In June 2023, URM delivered a webinar where it compared and contrasted 2 of the world’s leading information security standards, ISO 27001 and SOC 2. The webinar took the form of a Q&A session where Lisa Dargan (LD), Director, represented ISO 27001 and Chris Heighes (CH), Senior Consultant, represented SOC 2. The Q&A session was chaired by Lauren Gotting (LG) New Business Manager at URM.
In the third of 3 instalments, Chris and Lisa will be addressing the following questions:
- How are the 2 standards assessed and audited?
- How long does each certificate last?
- How much time and effort is required to implement each?
- How much does it cost?
- Who can carry out ISO 27001 and SOC 2 audits?
- Are the requirements for SOC 2 type 1 and type 2 different?
How are the ISO 27001 and SOC 2 standards assessed and audited?
LG – Chris, one question that has in come in relates to the audit process for SOC 2. You mentioned a qualified report earlier - do you have a chance to review it and make amendments?
CH – Yes, it’s a really good question and enables me to talk about the auditing process. Essentially, SOC 2 audits are very much evidence driven. In my experience, auditors provide the organisation being audited with a set of evidence requests.
They will say, right, this is what we want to see on the incident management processes and what we want to see on your asset management process. Typically, the auditors will want to see that the processes are documented and will want to see evidence of their operation.
While they run through that process, and again, in my experience, the auditors are willing to go backwards and forwards with it. So, for example, if they've been looking at your change management evidence and they sample a dozen change requests and they spotted that couple of those change requests haven't got all of the characteristics that you've said should be in, or they haven't necessarily got all of the approvals that they're expecting, they may come back to you and say, ‘well, can you explain why these exceptions are in the sample?’ So, it's really at the point when the auditors are looking at the evidence that you're given the opportunity to come back, for example, and say, ‘well, in actual fact, I didn't have approvals for those two changes because…’ or ‘those changes didn't have test plans for this specific reason’ etc, etc.
With these examples, the auditors may well expand that sample, or they might well have a discussion with you and say ‘in actual fact, we need to raise an exception for that’. If they raise an exception in the report, they do provide you with the opportunity to respond formally. So basically, when the report is produced, if there are some exceptions, you do have an opportunity to either justify why the exceptions are there or, and this is more likely, to explain how you intend to resolve them.
LG – So you can put a plan in place to remediate?
CH – Yes, you can. When the report is produced, if there are some exceptions, you have an opportunity to explain why the exceptions are there and to explain how you intend to resolve their root cause so that they won’t occur again. The auditors then add this response at the end of the report.
LD – From an ISO 27001 perspective, it’s far more straightforward, initial two-stage process. Stage one is a documentation review - have you got certain documents in place? Is your scope documented? Do you have a risk assessment methodology? Do you have an audit schedule in place? Typically, this audit is with the information security manager/compliance manager – that’s it.
Stage two is a point in time audit. As Chris has described, loosely, with a type 1, there will be various people within your organisation, from HR, IT etc. who will be identified in advance, who the auditor wants to spend some time with.
Typically, these sessions will be no more than an hour, maybe 2 hours maximum. And it's really a question of ‘OK, how do you do this? What's in your policy? Demonstrate to me that you're following your policy set.’
If we take change control as an example, probably during the assessment you'll be asked, ‘How do you do change control? Show me how you're following your policy and process. Let me have a list of the changes made over last month or so.’ With SOC, it would be a much, much longer process, with requests going to and fro. With ISO 27001, it is questions at the time and a much more simple, 2 stage certification process.
CH – And to go back to that change management type example, and just to reemphasize the difference in the 2 auditing techniques, in SOC 2 the auditors, in their initial information request, would ask for the policy and the process and ask for a sample of changes that they would want to see. If they review all of that evidence and they don't have any questions and it all matches up, potentially, they won't need to talk to anybody about the change management process. So, as I said, with 270001, I think it's fair to say that the initial view is we're always going to sit down and talk to somebody about this process. Potentially, with SOC 2, as it's evidence driven, it may be that the evidence answers all the questions and therefore they don’t need to have that hour long meeting with the change manager or whatever. It might just be the auditor wanting to clarify a couple of points.
LG – So it can vary quite a bit then?
LD – It does. However, the efforts to get all the evidence together for a SOC audit, bearing in mind that it’s over an elapsed period of time, is possibly 3, 4 or 5 times the length of an 27001 audit, and it’s also a back-and-forth process.
CH – Yes, absolutely. And I'm not going to shy away from the fact that, certainly when you do your first SOC 2 audit, the initial request for evidence can be a little bit daunting and disconcerting because there will be a lot of requests.
How long does each of ISO 27001 and SOC 2 certificates last?
LD – So, ISO 27001. Once you've got you certificate, it lasts for three-year period, and you have a continuing assessment visit on an annual basis which is conducted over a number of days. As Chris has said, SOC is 12 months only and then you go back and start all over again.
How much time and effort is required to implement ISO 27001 and SOC 2 certificate?
LD – ISO 27001, it depends. But broadly speaking, you would be looking to achieve certification within a 9 to 12month period. You might, if you're very mature, be able to get there sooner, but you need that level of evidence. If you take much longer, then you may need to repeat the risk assessment or elements of it.
CH – Yes, in truth, for SOC 2, it's comparable in that if you start from scratch and you haven't got anything in place or haven’t got any certifications already in place, it’s going to be a similar sort of timescale. The key thing to remember if you're going for a type 2 report, is that you've got to be able to show the effective operation of your processes and controls for a specified period, be that six months or whatever. As such, you need to be very clear on, or at what point, you believe your process was operating effectively.
How much does ISO 27001 and SOC 2 certification cost? Is there a ballpark figure for a medium-sized business to certify?
LD – Broadly speaking, if you look at 27001, and this is a rule of thumb, looking at your three-year costs – that’s a stage one, stage two and continuing assessment visits. If you rolled that into one figure it would roughly equate to your total annual cost of SOC 2, for one year only. So, SOC 2 is much more expensive, which then underlines the point Chris has been making - it's much more thorough, not just a point in time kind of assessment.
CH – And if you're looking at the end result as well, you will be getting that SOC 2 report at the end of it.
Would SOC 2 implementation timelines be reduced if you already had ISO 27001?
CH – Yes, they would.
LG - So can both standards be implemented at the same time in your professional opinion?
LD – Yes, absolutely. So, the process you would take, typically, is you would use your information security management system from ISO 27001 as your overarching framework. And there is a bit of a variation to this, as Chris has talked about with the additional focus of governance with SOC 2. But effectively, where you look at the controls from an ISO 27001/ 27002 perspective, you would also look at the SOC controls as part of that framework and also include any other relevant controls – for instance, you might have PCI DSS and other specific controls within your environment and you would include all controls in your control framework. The management system for ISO 27001 would be your overarching framework and this would be supported by your control framework. As you implement the controls from an ISO 27001 perspective, if you've completely improved the new control, new policy, new technology etc., you could be ISO certified within a few months. If it was SOC 2, whilst you’ve implemented it at the same time, you may need at least six, probably 12 months’ worth of evidence that the control been working effectively. So, whilst you could be ISO 27001 certified with a risk treatment plan with actions still to be addressed, you would need far more evidence to be SOC 2 certified.
CH – As we’ve discussed, with regards to the differences in the 2 standards, SOC doesn't have a detailed control framework or set of requirements associated with it. Typically, if you're going straight into getting a SOC 2 report for your organisation, you need to work out what your framework is going to be in order to support your responses to the questions about the criteria and the points of focus.
LG – Thank you Chris. We may have covered a little bit of this throughout the presentation, but if you're already certified or a compliant to one, how easy is it to get the other one?
CH – My theory is that probably the most sensible path to take is to implement ISO 27001 first and then SOC 2. That’s not to say you couldn’t do it the other way around. But because ISO 27001 gives you that clear framework, gives you the requirements of an ISMS, and the control set, it provides the foundation to achieve a positive SOC 2 report.
If you do SOC 2 first, there's likely to be some ISO 27001 requirements that you haven't actually covered. So, ISO 27001 and then SOC 2 is probably the most obvious route, but it doesn't mean that you couldn't do it the other way around.
LG – Thanks Chris. So, the big question then, ISO 27001 versus SOC2. What should I do?
LD – ISO 27001 all the way, unless it's a specific client requirement, the American market or the supply chain that is asking to see a SOC 2 report. And, in answer to the question before, if you’re looking at doing ISO 27001, and then going to do SOC 2, is that acceptable? Yes, but generally speaking, unless somebody specifically asks you for SOC 2, go for ISO 27001.
CH – I would say, if you’re in the American marketplace, or you have American-based clients, or you're planning to move into that space, you should expect that sooner rather than later there will be a request for you to have a SOC 2 report in place.
LD – And I think, Chris, I would totally agree with you. And that is what we're seeing, and we’re seeing more and more of that.
Who can carry out ISO 27001 and SOC 2 audits?
CH – With SOC 2, it’s the AICPA, which is the American Institute of Certified Public Accountants. Essentially, the only people that can do SOC 2 auditing are organisations and individuals that have been accredited by the AICPA. I know Lauren’s next question is whether all auditors can do SOC 2 reports? They can’t. Basically, all SOC 2 auditors are certified public accountants, but not all certified public accountants can carry out SOC 2 audits.
LD – From an ISO 27001 perspective, there are certification bodies - in the UK you want a UKAS-approved certification body and in the US, ANAB approved. The accreditation bodies are there to approve certification bodies and put them through a rigorous initial accreditation process and then an annual assessment so that you can be assured that they are fit for purpose in assessing you.
Are the requirements for SOC 2 type 1 and type 2 different?
CH – No, the only difference is the time scale that the effectiveness of the controls are assessed over.
Read previous instalments
Do you need any help with your ISO 27001 auditing programme?
Due to the increased use of technologies and the ‘human’ involvement, it is inevitable we are all going to face more and more information security incidents.
In this blog, we’re going back to basics and looking at some of the fundamentals of information security and ISO 27001.