Standards come in a variety of forms. Some standards help you comply with requirements. Some standards help you prove your compliance to others. SOC 2 and ISO 27001 complement each other by giving you a strategy for securing your information landscape and proving the security of your environment. Creating a business strategy that helps propel your company forward requires understanding how ISO 27001 compliance can enable successful SOC 2 reports.
What is ISO 27001 compliance?
Designed by the International Standards Organization (ISO), ISO 27001 established industry requirements for an information security management system (ISMS). ISO 27001 primarily focuses on preserving the confidentiality, integrity, and availability of information as part of the risk management process. Since ISO 27001 lists a series of controls in Annex A, it creates a flexible approach to security. These extended control sets offer management the option to avoid, transfer, or accept risks rather than mitigate them through controls.
What is an ISMS?
An organization’s ISMS should discuss data, technology, and employee behavior. For example, employee security awareness and password protection awareness should be part of the overarching data protection corporate culture.
While ISO/IEC 27001 specifies creating an ISMS, it only offers suggestions for actions rather than requiring specific activities. Some of these ideas include internal audits, continual monitoring, and corrective or preventive measures.
What is a SOC 2 report?
A Service Organization Control report, or SOC report, comes in three flavors. Your organization can use these reports to review potential third-party service providers, and your customers can use them to review your company’s information security as part of their vendor management programs. While SOC 1 reports are traditionally used to prove controls over financial reporting, SOC 2 incorporates the Trust Services Criteria (TSC) for general IT controls. These reports help assure your upstream and downstream customers that you can protect their data.
SOC 2 reports can be either a Type I or Type II report. A Type I report focuses on management’s description of the company’s controls and their effectiveness at a point in time. The auditor then prepares the report based on this description in conjunction with their professional opinion.
A Type II report, however, invokes the American Institute of Certified Public Accountants (AICPA) attestation requirements. Rather than a single moment in time, Type II reviews a period of time. Management must incorporate documentation proving the effectiveness of its controls throughout the audit period.
The primary difference between these two types of SOC 2 reports is that one shows the effectiveness of controls on a single day while the other shows that the controls protect information over a period of time. The longer-term assurance gives customers additional information when they need to determine your ability to protect their data. However, this also means that the process takes longer and costs more.
How does ISO 27001 compliance enable a successful SOC 2 report?
As part of the SOC reporting process, your company needs to be able to show that it meets the documentation requirements established by the AICPA. Until May 2017, the AICPA focused on the Statement on Standards for Attestation Engagements (SSAE) 16 requirement. However, the current attestation requirement SSAE 18 made a few adjustments to the documentation required to prove controls.
The SSAE 18 attestation requires a review of your vendors as well as your own controls. This is where your ISMS helps: it protects your organization’s own data while also covering the vendors that handle it. The ISO 27001 risk assessment process requires you to focus on vendor risk as well as your own. Therefore, using an ISO 27001 ISMS as the foundation for your security management means that you are already engaging in many of the activities necessary for a successful SOC 2 audit under the SSAE 18 attestation.
What ISO 27001 says about vendor management
Part of the vendor management process under ISO 27001 is ensuring that you establish an appropriate service level agreement (SLA) protecting all data within your ecosystem. These clauses help you ensure that not only your data but also your customer data is safe.
Next, you need to ensure your vendors maintain safe data environments as promised in the SLAs. This requires you to continuously monitor your vendors’ activities. In many ways, you’re auditing your vendors to make sure that they live up to the promises they make.
The most important aspect of any vendor relationship, however, lies in your control over your own information. Despite contracts and monitoring, your company needs to establish access controls and monitor those as part of your daily operations. Vendors should have the least amount of access to your data environment that they need to successfully do their jobs.
How ISO 27001 and SOC 2 work together
ISO 27001 focuses on your control over your data and your vendors. Just as you use SOC 2 reports to review your vendors, so do your clients review your compliance through the SOC 2 reports that you provide them. ISO 27001 offers risk-based guidance that enables data protection. By focusing on the assets specific to your company, you can choose the controls that best manage your information landscape. Similarly, ISO 27001 establishes a roadmap that can help your auditor meet the SSAE 18 attestation requirements.
All of this ongoing tracking and monitoring for audits generates a seemingly unending stream of documentation that can feel like a tornado and an avalanche combined.
How ZenGRC eases the burden of ISO 27001 and SOC 2 documentation
As SOC 2 documentation becomes more complex with more service providers and subservice providers to manage, organizing the information in a single location becomes more important. When your auditor comes to validate the work you’ve completed in your ISO audit software, they will consider management’s oversight of third-party service providers as well as its own controls. This oversight revolves mostly around documentation and its review. Proving this to auditors means having a system of record to show the whos, whens, and hows of review.
With this in mind, automation provides not only a repository for that documentation but also a way to create the documentation. With records of task assignments and completions, ZenGRC automation gives you a single source of truth for the oversight needed to meet SSAE 18 attestation requirements.
In an ever-evolving security and audit environment, managing your own data landscape involves ensuring that your vendors also manage theirs. To prove ongoing monitoring and compliance, the cyclic use of ISO 27001 and SOC 2 documentation allows you to create a safer data ecosystem. Managing the documentation and responsibilities needed to meet these new standards means finding ways to organize information.
For more information about the importance of vendor management, watch our webinar “Follow the Data: 9 Strategies to Making 3rd Party Risk Less Opaque.”