Comparison of SOC 2 and ISO 27001 certification

All over the world, customers are increasingly concerned about how the vendors they rely on can affect their own security and business results. As a consequence, they more and more often require evidence that the services provided to them are trustworthy, and one accepted way to provide that evidence is a Service Organization Control (SOC) 2 report.

This article presents how organizations that need to produce a SOC 2 report can take advantage of ISO 27001, the leading ISO standard for information security management, to fulfill SOC 2 requirements.

What is a SOC 2?

SOC 2 is a suite of reports produced during an audit performed by an independent Certified Public Accountant (CPA) or accountancy firm.

The content of these reports is defined by the American Institute of Certified Public Accountants (AICPA) and, as such, is primarily relevant to U.S. companies and to vendors serving U.S. customers. SOC 2 validates the internal controls over the information systems involved in the services provided, based on five partially overlapping categories called the Trust Services Criteria (TSC).

Because the reports do not contain an objective "pass or fail" result, only the auditor's opinion, which is subjective, an organization cannot be certified against SOC 2. It can only be attested as compliant with SOC 2 requirements, and this attestation can only be issued by a licensed CPA.

There are two types of SOC 2 reports. A Type 1 report covers the description of the service's systems and states whether the controls as designed, at a single point in time, are suitable to support the objectives the organization wants to achieve. A Type 2 report covers the same description and design assessment, and additionally states whether these controls operated effectively over a period of time (generally between 6 months and 1 year). Examples of objectives to be achieved by (Read more...)

*** This is a Security Bloggers Network syndicated blog from The ISO 27001 & ISO 22301 Blog – 27001Academy authored by The ISO 27001 & ISO 22301 Blog – 27001Academy. Read the original post at: https://advisera.com/27001academy/blog/2021/02/02/iso-27001-vs-soc-2/