Let's start with external assurance. For many, ISO 27001 is a tender passport; it's expected by your clients, it's expected by your supply chain, and you will be asked to certify to 27001 as it is an excellent way for procurement, purchasing teams and bid review teams to answer the question, does this organisation have a proactive approach to information security?
So, you will see from an external assurance perspective, particularly to clients and potential clients, that ISO 27001 has a specific purpose there. It's also fair to say that probably most of the questionnaires that you receive on a regular basis will be based on ISO 27001. A lot of the questionnaires will be asking, have you got this control in place, how do you achieve something? And, if you look at ISO 27002, you'll see this is where most of those questions come from. So, there's assurance to your clients, assurance to your stakeholders and, if you're in a regulated industry, for example, it shows that you adopt a proactive approach to information security management. Likewise, internally, if your board or similar asks if information security is managed well, how do you best reassure them? That is where ISO 27001 comes in. It can also provide you with that personal reassurance, like a comfort blanket, when you ask yourself those niggling questions: have we covered all aspects of information security management? Have we really thought about everything? On top of that, ISO 27001 may also provide you with a competitive advantage vis-à-vis other organisations in your marketplace.
LG – And Chris, would you say there are any additional benefits to having SOC 2?
CH – Broadly, it is the same sort of set of benefits, but the overwhelming benefit with SOC 2 is that it's providing assurance to your clients. And, if you're operating in the American marketplace, another benefit of actually getting yourself a SOC 2 report is that you're entering into that ecosystem of assurance. In the American marketplace, it's increasingly becoming a common language. So, if you're in the middle of the supply chain, the sensible thing to be doing is ensuring that your key suppliers all have a SOC 2 report, because if you must have a SOC 2 report to provide to your clients, you are going to need to be able to evidence that you have appropriate assurance of the information security being implemented by your suppliers. So, I would say it's increasingly becoming the key information security assurance method across the American marketplace.
In our second instalment, Chris and Lisa will be addressing the following questions:
- What are the key implementation stages of ISO 27001 and SOC 2?
- Are ISO 27001 and SOC 2 applicable to particular organisations or industry sectors?
- Can ISO 27001 and SOC 2 be used as a substitute for the other?
- What are some of the key similarities and differences between ISO 27001 and SOC 2?