Soc 2 attestation or ISO 27001 certification - Which is better for organization - PowerPoint PPT Presentation

About This Presentation

Title: Soc 2 attestation or ISO 27001 certification - Which is better for organization

Description: Organizations struggle with the decision between selecting the SOC 2 attestation or ISO 27001 Certification. It is important to understand which audit is required & suitable for your organization.

Number of Views: 86
Slides: 12
Provided by: vistainfosec
Category: Other

Transcript and Presenter's Notes

Title: Soc 2 attestation or ISO 27001 certification - Which is better for organization


1
DATE- 29.06.2020
SOC2 Attestation or ISO27001 Certification
Which is applicable to your organization?
01.
2
Introduction
02.
  • Organizations struggle with the decision between
    selecting the SOC 2 attestation or ISO 27001
    Certification.
  • Both audits provide a competitive advantage in
    today's information security landscape.
  • It is important to understand which audit is
    required and suitable for your organization.
  • It is essential to understand which audit can be
    utilized to gain advantages over the market
    competition and achieve compliance with a
    regulatory requirement.
  • We have drawn out a comparative study between the
    SOC 2 examination and ISO 27001 certification for
    an organization's better understanding.

3
03.
Explaining SOC2 Audit Report
  • A SOC 2 audit evaluates the internal controls,
    policies, and procedures relating to the AICPA's
    Trust Services Criteria.
  • It focuses on a service organization's internal
    controls pertaining to the Security, Availability,
    Processing Integrity, Confidentiality, and
    Privacy of a system/process.
  • It is a powerful market differentiator that can
    help companies gain a competitive edge over
    others in their industry.

4
04.
Explaining ISO27001 Certification
  • It is an internationally accepted information
    security standard for governing an organization's
    Information Security Management System (ISMS).
  • It is a framework of policies and procedures that
    preserves the confidentiality, integrity, and
    availability of an organization's information by
    applying the risk management process.
  • The standard regulates how organizations
    effectively run an ISMS through policies and
    procedures and associated legal, physical, and
    technical controls.
  • An organization needs to integrate the ISMS with
    the company's operational processes and overall
    management structure.

5
05.
Similarities between ISO27001 Certification and
SOC2 Report
  • Addresses Information Security
  • Implementation of Policy and Procedure
  • Assessors for Audit
  • Demonstrates Management Commitment
  • International Applicability
  • Management Roles & Responsibility
6
06.
Differences between ISO27001 Certification &
SOC2 Report
Focus
  SOC2 Attestation: The focus is to measure and
    validate the capabilities of the service
    organization's control system against Security
    Principles & Criteria.
  ISO27001 Certification: The main focus is to
    establish, implement, maintain, and improve an
    ISMS.
Scope & Applicability
  SOC2 Attestation: The scope depends on the
    organization's service controls, which are based
    on the 5 Trust Service Principles.
  ISO27001 Certification: The scope and
    applicability of the ISO 27001 certificate can
    be defined based on an organization's objectives
    and priorities.
Purpose
  SOC2 Attestation: Facilitates service organization
    management in reporting to their customers that
    they have met established security criteria that
    ensure systems are protected against unauthorized
    access.
  ISO27001 Certification: Helps organizations
    establish and achieve certification stating that
    the company meets specified requirements and is
    thus certified as best practice.
Certification/Attestation
  SOC2 Attestation: SOC2 reporting is not a
    certification but an attestation.
  ISO27001 Certification: ISO27001 is a
    certification.
7
07.
Differences between ISO27001 Certification &
SOC2 Report
Deliverables
  SOC2 Attestation: An attestation report which
    includes an opinion letter, an assertion letter,
    a system description containing an extensive
    narrative on the five key components of the
    organization's system under review,
    organizational procedures, and finally the
    applicable trust services criteria, related
    control activities, and the testing performed by
    the auditor and the related test results.
  ISO27001 Certification: The deliverable for ISO
    27001 is a certificate which includes
    information on the ISMS scope, in-scope
    locations, the standard certified against, the
    date the certificate was issued and its date of
    expiration, etc.
Certifying Authority
  SOC2 Attestation: Only a licensed CPA firm can
    conduct the SOC2 audit and provide an
    attestation for the same.
  ISO27001 Certification: Only a recognized
    ISO27001 accredited registrar can certify an
    organization for ISO27001.
Organization Applicability
  SOC2 Attestation: SOC2 compliance applies only to
    service organizations that store, process, and
    transmit customer data.
  ISO27001 Certification: The standard applies to
    any organization and industry vertical that
    wishes to strengthen and secure its information
    security systems.
8
Differences between ISO27001 Certification &
SOC2 Report
Market Applicability
  SOC2 Attestation: The SOC 2 attestation is a
    recognized standard in the United States,
    created and governed by the AICPA.
  ISO27001 Certification: ISO 27001 is an
    international standard accepted globally.
Time Frame
  SOC2 Attestation: It typically takes 12-18 months
    to complete the entire process from start to
    finish for SOC 2 Type 1 & Type 2 attestation.
  ISO27001 Certification: ISO27001 usually takes
    12-18 months to complete, depending on the
    additional processes and documentation required
    to put an operating ISMS in place.
Validity
  SOC2 Attestation: SOC2 attestation is valid only
    for 1 year and needs an annual audit.
  ISO27001 Certification: ISO27001 certification is
    valid for 3 years, with basic compliance audits
    conducted in the 2nd and 3rd year.
9
09.
  • Which market does your organization plan to
    target?
  • What assessments are customers requesting?
  • What assessments are your competitors undergoing?

10
Conclusion
10.
  • Both ISO27001 & SOC2 are excellent compliance
    efforts for organizations to demonstrate the
    operating effectiveness of their internal
    controls and their compliance with regulatory
    requirements.
  • Considering the key decision factors may help
    your organization determine the appropriate
    assessment.
  • Looking at the wider coverage, if your
    organization is going ahead with SOC2, then you
    will by default meet the requirements of the ISO
    27001 certificate.

11
Thank You
Get In Touch (W) https://www.vistainfosec.com/
(E-mail) info@vistainfosec.com