Choosing between SOC 2 Reports and ISO/IEC 27001 Certification - Larson And Company

Written by Andrew Wan, CPA, CFE | 23 Mar 2016

When it comes to choosing between a SOC 2 report and ISO/IEC 27001 certification, there are advantages and disadvantages to each. Each organization needs to decide which fits its own needs best. Some organizations find it helpful to have both.

SOC 2 is a report issued by a certified public accounting firm. The framework for the report is issued by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report has different principles that can be attested on: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The SOC 2 report is required to include Security but may include any other combination of these principles. SOC reports are not a certification; you cannot be SOC certified.

There are two different types of SOC 2 reports. Type 1 is an audit performed at a point in time. This means that when the company is audited, all of the requirements are met at that moment; it does not mean the requirements were met in the past or will be met in the future. Type 2 is an audit in which testing is performed over a defined time period. This means you can rely on a SOC 2 Type 2 report for comfort that the audited company met the requirements of the chosen principles (Security, Availability, etc.) throughout that period. This provides significantly more assurance than a Type 1 report.

ISO/IEC 27002 is a security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is against this standard of requirements that organizations are certified to ISO/IEC 27001.

ISO/IEC 27001 is a certification best known for verifying that the requirements for an information security management system (ISMS) are met. According to ISO, “An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.” This standard is recognized internationally, and certification is granted at a point in time. This means that when the company is inspected, all of the requirements are met at that moment; it does not mean they were met in the past or will be met in the future. The certification can provide comfort to those relying on the inspected company that, as of its last inspection, it met the requirements to be ISO/IEC 27001 certified.

In summary, ISO/IEC 27001 is an internationally recognized certification of the information security management system at a point in time. A SOC 2 report is based on principles chosen by management and is more flexible: it can cover a point in time (Type 1) or a period of time (Type 2), and it can cover multiple areas depending on organizational needs. For more information about SOC 2 reporting, contact Andrew Wan today.