Managing the move from ISO 27001 certification to SOC 2 completion
It’s a story that is becoming more and more common.
You’ve been through the process of getting ISO 27001 certified - which takes a lot of work, educating yourself on the requirements, preparing the documentation, and implementing and operating the program. It’s a significant accomplishment, and you have satisfied the compliance needs of your European customers. Still, as you look to expand into the United States, you start hearing questions about a different acronym from those prospects - where is your SOC 2 report?
Likely, you can share your ISO 27001 certification, perhaps explain to them what it means, and that probably gets you past the initial security review, but the new friction has motivated you to start exploring the SOC 2 process.
If that sounds like the situation - you have come to the right place. And if you do this right - most of the work you need to complete your SOC 2 report is already complete.
What is a SOC 2 report?
Service Organization Control Type 2, or “SOC 2,” is a reporting and audit framework designed by the American Institute of Certified Public Accountants (AICPA). It helps companies define and communicate how they manage, process, and store customer data in a written report that is validated by an independent third party and must meet specific requirements and quality control standards.
The critical aspect of SOC 2 to understand is that it is a reporting framework (rather than a compliance framework), which means there is guidance for controls but no prescriptive list of standards or requirements. Instead, the AICPA has provided the Trust Services Criteria (TSC), which describe a set of outcomes a system should meet to achieve its business objectives. For example, the first criterion in the TSC (CC1.1) is “the entity demonstrates a commitment to integrity and ethical values.” The entity is expected to identify controls that meet that objective, which can be achieved by establishing standards of conduct, evaluating performance against those standards, and setting a tone at the top that supports the functioning of internal controls.
As a reporting framework, SOC 2 is not a measurement of the maturity of your organization or its security posture. There are no minimum requirements. The expectation is that your controls meet what you’ve defined as your “service commitments and system requirements.” In reality, you’re establishing a benchmark that shows your security program is consistent with the promises you’ve made internally and externally. It holds you accountable and provides a third-party opinion validating that you’re doing the things you communicate to customers in contracts and marketing documents.
Because of the lack of fixed requirements, each SOC 2 report can look different from company to company, since every company’s security needs and resources are different. One reason for the framework’s popularity is this flexibility, which can make the process feel more approachable than other compliance frameworks.
You complete your report by identifying your business objectives, aligning the controls you have to meet those objectives with the TSC, and summarizing the information in a narrative describing the processes and systems involved in securing customer information. The report is then evaluated by the auditor against the TSC, and the related controls are subject to auditing procedures.
How is a SOC 2 report different from an ISO 27001 certification?
ISO 27001 establishes standards for implementing an information security management system (ISMS) and is overseen by the International Organization for Standardization (ISO). Conformity with the standard means your business has established a system to manage security risks, and certification allows you to demonstrate a commitment to managing information securely and safely. So, where the framework for a SOC 2 report provides complete flexibility, ISO 27001 is different: your systems for risk management are required to meet a specific set of standards.
That difference between a reporting framework and a control framework is critical to understand if you’re ISO compliant because it should take the pressure off when you start looking at completing your SOC 2 report. The foundations of ISO - risk assessment, documented policies, and a systematic approach to making security decisions - transfer directly to your SOC 2 report. For that reason, one of the biggest hurdles to completing your SOC 2 report (lack of specific requirements) is overcome entirely by ISO, which is why it’s generally the best place to start if you know you will do both when you create a compliance program.
High-level differences between a SOC 2 report and ISO 27001 certification
Does moving from ISO to SOC 2 require new controls? Am I starting over?
Emphatically, no. Each has different focus areas, reporting, and auditor guidelines, but they share a focus on how you address information security, your approach to mitigating information security risks, and ensuring you have controls in place to maintain information security. The primary goal of both is to prove to your customers that security is your top priority. The hard work you put into your ISO 27001 certification truly gives you a head start in completing your SOC 2 attestation.
If you’ve gone through the process as designed and are working with qualified auditors, the work you need to do should be limited to evaluating controls against the TSC and preparing a system description. However, the SOC 2 framework offers different areas of emphasis, and it would be a mistake to jump right into a SOC 2 engagement without evaluating how well your organization handles those differences (and how well they are documented). But with strong people and tools supporting you, the process can be relatively simple.
Your ISO 27001 auditor will likely be different from your SOC 2 auditor, so much of the work in moving from ISO 27001 certification to SOC 2 completion will be organizing information in a way that best supports the different framework. Auditors have varying processes and opinions, so it’s best to engage an auditor early in the planning process and use them as a sounding board while you review your SOC 2 readiness.
How do I leverage my ISO work and prepare for SOC 2?
If it still sounds overwhelming or a bit confusing, here’s an example of the overlap between the two frameworks and how you can leverage the work you’ve already completed for your ISO 27001 certification.
ISO 27001 Requirement 5.3 focuses on defining and maintaining clear organizational roles, responsibilities, and authorities.
SOC 2 Common Criteria (CC) 1.3 states that management should establish structures, reporting lines, and appropriate authorities and responsibilities to achieve the organization’s objectives, under the oversight of the board.
Both aim to lay out the structure of an organization, the responsibilities of each role, and the certainty that individuals have the appropriate authority to make decisions. The organizational chart, job descriptions, and policy documents you created to comply with ISO Requirement 5.3 will also be the controls you use to satisfy CC1.3 in your SOC 2 report.
The key challenge in this process is identifying the bridge between each ISO requirement and the TSC, and there can be significant judgment involved. It’s important to be specific and clear about which controls satisfy each criterion, and to ensure the supporting documentation is available in a format your auditor will understand and accept.
Can Secfix help with the transition?
Secfix began by simplifying the lives of small and medium-sized businesses by enabling them to become secure and ISO 27001 compliant. They built software to help automate security and compliance for these businesses. As Secfix has grown, so have their offerings, and their compliance management platform also supports the SOC 2 reporting framework. Who better to help you transition from ISO 27001 to SOC 2 attestation than the company that built the back-end platform to do precisely that?
This blog was co-authored by MJD Advisors and Secfix!