In case you are following my previous posts (link 1, link 2), you must be aware that I have been reading and posting a lot of thoughts on different ISO frameworks. But reading about these frameworks reminds me of a quote by Socrates – The more I know, the more I realize I know nothing.
After 4 months of trial, error, and reading, I think I know a reasonable amount of information and differences to hold a meaningful conversation about these frameworks.
Following are some of my key thoughts that have helped me understand the difference between the frameworks/concepts mentioned in the heading.
First things first, please be clear that ISO 27001 is a certification and SOC is not. Again, ISO 27001 is a certification. SOC is not. This is one of the most crucial differences you should know when starting to learn about these concepts.
When you say you are ISO 27001 certified, it means an external certification body like BSI has certified you. Remember, ISO doesn't certify anyone, therefore you can't say you are certified by ISO. You are certified in a particular standard, therefore you should state that you are certified in ISO 27001 by BSI.
Why get certified?
Now you ask, I already have all the security controls required in place, then why should I take the extra efforts of getting myself certified by an external body?
Because certification can be a useful tool to add credibility, by demonstrating that your product or service meets the expectations of your customers. For some industries, certification is a legal or contractual requirement[1].
But what does it really mean to say my company is certified in ISO 27001?
This means that an external body assessed you against the 114 controls in 14 clauses mentioned in the ISO 27001 standard and found you to be compliant with all those controls.
Confused? Okay. Again.
ISO, which is an organization that creates standards, created ISO 27001 for ISMS (information security management systems). Some certification body (think BSI) came to your premises, asked you which controls you have in place and, on the basis of your responses and evidence, either certified you or recommended how to comply with the controls you were missing.
Once you are done with the entire certification process, they will give you a certificate (yes, an actual certificate that you can frame) that you have all the security controls per the ISO 27001 standard.
All right. But what is SOC?
First things first, SOC is an acronym for System & Organization Controls.
SOC is basically a compliance report issued by a third party that assesses you against the AICPA's trust services criteria. Think of AICPA as just another organization like ISO, and the trust services criteria as the equivalent of the clauses in the ISO 27001 standard.
But do they overlap?
Oh, they surely do. So much so that AICPA has published a mapping that lets you tick off SOC trust services criteria you already satisfy through your ISO 27001 controls.
But what’s SOC 1, SOC 2, SOC 3?
To understand these reports, remember the following:
SOC 1 – reports on a service organization's internal controls over financial reporting (ICFR), i.e. controls relevant to a customer's financial statements
SOC 2 – reports on controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
SOC 3 – some organizations do not want to disclose the entire SOC 2 report, which lists all the security controls, so a SOC 3 report is issued instead. Consider this a public summary of the overall SOC 2 report.
Now what is Type 1 vs Type 2?
Firstly, Type 1 and Type 2 are applicable only to SOC 1 and SOC 2 reports, so there are only 4 combinations – SOC 1 Type 1, SOC 1 Type 2, SOC 2 Type 1, & SOC 2 Type 2.
A Type 1 audit means that the design of the controls was assessed at a particular point in time, and operating evidence may or may not be asked for. A Type 2 audit means that the controls were assessed over a period of time (typically 6 months) and evidence that each control operated throughout that period is collected.
To conclude, SOC 2 Type 2 is considered the most robust report for a service organization to use as proof that all (or the majority) of its security controls have been working over a period of time.