
WISP vs SOC 2 vs ISO 27001: Choosing the Right Security Framework

Article Summary

  • A Written Information Security Plan (WISP) is a formal document outlining how an organization identifies, assesses, and manages cybersecurity risks to protect sensitive data.
  • Regulatory drivers such as HIPAA (1996), GLBA (1999), the FTC Safeguards Rule (2003), and 2021–2024 amendments have expanded WISP requirements, including for tax professionals.
  • WISPs are required for organizations handling sensitive financial or personal data, including tax professionals, financial institutions, healthcare providers, and businesses in certain states.
  • A strong WISP includes purpose and scope, risk assessment, defined roles, security policies, monitoring, incident response, employee training, and regular updates.
  • Organizations can strengthen compliance by aligning WISPs with frameworks such as National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), American Institute of Certified Public Accountants (AICPA) SOC 2, and AI risk guidance.

What Is a WISP and Why Your Organization Needs One

Running a business while protecting sensitive assets and maintaining compliance grows more challenging every year. The number and variety of threats is rapidly evolving as bad actors continue to search for and exploit security vulnerabilities. A Written Information Security Plan (WISP) is designed to address this risk and help companies achieve a robust and practical set of security controls.

What Is a WISP?

A WISP is a formal document that outlines how an organization identifies, assesses, and manages cybersecurity risks to protect sensitive data. A well written WISP includes administrative, technical, and physical safeguards tailored to your business environment.

A Brief History of WISPs

The concept of WISPs emerged in response to the growing need for structured cybersecurity frameworks:

  • 1996: HIPAA introduced the requirement for healthcare entities to implement security policies.
  • 1999: The Gramm-Leach-Bliley Act (GLBA) mandated financial institutions to protect consumer data.
  • 2003: The FTC’s Safeguards Rule required comprehensive information security programs.
  • 2021–2024: Amendments to the Safeguards Rule and IRS regulations made WISPs mandatory for tax professionals and introduced breach reporting requirements.

These milestones reflect a broader trend: regulators increasingly expect organizations to proactively manage data security risks.

Who Is Required to Have a WISP?

WISPs are required for organizations that handle sensitive personal or financial data, including:

  • Tax professionals: The IRS mandates WISPs as part of the PTIN renewal process.
  • Financial institutions: GLBA and FTC Safeguards Rule compliance requires a WISP.
  • Healthcare providers: HIPAA regulations require documented security policies.
  • Businesses operating in certain states: States like Massachusetts and New York have their own WISP requirements.

Even if your organization isn’t legally required to have a WISP, implementing one can significantly reduce your risk exposure and better prepare you for security incidents.

What Should a WISP Include?

While the exact contents may vary by industry and regulatory framework, a strong WISP typically includes the following elements:

  1. Purpose and Scope: Define the objectives and coverage of the plan.
  2. Roles and Responsibilities: Identify who is responsible for implementing and maintaining security controls.
  3. Risk Assessment: Outline how risks are identified and evaluated.
  4. Security Policies: Include policies for access control, data classification, encryption, and incident response.
  5. Training and Awareness: Describe employee training programs and ongoing awareness efforts.
  6. Monitoring and Auditing: Detail how systems are monitored and how compliance is verified.
  7. Incident Response Plan: Provide procedures for detecting, reporting, and responding to security incidents.
  8. Review and Updates: Establish a schedule for reviewing and updating the WISP.

Why Partner With Us?

Our IT audit team has many years of experience in SOC 1, SOC 2, HIPAA, and compliance engagements, and we understand the complexities of achieving regulatory compliance. By partnering with us to develop your WISP, you’ll gain:

  • A customized plan aligned with your business and regulatory requirements.
  • Expert guidance from auditors who understand both technical controls and legal obligations.
  • Confidence that your organization is better prepared to address audits, security events, and emerging threats.

Which Internal Control Framework is Best?

NIST vs ISO vs SOC vs PCI vs….

Which control framework is the best to use? Can I pick and choose from multiple frameworks? Who are the key stakeholders in this process?

As a CPA and SOC practitioner, I have been asked these questions many times. The answer is, of course, it depends. However, here are some thoughts to guide you in your research. At the end, I provide a table comparing some of the more common control frameworks/rulesets.

Which control framework is the best?

What have your customers asked for? Unless you are very proactive, you are likely beginning this search because a key customer has asked you to be compliant with XYZ framework. Although a customer request is not the be-all and end-all of this decision, if a customer is asking for a particular framework, that is a strong sign that the customer-identified framework is the correct one to use.

What does your industry focus on? If you are proactive and beginning this search on your own – good for you! Do you provide a platform as a service or software as a service, or manage a government resource? Refer to the table below for the industries and focus of each framework.

How much time and monetary resources could you budget for implementation? Some frameworks are more intensive than others. Most of the frameworks cited below are for entities planning a comprehensive response to risks they identify and potentially to achieve independent attestation or certification. Between preparation, implementation, and testing, these efforts could take up to a year to achieve. If you are just looking for best practices, consider a web search instead.

Can I pick and choose from multiple frameworks?

Probably not. If your goal is compliance attestation or certification, you will need to adhere to a particular framework. If your goal is general company health and risk management, start by identifying the best fit framework. If there are acceptable/justifiable gaps between your risk assessment and objectives/criteria addressed in the framework, you may refer to multiple frameworks.

Who are the key stakeholders in this process?

There are two main reasons to adopt a control framework: customer growth/retention and risk mitigation (arguably the same reason). In response to this, your key stakeholders will be a mix of external and internal parties. The following are the main stakeholders that will be important to development of your program:

  • B2B customers who use your service – you will likely begin this process by looking at SLAs to determine your key commitments or reasons you are in business and then determining risks of achieving those objectives.
  • Governmental organizations that use your service – laws or regulations may be very specific on what you will need to adopt.
  • Company management, primarily those responsible for security, technology, customer experience and finance – these individuals will have the most insight into what risks the company faces, what current processes look like, and how best to mitigate deficiencies.
  • Company governance – the board of directors or owners will have ultimate responsibility for the security program.

Hopefully these points will help in your research. See below for a table comparing some of the more common control frameworks/rulesets. Feel free to reach out to Larson and Company with any questions!



Choosing between SOC 2 Reports and ISO/IEC 27001 Certification

When it comes to choosing between a SOC 2 report and ISO/IEC 27001 certification, there are advantages and disadvantages to each. Each organization needs to decide which fits its needs best. Some organizations find it helpful to have both.

SOC 2 is a report issued by a certified public accounting firm. The framework for the report is issued by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report covers one or more principles that can be attested to: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report is required to include Security but may include any other combination of these principles. SOC reports are not a certification; you cannot be SOC certified.

There are two different types of SOC 2 reports. Type 1 is an audit performed at a point in time, meaning that the requirements are met as of the date the company is audited. It does not mean the requirements were met in the past or will be met in the future. Type 2 is an audit in which testing is performed over a defined period. A SOC 2 Type 2 report can therefore be relied on to provide comfort that the audited company met the requirements of the chosen principles (Security, Availability, etc.) throughout that period. This provides significantly more assurance than a Type 1 report.

ISO/IEC 27002 is a security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is against this standard of requirements that organizations are certified to ISO/IEC 27001.

ISO/IEC 27001 is a certification best known for verifying that the requirements for an information security management system (ISMS) are met. According to ISO, “An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.” The standard is recognized internationally, and certification is granted at a point in time. This means that when the company is inspected, all of the requirements are met; it does not mean they were met in the past or will be met in the future. The certification can provide comfort to those relying on the inspected company that it met, at the time of its last inspection, the requirements to be ISO/IEC 27001 certified.

In summary, ISO/IEC 27001 is an internationally recognized certification of the information security management system at a point in time. A SOC 2 report is based on principles chosen by management and is more flexible: it can cover a point in time (Type 1) or a period of time (Type 2) and can cover multiple areas depending on organizational needs.


NIST AI Risk Management Framework Overlap with SOC 2

The National Institute of Standards and Technology (NIST) released its Artificial Intelligence Risk Management Framework (AI RMF) on July 26, 2024. This framework provides a voluntary roadmap for organizations seeking to identify, assess, and mitigate risks associated with AI systems while promoting responsible and trustworthy AI development. Simultaneously, organizations have been increasingly engaged in System and Organization Controls (SOC) reporting, particularly SOC 2, which evaluates controls related to security, availability, processing integrity, confidentiality, and privacy.

Both the AI RMF and SOC reporting serve to protect organizations and their stakeholders from technological and operational risks. While the AI RMF focuses specifically on managing risks related to AI systems, the SOC 2 framework provides a robust foundation for managing system controls more generally, covering many of the same core areas that are critical for AI, such as security, privacy, and governance. Organizations already familiar with SOC 2 can leverage their existing policies and procedures—such as those for risk assessment, governance, monitoring, and system development lifecycle (SDLC)—to effectively implement the AI RMF.

Organizations that already comply with SOC 2 will find they have a strong starting point for many of the requirements set out by the AI RMF.

Overview of the NIST AI RMF

  1. Govern: This function focuses on organizational policies and practices for AI risk management. It stresses the importance of establishing legal, regulatory, and operational frameworks, along with setting clear roles and responsibilities across the AI lifecycle. Organizations should develop robust governance frameworks for managing AI risks, with policies that address risk assessment, monitoring, and the system development lifecycle (SDLC). Policies developed as part of the SOC audit process, such as those for governance, risk assessment, and monitoring, will support the AI RMF’s Govern function.
  2. Manage: Managing AI risks involves taking concrete steps to address identified risks, mitigate potential harms, and adjust systems as they evolve. Organizations should develop continuous feedback loops, ensuring that AI systems are regularly evaluated for emerging risks and opportunities. As part of this, the SDLC should account for ongoing monitoring of system performance against trustworthiness benchmarks.
  3. Map: Mapping is about understanding the context in which AI systems operate, identifying stakeholders, and documenting risks related to the AI system. This function encourages organizations to assess the potential impacts of AI systems and understand how they fit into broader business goals. The SOC 2 framework already requires a structured approach to assessing risks, and this maps closely to the AI RMF’s guidance, which emphasizes continuous risk assessment throughout the AI lifecycle.
  4. Measure: The Measure function emphasizes evaluating the performance and trustworthiness of AI systems. Organizations are encouraged to track the system's effectiveness, accuracy, and compliance with defined standards over time. SDLC policies and processes will need to incorporate new assessments of system output. This includes developing specific metrics to determine system fit and function and evaluating whether the AI system meets trustworthiness standards such as fairness, transparency, and accountability.

Preparing for AI's Organizational Impact

Beyond technical changes, organizations will also need to revisit human resource and training practices as AI systems evolve. The rapid pace of AI development demands that HR policies ensure ongoing industry awareness and continuous learning. Training programs should focus not only on AI system operation but also on the ethical and regulatory aspects of AI, helping employees stay up to date with the latest advancements and risks.

In conclusion, while the NIST AI RMF introduces new frameworks for managing AI risks, organizations that already comply with SOC 2 will find alignment between the two systems. Leveraging existing SOC controls to implement the AI RMF can help organizations build trustworthy, secure, and accountable AI systems, ensuring they are better prepared for the risks associated with AI.

Sources:

AICPA Guide: (SOC 2) Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (Updated as of October 15, 2022)

NIST Resources, including:

NIST AI RMF Playbook

NIST AI RMF Roadmap

NIST Perspectives


For additional guidance, contact the Larson SOC Team to schedule a free 2-hour consultation to discuss your company's needs.


Frequently Asked Questions About Choosing the Right Security Framework

What is a Written Information Security Plan (WISP)? A WISP is a formal document that outlines how an organization identifies, assesses, and manages cybersecurity risks to protect sensitive data. It includes administrative, technical, and physical safeguards tailored to the business.

Who is required to have a WISP? Organizations that handle sensitive financial or personal data must have a WISP, including:

  • Tax professionals (required by IRS as part of PTIN renewal)
  • Financial institutions under GLBA and the FTC Safeguards Rule
  • Healthcare providers under HIPAA
  • Businesses operating in certain states such as Massachusetts and New York

What should a WISP include? A strong WISP typically includes:

  • Purpose and scope
  • Roles and responsibilities
  • Risk assessment process
  • Security policies (access control, encryption, data classification)
  • Employee training and awareness
  • Monitoring and auditing procedures
  • Incident response plan
  • Regular review and update schedule

How does a WISP relate to SOC 2 and ISO 27001? A WISP forms the foundation of an organization’s security program. It can align with:

  • SOC 2 reports issued under AICPA standards (Type 1 or Type 2)
  • ISO/IEC 27001 certification, which validates an Information Security Management System (ISMS)
  • NIST frameworks, including the AI Risk Management Framework

Organizations already compliant with SOC 2 often have a strong starting point for implementing other frameworks.

Can you combine multiple security frameworks? If pursuing formal certification or attestation, organizations must adhere to a specific framework. However, for internal risk management, companies may reference multiple frameworks where justified by risk assessments and business objectives.