Compare InfoSec Assurance Standards

Which standard is best for you?

There's many many standards out there. Some apply to specific regions, industries, or based on the scope of your services and customers. There's three main general purpose InfoSec standards for broad end-user purposes; SOC 1, SOC 2 and ISO 27001. Unless your customers have mandated one, we usually recommend SOC 2. We explain why in our SOC 2: Solving InfoSec in One Standard post.

Compare standards

 SOC 1 


Service Organisation Control 1 (SOC 1) is the term for the initial controls reporting standards for financial reporting objectives. It verifies the systems are managed effectively to support the security and integrity of the underlying data.

SOC 1 benefits from a long history of use in financial services and is well suited to services that have business process objectives beyond the core focus on technology and security. 

 SOC 2 


Service Organisation Control 2 (SOC 2) defines a framework and criteria to manage and report on modern technology risks and control practices. The core criteria covers Security, with optional criteria for Availability, Confidentiality, Processing Integrity and Privacy.

SOC 2 combines the increased assurance of “operating effectiveness” from the SOC standards, with the refined cybersecurity focus like the ISO 27001 standard - 'the best of both worlds'.

 ISO 27001 


ISO 27001 is a standard for designing and implementing an Information Security Management System (ISMS). The optional certification process confirms your conformance. There’s a set of mandatory requirements and an appendix of 114 prescribed control activities.

ISO 27001 is broadly used around the world and is widely recognised and supported. It’s the de-facto “best practice” approach to managing information security in an organisation.


Standard:  SOC 1   SOC 2   ISO 27001 
Deliverable: Attestation Report Attestation Report Certificate
Assurance: Design + Operating Effectiveness Design + Operating Effectiveness Design + Implementation
Applicability: International  International International
Industries: Financial Services All All
Nature: Control Objectives Trust Services Criteria Mandatory Req's
Issuer Qualification: Qualified Accountant (country-specific) Certified Public Accountant (AICPA) Accredited Certification Body
Implementation Cost: $ $ $$$
Audit Cost: $$ $$$ $$