What is a SOC 2 and what is the Key Differences SOC 2 vs. ISO 27001?

Updated: Nov 5, 2021

SOC 2 is a set of reports produced during an audit, performed by an independent Certified Public Accountant (CPA) or accounting organization.

The content of these reports is defined by the American Institute of Certified Public Accountants ( AICPA ). SOC 2 validates the internal controls related to the information systems involved in the services provided, based on five semi-overlapping categories called Trust Services Criteria (TSC). Originally it was very common in the US but the globalization of services in the cloud has made this type of audit increasingly requested in any country.

The growing importance of this report over the others is that it is usually the most used to address a double question: Is the information secure and how can we be convinced that we know it? The SOC 2 standard is an audit on internal controls related to information technology, verifying the obligations and commitments of IT, Cloud, and Hosting service providers.

Since the content of the reports does not require an objective component of "pass or fail", only the auditor's opinion, which is subjective, the audit reports are not certifiable under SOC 2. Only compliance with the requirements can be certified. SOC 2 requirements and this certification can only be performed by a licensed CPA.

The main objective of these reports is to define the maximum internal control over the financial information of another company that an entity manages. This type of verification helps convey security and reliability to customers.

There are two types of SOC 2 reports. Type 1 reports cover the description of the system of the services and show whether the proposed controls support the objectives that the organization wants to achieve. SOC 2 Type 2 reports also cover the description of the service systems and show whether the proposed controls support the objectives that the organization wants to achieve, as well as whether these controls operate as expected over a while (usually between 6 months and 1 year).

Examples of objectives to be achieved through the use of the service systems are increased profitability, reduced losses/expenses, operational optimization, compliance with legal requirements, etc.

As mentioned, SOC 2 reports focus on how controls meet five categories:

  • Security: information and systems are protected against risks that can compromise them and affect the organization's ability to meet defined objectives.

  • Availability: information and systems must be available when necessary so that the organization can meet its objectives.

  • The integrity of processing: the processing of the system must provide reliable information when authorized so that the organization can achieve its objectives.

  • Confidentiality: Only authorized personnel can access the information so that the organization can achieve its objectives.

  • Privacy - Personal information is managed in a way that enables the organization to achieve its objectives.

The content of a SOC 2 audit report should cover:

  • Management affirmation: confirmation by management that the systems related to the services provided are fairly described in the report.

  • Auditor's report: summary of the tests and results performed, and the auditor's opinion on the effectiveness of its controls.

  • Systems Overview - A detailed description of the system or service.

  • Applicable trust service criteria: established controls, as well as the effectiveness of those controls taking into account the trust service criteria.

What is the meaning of ISO 27001?

ISO 27001 is a standard that defines requirements and controls for the systematic protection of information. Applicable to organizations of any size and industry, it consists of 10 clauses and 114 security controls grouped into 14 sections (Annex A). The Information Security Management System, defined in clauses 4 to 10, allows an organization to maintain its security levels always aligned with the objectives and desired results of the organization (for example, market advantage, reduction of losses due to incidents, operational optimization, etc.), based on a risk management approach.

What is the difference between SOC 2 and ISO 27001?

While SOC 2 refers to a set of audit reports to evidence the level of conformity of the design and operation of information security controls with a set of defined criteria (TSC), ISO 27001 is a standard that establishes the requirements for an Information Security Management System (ISMS), that is, a set of practices to define, implement, operate and improve information security.

SOC 2 vs. ISO 27001: Which one should you choose?

In short, it is not about ISO 27001 vs SOC 2, because SOC 2 is an audit report, while ISO 27001 is a standard for establishing an Information Security Management System. Therefore, SOC 2 can be seen as one of the results that an ISMS ISO 27001 implementation can provide.

The correct way to view the relationship between SOC 2 and ISO 27001 is as follows: Although ISO 27001 certification is not required to create a SOC 2 report, an ISO 27001 ISMS can provide, without additional cost and effort, a solid foundation for preparing this report, while increasing customer confidence that the organization can protect their information and support the achievement of its results and dynamically desired results.