Top 6 Misconceptions About ISO 27001 and SOC 2 | Expert Series

August 10, 2023 · 5 min read · Expert Series, Auditor, ISO27001, SOC 2
Compliance is a common source of confusion among CTOs. That’s especially true in the area of identity and access management (IAM), where some compliance management vendors are guilty of overcomplicating what’s required while at the same time delivering oversimplified templates — and this can create misconceptions. But the fact is, you can achieve compliance with greater flexibility than you may think.

To help illuminate this subject, we sat down with Danny Manimbo, Principal / ISO Practice Director at IT audit specialist Schellman, to run through some common misconceptions about ISO 27001 and SOC 2.

ISO and SOC: What’s the difference?

To start, it may help to clarify the difference between the two frameworks. Both require a risk assessment. But SOC 2 compliance is assessed via an attestation report, wherein a certified public accountant (CPA) provides an opinion on whether a firm is achieving the service commitments they’ve made to their user base (specifically, commitments related to applicable SOC 2 trust services criteria). ISO 27001, on the other hand, is a certification process during which a third-party certification body assesses whether an organization’s information security management system (ISMS) meets the requirements of the ISO standard. As such, ISO is more process driven.

What are the most important misconceptions about ISO 27001 and SOC 2?

1. ISO 27001 is more secure than SOC 2

This perception may be rooted in some organizations’ preferences, based on their geography and the markets they serve.

“Folks are more used to seeing SOC 2 in the United States, but internationally they are more used to seeing ISO 27001,” says Danny.

However, those worlds are starting to blend now that you have a lot more organizations working internationally.

In fact, both SOC 2 and ISO 27001 can be beneficial. So organizations really need to consider where the majority of their customers and prospects are located, understand what the competition is doing, and base their decision (SOC or ISO) on these market goals, while also considering internal resourcing and timing.

2. Once you achieve compliance, you’re done

ISO certification lasts for three years, but there’s no letup for organizations during this time.

“We don’t just wave goodbye and come back in three years,” says Danny.

There are surveillance reviews in years two and three to make sure the organization’s ISMS continues to function in accordance with the requirements of the ISO 27001 standard, and core activities like risk assessment and internal audit are still occurring. And we want to check that any changes in the system have been incorporated.

While there is no set rule about the minimum frequency of SOC examinations or when they “expire,” organizations typically have these examinations performed on an annual basis to demonstrate that their control environment consistently achieves their principal service commitments and manages specific outlined risks.

3. SOC 2 Type 1 and Type 2 are the same

Type 1 is a point-in-time review of and report on the controls and procedures an organization has put in place. That’s why most organizations start their SOC 2 journey here — for instance, if their products and services have just gone live and they don’t have the history to go back several months. But most organizations then progress to Type 2 to acquire a more formalized compliance attestation. This requires auditing over a formal review period — typically a year or at least six months.

4. There is no difference between SOC 2 reports

SOC 2 reports vary vastly depending on the organization, so it’s important during due diligence to read all four sections of the report, for every partner, vendor, supplier, and so on.

The first section of a report covers the opinion of the CPA firm, which sets the framework for the report, calls out any control deviations that didn’t operate effectively in the reporting period, and describes any modifications to the opinion that were made as a result. The second section contains the service organization’s assertion that all the controls were implemented and that they operated effectively. The third section contains a description of the system, the controls, and the organization’s principal service commitments, in terms of managing specific risks related to the applicable trust services criteria. The fourth section then lists all the controls that were tested, the nature of the tests performed, and the results of these tests.

“Every company is different, so they’re going to have unique commitments, and unique controls and system requirements that are in place to meet those commitments,” says Danny.

Even the same company could have multiple SOC reports for different services that they provide to different organizations.

5. Only screenshots count as valid evidence for auditors

They’re certainly not the holy grail. Auditors focus on whether the evidence’s completeness and accuracy provide reasonable assurance that the evidence can be relied on to reveal the operating effectiveness of controls. They must have faith in the evidence’s source. So screenshots can be useful, especially if they’re date- and time-stamped. But there are other ways of satisfying auditors, such as giving them access to data directly from Workday, rather than giving them data in a manually compiled Excel spreadsheet.

6. Specific activities must be performed to achieve compliance

This is a common misconception. In fact, neither SOC 2 nor ISO 27001 is so prescriptive.

“They’re intentionally broad, and a lot is left up to the complying organization to define through policies and procedures or [in the case of SOC 2] commitments for specific risks,” says Danny.

As mentioned, every organization is different, so each one will likely define different risks and then different controls, processes, and commitments they must adhere to. Organizations define the scope of SOC examinations and ISO certifications and typically limit the scope to the applications and systems that could have an impact on the services provided to customers and/or the security, availability, and/or confidentiality of their data (such as customer databases or systems that store customer data, and production infrastructure that supports the service offering). So once risk assessments have been run on these systems and once controls and policies (ISO) or commitments (SOC) are defined, auditors will simply determine whether they have been met and/or applied.

As an example, in the area of access controls, there’s nothing in ISO or SOC 2 requiring that:

  • Users have to be offboarded within exactly X hours
  • Access reviews have to be performed every X months
  • The minimum character count in all passwords must be X

Some organizations may in the end choose to add these policies to their compliance document, according to their risk assessments. But ISO and SOC 2 don’t require them for all organizations.

Flexibility is key

As they work to achieve and maintain compliance, it’s important for organizations to seek out technologies, such as those for access management, that are flexible enough to support them with whatever granular controls they might need to deploy. These technologies should be customizable enough to enable organizations to set up whatever workflows they need, and they should enable them to automate as much as possible, to take the strain out of compliance.

Find out how AccessOwl can support your ISO 27001/SOC 2 requirements.