Third Party Risk ManagementTPRM Tuesday

TPRM Tuesday #6: What are the key differences between SOC 2 and ISO 27001?

It’s Tuesday and it’s time for our TPRM Tuesday blog post. Today we will be covering key differences between SOC2 and ISO 27001. These questions have come up on multiple occasions. This explains why they are both required for due diligence and why an ISO 27001 certificate is not an alternative to SOC2.

What are the key differences between SOC 2 and ISO 27001?

🙏🏿institution Preferences
-US institutions prefer SOC2.
-EU institutions prefer ISO27001.

-SOC2 is an audit control within a specific “system”. Systems include the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve business objectives.
-ISO27001 is an audit of an organization’s information security management system (ISMS). An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving information security to meet business objectives.

-SOC2 results in an attestation report including an opinion on whether controls were designed and operating effectively. lt includes multiple sections describing control details and tests performed.
-ISO27001 results in a certification. A certificate will be issued by a Certification Body. An audit report will be provided to the auditee. This report is not provided to institutions and is only meant for the auditee.

🔎Audit Steps
-SOC2 does not define the process for completing an audit.
-ISO27001 defines the certification process. Initial certification requires a Stage 1 and Stage 2 audit to be completed. After Stage 2, assuming no major nonconformities, certification will be issued.

-SOC2 does not require a yearly audit, but institutions typically require a SOC2 Type 2 to be performed on an annual basis.
-ISO27001 requires surveillance audits to be performed in years 2 and 3 (not full system audits). Recertification (full ISMS audit) is required 3 years from the date of initial certification.

-Findings are noted in the SOC2 report regardless of severity. Corrective actions are documented in section 5. Depending on the severity, a qualified opinion might be issued.
-ISO27001 minor nonconformities are noted in the audit report, however, you will still be issued a certification with nonconformities. If a minor nonconformity is not corrected by the surveillance audit, it will automatically become a major nonconformity. Certifications cannot be granted until all major nonconformities are validated as corrected.

🧑🏽‍💼Internal Audit
-SOC2 does not require internal audits to be performed.
-ISO27001 requires organizations to perform annual internal audits covering their ISMS. Internal audits must be performed by individuals independent of the ISMS “operating managers”.

-SOC2 does not define required controls.
-ISO27001 defines required baseline controls in ISO27002.

-The AICPA governs the SOC2 standards and monitors CPA firms to ensure they are performing audits correctly.
-The ISO governs the ISO27001 standard. Certification Bodies perform certification audits using ISO27001 Lead Auditors. Certification Bodies must be accredited by Accreditation Bodies that are certified by the International Accreditation Forum.

We are glad to bring you these postings. Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program.