ISO 27001 is an international information security standard that provides specifications for implementing an effective Information Security Management System (ISMS) through risk management and compliance with regulations like GDPR. SOC 2 is an assessment for technology companies developed by the AICPA to protect customer data stored in the cloud, and it applies to any company using cloud storage. Both standards aim to implement security controls, policies, and procedures to protect valuable assets, but ISO 27001 provides a more comprehensive framework while SOC 2 focuses on verifying data protection controls. Implementing one or both can strengthen security posture, simplify compliance, and improve customer confidence.
2. Contents
3. Overview and Purpose
4. Benefits
5. Comparison
6. The Needs and Requirements of the Customer
7. Roadmap
8. What Success Looks Like
9. Q&A
3. Overview and Purpose
ISO 27001 Standard
• The international security standard that provides the specifications to implement an effective Information Security Management System (ISMS)
• ISO 27001 focuses on protecting confidentiality, integrity and availability.
• Assists in complying with General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) regulations.
• A risk management framework.
SOC 2 - Service Organization Control (SOC) report
• SOC 2 is an assessment platform for technology companies developed by the AICPA (American Institute of Certified Public Accountants)
• SOC 2 is specifically designed for service providers that store customer data in the cloud and must protect this data
• SOC 2 applies to every company that uses the cloud to store customer data.
With both standards, the objective is to implement reasonable technical security controls, policies, procedures, and overall security management to protect the security of your company's or client's valuable assets.
4. Benefits
ISO 27001 Benefits
• Provides the framework to build an effective ISMS for your organization
• Simplifies compliance with multiple regulatory frameworks (e.g., HIPAA, PCI, PII)
• Provides a baseline to implement and demonstrate measures to comply with strict GDPR and Data Privacy objectives worldwide
SOC 2 Benefits
• SOC 2 compliance can benefit businesses that handle customer data for others, such as SaaS, banking, or healthcare companies
• Compliance helps strengthen company reputations, financial statements, and stability by documenting, evaluating, and improving internal controls
• SOC 2 ensures integrations with AWS, Azure, GCP, GitHub, etc. are compliant and data is protected
• Data Center and Colocation service providers can also offer security compliance to their customers
With either or both:
• You implement governance, policies and controls that secure your data
• You improve your company's security posture.
• Assets and confidential information are kept more secure
• Customers and stakeholders gain confidence in how you manage and reduce security risks
• You meet/exceed Third Party Risk Management requirements
5. Comparison
ISO 27001
• ISO 27001 is a standard that includes the specifications necessary to design, implement and operate the ISMS and validate the operation of technical controls within the system
• More robust and comprehensive than SOC 2
• An ISO 27001 compliant architecture can provide controls to comply with GDPR, PII, HIPAA and other regulatory and compliance requirements
• ISO 27001 can be thought of as applying to building an organization's security infrastructure, while SOC 2 applies more to verifying the existence of data security protection controls
SOC 2
• A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating
• The SOC 2 report will be performed in accordance with AT-C 205 and based upon the Trust Services Criteria
• The SOC 2 audit examines the Five Trust Services Criteria (TSPs):
1. Security
2. Availability
3. Processing integrity
4. Confidentiality
5. Privacy
6. The needs and requirements of the customer
ISO 27001
• An effective approach to security to defend against external attacks and common internal threats.
• Provides a proven framework to define, document, monitor, review and update security controls to address security risks specific to your business.
• Is a non-prescriptive standard that tells you what you need to do, not how to do it, so your business implements a program specific to your organization.
SOC 2
• SOC 2 compliance is a minimal requirement when considering any SaaS, PaaS or IaaS provider.
• The move to cloud requires evidence of third-party compliance and data protection measures.
• SOC 2 reports on various organizational controls related to security, availability, processing integrity, confidentiality or privacy.
For success you need to understand your company's:
InfoSec Requirements
Leadership Requirements
Planning Requirements
Support Requirements
Operational Requirements
Evaluation Requirements
Improvement Requirements
7. Roadmap
ISO 27001
1. Create a plan for Security Management
2. Determine your scope – What assets need to be protected?
3. Understand all the risks associated with all assets
4. Perform a Risk Assessment
5. Find the gaps between desired and current state. Determine the best way to manage the risks. Determine what must be done
6. Close the Gaps – Create a Gap Remediation Plan (GRP)
7. Execute the GRP – Develop Policies/Standards/Procedures
8. Conduct an ISMS Internal Audit
9. Remediate policies, procedures, practices and configurations before the official audit.
10. Begin the external certification audit
5-15 months to become 27001 certified
Internal resources, third party consultants
Audits - $20K-30K, Consulting $30K – 90K
SOC 2
1. SOC 2 reports are usually issued by independent third-party auditors
2. Find a competent CPA firm
3. The first step is to perform a SOC 2 scoping and readiness assessment.
   1. This evaluates the organization's internal control framework.
   2. Determines the business functions which will be in scope of the SOC 2 audit
4. Then conduct a SOC 2 Internal Audit
5. Remediate policies, procedures, practices and configurations before the official audit.
6. Begin the external certification audit.
6 weeks – 3 months on average
Internal resources, third party consultants
SOC Type 1 starts at $20,000, SOC Type 2 starts at $30,000.
8. What success looks like.
A successful compliance program means:
• Controls are in place at all levels to protect the security of all assets.
• You have an infrastructure that achieves your security objectives
• You see a measurable risk reduction across all business divisions
• Marked reduction of self-identified issues and external audit findings
• A security posture that provides Continuous Compliance through integrations with AWS, Azure, GCP, GitHub, and more.
• Continued successful external certification audits
• The ability to demonstrate continuous improvement
• Increased customer confidence
• Higher ROI
The cost of non-compliance can result in attacks that can debilitate your business. This can include lost revenue, customers, opportunities, and out-of-pocket costs. Security breaches affect people, operations, finance, intellectual property, and brand reputation. The impact is high.
To implement ISO 27001 you will need to define a compliant ISMS:
Define the scope
Define a security policy
Conduct a risk assessment
Manage identified risks
Select control objectives and controls to implement
Prepare a Statement of Applicability
Reduce costs by understanding risks and opportunities for security improvements
Reduce risks by designing a risk treatment plan. Accepted risks manageability of the risks
with the ability to test and report on the design (Type I) and operating (Type II) effectiveness of a service organization’s controls
A SOC 2 report is based on the existing SysTrust and WebTrust Principles. The purpose of a SOC 2 report is to evaluate the organization's information systems relevant to security, availability, processing integrity, confidentiality or privacy.
A SOC 1 report is an assessment of controls at a service organization that may be relevant to user entities' internal control over financial reporting.
SOC 3 follows the SOC principles but does not detail the testing performed and is meant to be used as marketing material.
SOC 2 covers 75-80% of the list of ISO 27002 controls.
9. Q&A
What will an ISO 27001 ISMS accomplish for your business?
What does top management need to do?
How do we assess risks and confirm risk reduction?
How do we ensure we have competence and awareness?
How do we implement and control the processes needed to achieve our objectives?
How do we ensure the effectiveness of our ISMS?
How do we address deficiencies and continuously improve?
• The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.
• The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives.
• The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives.
• The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.
• The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy.
• The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorized disclosures (including breaches) of personal information to meet the entity's objectives related to privacy.
• The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy.
Managed Services
Managed services providers can set themselves apart by demonstrating their commitment to maintaining the strong internal controls that customers want when entrusting them with the management of their information systems, including applications, databases, information security, backup and recovery, network management, and system monitoring.
Banking and Financial Services
Organizations like credit unions, banks, credit card companies, insurance companies, consumer finance companies, and stock brokerages face numerous challenges in internal controls. For example, physical and logical security play a major role in ensuring customer data is secure. They also must maintain confidentiality and privacy, as well as the completeness, timeliness, and accuracy of transactions. Thus, demonstrating a robust SOC 2 compliance program can be advantageous.
Software as a Service (SaaS)
Efficiency-seeking companies are turning to Software as a Service (SaaS) providers to reduce costs. SaaS providers can gain an edge by showing prospective customers that they can be trusted because of their adherence to widely accepted frameworks for internal controls.
Data Centers and Colocation Facilities
A single data center can serve many customers, housing vast amounts of sensitive data, which would make a breach exponentially damaging. Therefore, companies scrutinize the internal controls of a data center or colocation facility before trusting them with their data. SOC 2 compliance can provide those companies with the assurance they desire.