top of page

SOC 2 and ISO 27001 - Which compliance standard to choose?

Small businesses in Quebec that do business with large Canadian, U.S. or European companies are increasingly required to comply with SOC 2 or ISO 27001 compliance frameworks. Sometimes in contracts, the choice is left to the small business.

When the large international client company leaves the choice to the small organization, the company is, for the most part, perplexed and indecisive. What standard should our company have to be preferred?

At this stage, often, a company will seek outside advice to make the best choice. First, it is essential to define these two compliance standards at a very high level.

SOC 2 is an American standard supported by the American Institute of Certified Public Accountants (AICPA). When a company meets the SOC 2 standard, it will obtain a report audited by Chartered Professional Accountants (CPA). This report will be comprehensive and will describe all the company's IT practices and controls. Yearly, a company must have its SOC 2 compliance report audited. This standard is not a controls framework; we could define it more as a methodology. For a small business, an SOC 2 report often exceeds 60 pages.

ISO 27001 is an IT controls framework that is supported by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An ISO accredited auditor will be able to ensure that the company complies with the ISO 27001 framework. Following the annual audit, a certificate (one page) will be issued for three years. The ISO auditor will do a full audit in the first year and a partial audit for the following two years.

What are the advantages of one standard over the other?

 

SOC 2

  1. Highly recognized compliance methodology in America. In progress in Europe.

  2. SOC 2 is the aggregator par excellence. All control frameworks can be used to meet SOC 2, including ISO 27001.

  3. Companies that require the compliance report know precisely what the scope of the audit and the results for each control measure is.

  4. The audit is more comprehensive and rigorous than for ISO 27001.

  5. SOC 2 may cover privacy controls as appropriate.

  6. The report is signed by a leading and well-known accounting firm.

  7. It is easier to find an accounting firm to sign a SOC 2 report than an ISO auditor that will sign the certificate.

 

ISO 27001

  1. Complete and recognized controls framework (14 categories and 114 IT controls).

  2. Better recognized in Europe than in America. In progress in America.

  3. The ISO 27001 audit is less tedious than the SOC 2 audit.

  4. Only one full audit every three years.

  5. ISO 27001, paired with ISO 27701, covers privacy controls as required.

  6. The professional fees of the annual audit ISO 27001 are significantly less than for a SOC 2 audit.

 

In my practice, clients often ask me which compliance standard is best, and what should be their choice? Here are the types of answers I ask them:

  1. Whatever the decision, the effort required by the company's employees will be quite similar.

  2. If the company does business with an external consultant to accompany them, whatever the choice, the effort will also be quite similar to the external consultant.

  3. The client must carefully check his contract and the clause requiring a certification report. Does it have the choice, or a specific standard is needed?

  4. What is the client's objective? Responding to a one-time request and freeing yourself from a burden or taking advantage of it to improve the IT processes of your organization?

  5. Is audit professional fees are the main argument that will guide their decisions?

  6. Does the client want to demonstrate, textually, to their customers and future customers that they have a set of IT processes and controls in place?

These questions allow different clients to fully understand the issues and make the right choice for their business. Generally, if for the customer the professional fees of the audit are the main argument, it will always select the ISO 27001. If, on the other hand, the professional fees of the audit are a sensitive argument, but the main argument is the quality of the information conveyed, the customer will, most of the time, select the SOC 2 report.

Sometimes the customer will want both types of compliance. In this case, the simplest solution is to use the ISO 27001 control framework as the source of controls that will allow obtaining the SOC 2 report. ISO 27001 controls will be used to meet the various SOC 2 criteria.

For example, to meet the "Security" principle of SOC 2, thirty-three criteria must be met. To comply with these 33 criteria, the 114 ISO 27001 control measures will be used.

*     Service Organization Control (SOC 2)

Come back to the discussion page...

bottom of page