
The questions most often asked

Clients ask several questions. We will try to respond to some of them.

Which compliance program should I choose (ISO 27001 or SOC 2)?

The two compliance programs have different qualities. ISO 27001 is a British compliance framework and is very popular in Europe.

SOC 2 is an American compliance program and well known in North America. If your customers require your compliance program, do they indicate what standard your company must meet? If not, is the customer American or European? These are clues to make the right choice.

On the other hand, it should be mentioned that the SOC 2 standard will lead to a certification report (often more than 50 pages), while ISO 27001 will bring you a certificate (one page) that is valid for three years.

In a SOC 2 report, can I make links with other compliance standards (RGPD, NIST, HITRUST, and others)?

A SOC 2 report has at least four highly standardized sections (the opinion of the auditor, the assertion, the description, and the control section). The last part of the report is available to the client without the auditor giving an opinion. In this section, a client could make connections between controls in the SOC 2 report and others such as RGPD, NIST, and HITRUST.

Also, some compliance programs such as HITRUST or the CSA frameworks have agreements with the AICPA to integrate their compliance frameworks into the SOC 2 report.

Why does my company have to comply if all my infrastructure is in the cloud?

An organization is always responsible for its data, even if it is hosted entirely in the cloud. A host (e.g., AWS or Azure) will never be responsible for the client's data. Also, a compliance program is not limited to hosting infrastructure.

**NEW** Is there a specific compliance framework for GDPR?

Yes, since August 2019, ISO 27701 has been published to address all GDPR compliance issues. If your organization complies with ISO 27001, you need to complete clauses 5 to 8 of the ISO 27701 framework. You need an Information Security Management System (ISMS) to comply with ISO 27001, whereas you need a Privacy Information Management System (PIMS) to comply with ISO 27701.

Do I have to comply with all ISO 27001 objectives?

In principle, the answer is yes. On the other hand, if an organization, because of its business reality, does not have to apply a specific objective, this objective will be excluded from the scope of the audit.

However, the reason for the exclusion will have to be documented. Also, the organization will have to precisely define the scope of the audit; for example, certain subsidiaries or services could be excluded from the scope of the examination. The scope of the audit should be well defined at the beginning of the compliance process.

My organization works in French. A SOC 2 report is required. Does the documentation have to be prepared in English?

The SOC 2 report will be written in English. On the other hand, the organization will be able to document its policies, procedures, or guides in the language of its choice.

It may be relevant for some documents to be written in both English and the language used by the organization, because some national or international customers may ask to see them (e.g., the security policy).

What is the difference between a Type 1 and Type 2 SOC 2 report?

The first report an organization will make will be a Type 1 report, which means it will be issued for a specific date. The auditor will not do any tests to ensure that the controls have worked properly.

Following the issuance of a first Type 1 report, a Type 2 report is issued for a period of six months or more. The auditor will perform tests on samples and will provide an opinion indicating whether the controls are appropriately designed and whether they operated effectively during the audit period.

For a SOC 2 report, what do the criteria and principles mean?

SOC 2 was developed by AICPA (USA). In 2017, AICPA introduced the new version of the standard (SSAE 18) with a strong influence from the COSO internal control framework.

The five principles relate to the different types of reports a client may request:

  • Security (33 criteria) - mandatory common criteria
  • Confidentiality (2 additional criteria)
  • Availability (3 additional criteria)
  • Processing Integrity (5 additional criteria)
  • Privacy (18 additional criteria)

The word criterion means the control objectives that the customer will have to meet to obtain certification. For each criterion, the client will implement several custom controls. Finally, the Security principle is mandatory, but the client can include the other four principles at its discretion.

My company is Canadian, does the GDPR affect me?

If you host or process the personal information of European citizens, yes, the regulation applies fully. However, the level of risk to the business must be appropriately assessed.

If a Canadian company has only a few European employees, the level of risk is not high enough to invest large sums of money on this issue. The Canadian companies most affected by the GDPR remain those that act as subcontractors for large international companies and that exchange the private data of European citizens with those companies.

In this case, the Canadian company becomes a "data processor" and works collegially with the large company that is the "data controller."

If my company complies with ISO 27001, does my company comply with the RGPD regulation?

Many people in Europe believe this myth; in fact, it is quite false. The GDPR explicitly targets personal data, whereas ISO 27001 is primarily about the security of an information system (ISMS). That said, some of ISO 27001's control objectives are related to the GDPR (e.g., security policy, security incident response, monitoring, encryption).

ISO 27001 is still a good working base, and by adding several additional measures or controls to ISO 27001, a company can effectively comply with the GDPR.

In August 2019, the new ISO 27701 framework was published regarding privacy issues. This extension to ISO 27001 and ISO 27002 for privacy information management ensures that all types of organizations will find a specific compliance framework for the GDPR. ISO 27701 is one of the first compliance frameworks that addresses the GDPR regulation.

Q&A compliance - SOC 2 report