ISO 27001 is a standard from the International Organization for Standardization. SOC 2 (Service Organization Control) is a set of compliance requirements created by the American Institute of Certified Public Accountants (AICPA). Here’s how else SOC 2 differs.
While ISO 27001 deals with IT security, SOC 2 is about handling third-party data, for example by a financial services company or a cloud computing service provider. The measures, detailed below, go beyond simply covering security.
SOC 2 builds on the SOC 1 compliance requirements. SOC 1 is about the service you provide to a customer, specifically how they can remain confident in their financial reporting despite outsourcing some of their operations to you. SOC 2 is about the controls you have in place to make sure you handle their data correctly in a wider context than just the customer’s financial reporting.
An auditor’s SOC report covers one or more of five “trust service principles”.
- Security – protecting against both physical and logical (i.e. remote) unauthorised access. (Security must always be covered in the report.)
- Availability – whether or not the system is available for use as agreed.
- Processing – making sure any processing is done accurately, in full and on time.
- Confidentiality – protecting any information designated as confidential, meaning access is restricted to a specific person or group.
- Privacy – covering all aspects of personal information such as collection, use, retention, destruction and disclosure. This takes into account both the specific promises you make and more generally accepted principles and legal requirements.
The criteria for SOC reports are very much about the “what” of achieving these principles rather than the “how”, so there is more flexibility than in some types of audit. However, to pass the security element of the audit, you’ll usually need controls that can:
- constantly monitor activity;
- raise an alert when anything is out of the ordinary; and
- provide enough detail that when you spot a potential threat, you can mitigate or prevent the damage it does.
While all ISO 27001 reports fundamentally work the same way, SOC reports fall into two distinct types. A Type I report details what the organization is trying to achieve with its controls and whether those controls are suitable for those aims. A Type II report examines whether the controls are actually operating as designed. This difference means a Type I report applies to a specific point in time, while a Type II report covers a period of time.
A SOC report arguably has more room for opinion and nuance than some forms of “checklist” audit. This makes it important to use an auditor with experience in, and knowledge of, the SOC field.
Comparison between SOC 2 and ISO 27001
The AICPA has published a mapping tool which details the SOC 2 trust services criteria and how they correspond to the relevant clauses or security controls in ISO 27001. It’s a useful tool, as some of the ways an ISO 27001 control is relevant to the SOC 2 criteria might not be obvious. Some of the key connections include the following.
SOC 2 criteria/relevant ISO 27001 control:
- Establish standards of conduct/Train employees and (where relevant) contractors in Information Security
- Address breaches of the standards of conduct quickly/Have a formal disciplinary process
- Establish relevant policies and practices/Produce the policies and regularly review
- Consider how significant each risk is/Analyse the risk including its likelihood and impact
- Make sure competent personnel carry out the control activities/Assess competence based on education, training or experience
- Identify, inventory and manage information assets/Inventory the assets and “own” them
- Identify and authenticate users before they access information/Use a log-on procedure with a system that guarantees “quality” passwords
- Design measures to detect actual and attempted security breaches/Log activities relevant to security and regularly review the logs
Note that for several of the SOC 2 trust services criteria, there’s no direct equivalent in ISO 27001. Examples include the following:
- Implement (rather than merely design) measures to detect anomalies in system operations
- Record when people ask for personal information to be deleted or it’s no longer needed, then make sure the relevant information is indeed deleted. Do this in a way that guarantees it can’t be lost, stolen or accessed without authorisation.
- Oversee the way the security controls interact with other technology controls and business processes.
- Make sure to have suitable controls over technology infrastructure.
- Make sure to have suitable controls so that everyone has only appropriate and relevant access to the various technologies.
- Make sure to have appropriate control over acquiring, developing and maintaining technology and its infrastructure.
- Assess the risks of fraud including the effects of incentives and pressures.