Comparing SOC 2 and ISO 27001 in practice

The two most common globally recognised, cross-industry information security standards are SOC 2 and ISO 27001. Despite roughly 80% overlap in what they cover, they differ significantly in practice.


There are many different compliance standards out there. Our CXO Guide to Security and Compliance has a table of the various global standards that commonly apply to software companies. We'll compare the two main entry-level standards below. Post-Covid, we've seen a huge increase in multi-standard compliance. It's common to start with one of the two standards below, but increasingly important to consider a future roadmap of where additional standards may be needed.

SOC 2 vs. ISO 27001

SOC 2 and ISO 27001 are the two most common global information security standards, each rising from a family of standards that dates back decades. Most large enterprises will recognise either standard interchangeably. There's about 80% overlap between the two standards in the information security practices they cover. That said, there are some quite significant differences in how they work in practice.

The customer view

If your goal is enterprise sales or ticking the box on a customer requirement, then it's important to consider the preferred standard(s) of your customers. Regulated industries like finance and healthcare tend to prefer the SOC family of standards. Less regulated customers and government agencies (in Australia) generally prefer the ISO family of standards.


SOC 2 is more prevalent in the US. ISO 27001 is more prevalent in Europe. Most companies start with one of the two standards, but it's pretty common to cover both in order to cover all bases and reduce the friction for customers that have a preference one way or the other.

Guido Santo, VP Cybersecurity, Rokt, explains: "We were already ISO 27001 certified, but SOC 2 was an important step in further maturing Rokt's compliance program. Most of our business is conducted in the U.S. market and clients there typically want to see SOC 2 reports. We wanted to avoid potential sales blockers."

The business perspective

The SOC 2 standard is more flexible, more operationally focused, and sets a less stringent minimum bar. That makes it appealing to cloud software companies in particular, which often want to minimise the burden on their teams with less documentation and less administrative overhead. ISO 27001, in contrast, can take out some of the guesswork. It's a more prescriptive standard with a mature market of consulting providers, templates and guidance, so it can be easier to just follow the script. It would be remiss not to mention that ISO 27001 audits are often cited as extremely painful. The greater focus on face-to-face audit work, and carving out large chunks of time for the audits, can cause more business disruption and is really tiring for everyone involved (including our team!).

Brad Shaw, CEO, Livepro, explains: "Taking things in bite-sized chunks enables you to action things within the business as you go, rather than having a big bang approach. It allowed me to continue to run the business while also using the SOC 2 process to identify better practice management processes. Lots was achieved without the stress of deadlines."

The deliverables

ISO 27001 is a certification, where you receive a one-page certificate to share with customers. If it's an accredited certification (issued by an accredited certification body), it's also reflected in an online register that customers can search. In some cases, you might also share your Statement of Applicability (SoA), which details which controls you have implemented.


SOC 2 is an attestation report, which is often confused with a certification. It's a detailed report that gives an overview of your company, your services, and the scope of your "system": the infrastructure, software, data, people and processes that support the service(s) being reported on. It also includes your control activities mapped to the criteria, and important elements of what is out of scope: the reliance on critical third parties, and where end users have important responsibilities, such as managing their own access to your software.

The TL;DR: a SOC 2 report gives end users more detail, which is favoured in due diligence because it covers more of what they want to know.

The cost

It can be challenging to compare the costs of SOC 2 and ISO 27001, as they are not like-for-like. They also vary significantly between countries and providers. ISO 27001 runs on a three-year certification cycle. The costs are larger in year 1 for initial certification, and lower in years 2 and 3 when you conduct surveillance audits.


SOC 2 is not defined by a certification period, so you can choose when to issue the reports. The industry standard is a Type 1 report in year 1, followed by a Type 2 report either later in year 1 or in year 2, and then usually every 12 months thereafter as an annual recurring report.

SOC 2 audits tend to cost more than ISO 27001 audits, at least when factoring in the three-year timeframe. However, it's important to also consider that ISO 27001 tends to rely on consulting support to help you implement it and conduct the required internal audits. That means that, with all pieces factored in, the overall cost of ISO 27001 can be higher.

Looking forward

The compliance landscape is rapidly evolving, and multi-standard compliance is becoming the norm. It's increasingly important for companies to plan ahead, considering the geographies, industries and future expectations that will shape their compliance requirements.


When it comes to SOC 2 vs. ISO 27001, the SOC 2 standard is more flexible, which allows it to fit well with other standards. It's become common to see SOC 2 combined with HIPAA, GDPR, Californian Privacy, Consumer Data Right, CSA STAR, or other standards and regulations that may also be required.


SOC 2 also has the additional Trust Services Criteria categories of Availability, Confidentiality, Processing Integrity and Privacy. Enterprise customers often place a lot of focus on the Availability (reliability) element, and Privacy is a rapidly emerging area of concern as well. ISO 27001 links well with other ISO standards, like ISO 27701 to cover Privacy, but not as well with standards outside the ISO family.

The bottom line

Both SOC 2 and ISO 27001 are great globally recognised, cross-industry standards that build an effective compliance foundation. Based on the differences above, many companies do both, and there are synergies and additional benefits in doing so. If you do prefer to choose one, it's important to consider your customers' preference, what works best for your team, and how it fits with your future plans.
