If you’re looking to stand out from your competitors, you’ll need to prove your value when it comes to cybersecurity. One way of doing so is to earn some kind of certification that proves your company takes data privacy and security seriously. ISO 27001 and SOC 2 are two highly rated security certifications you should consider. Both help your company strengthen its cybersecurity protocols and procedures. Having one of these certificates will also prove to your customers that their data is secure in your hands. That said, choosing between the two certificates is a challenge in itself.
In this article, I’ll help you understand the differences between ISO 27001 and SOC 2 certification. I’ll also show you the process to get each certificate and detail the pros and cons of each one. Let’s first explore what ISO 27001 is, the process to get it, and its pros and cons.
ISO 27001: All You Need to Know
ISO 27001 is an international standard set forth by the International Organization for Standardization, which is recognized in 167 countries worldwide. ISO certificates are among the highest-level certificates your company can achieve. ISO 27001 looks at how you secure your information and doesn’t get into the technical aspects of IT.
You’ll need this certificate to validate that your company’s information assets are secure. Information asset is a general term that includes anything that can store information, from papers and filing cabinets to Word files, hard drives, networks, and servers. Having this certification will also set you apart from your competition. It distinguishes you as having a high regard for data and information security.
Now, I’ll get into the control groups and criteria that ISO 27001 will measure your company against.
ISO 27001’s 14 Control Groups
ISO 27001 will test your company against 14 control groups and their sub-categories. To receive the certification, you must prove you have appropriate measures in place and enforce them correctly for all 14 groups.
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security
- A.14: System acquisition, development, and maintenance
- A.15: Supplier relationships
- A.16: Information security incident management
- A.17: Information security aspects of business continuity management
- A.18: Compliance (with internal requirements, such as policies, and with laws)
Next, let’s look into the process of how to get certified.
Certification Process and Timeline for ISO 27001
The certification process takes 6-12 months for a small to medium-sized company. This certification is valid for 3 years. To get the certification, your company will go through 4 stages, as you can see in the following table.
| Stage | Duration | Description |
|---|---|---|
| Company readiness | 6-10 months | In this stage, your company needs to prepare the documentation and get ready. It also needs to implement and follow the controls. |
| Audit 1: Documentation | 1 day | After your company is ready to apply for the certificate, auditors inspect your documentation. |
| Audit 2: Certification | 6-10 days | If you pass the first audit, the auditors will make a site visit. They’ll monitor your team to decide if they’re following the controls. |
| Remediation | 1 day to 6 months | Based on the audits, the auditors will request changes. Applying these changes may take you a few days to several months, depending on the changes you need to make. |
Certification Costs for ISO 27001
The cost of the ISO 27001 certification depends mainly on the number of days it’ll take the auditor to conduct an audit at your company. Daily rates differ from one auditor to another. That said, it’ll cost you approximately $800 to $1,600 per day, or $1,200 on average.
Keep in mind that the number of days the auditors need to spend onsite will also depend directly on the number of employees in your company. The certification will cost around $5,000 for a small company with a few employees. Conversely, it’ll cost around $25,000 for a large company with more than 1,000 employees to get the certification. This is naturally due to the additional time the auditor will have to spend onsite.
To review, let’s look at the pros and cons of the ISO 27001.
Pros & Cons of ISO 27001
Below are the pros and cons of getting an ISO 27001 certificate.
Pros
- Enhancement of your company’s competitive edge
- Reduction in losses due to security incidents
- Reduction of fines due to legal or contractual non-conformity
- Improvement of internal organization
- International recognition
- Improvement of customer and business partner relations
- 3-year certificate validity with ongoing maintenance
Cons
- Extra cost due to the extra work and having auditors onsite
- Personal resistance from some people in the company, since they may consider the certification a waste of resources
- Loss of productivity, since your employees will have to reduce their workload to participate in the preparation, the audits, and then the ongoing maintenance
In the next section, I’ll go over SOC 2 and the important things you’ll need to know about it.
SOC 2: All You Need to Know
SOC 2, short for Service Organization Control 2, is a voluntary compliance standard for service companies. It issues guidelines on how companies should handle customer data. This certification marks your company as having one of the highest degrees of data and information security within the United States, and it’s also widely used across North America. The American Institute of Certified Public Accountants (AICPA) formed these standards. You can tailor SOC 2 to the unique needs of your company, and the certification doesn’t follow a rigid form for assessing companies.
In this certification, you’ll have 5 main trust services criteria your company needs to achieve. I’ll list them for you below.
The 5 SOC 2 Trust Services Criteria
SOC 2 has 5 trust services criteria to check your company against. SOC 2 doesn’t dictate a course of action for each point; it’s up to the company to select how it wants to tackle each of these 5 points.
- Security. Ensures your company protects information and systems against unauthorized access, unauthorized disclosure of information, and damage to information systems.
- Availability. Validates that information and systems are available for operation and use to meet the user’s objectives.
- Processing integrity. Confirms system processing is valid, accurate, complete, authorized, and timely to meet your objectives.
- Confidentiality. Ensures your company protects information designated as confidential to meet the user’s objectives.
- Privacy. Checks that your company collects, uses, retains, discloses, and disposes of personal information in a way that meets the user’s objectives.
After understanding the trust services, I’ll go through the certification process for SOC 2.
Certification and Process for SOC 2
The certification process for SOC 2 is similar to ISO 27001. Refer to the table above for more detailed information. Unlike ISO 27001, though, the SOC 2 certificate is only valid for 1 year. To keep the certification active, you’ll need to reapply each year. As a quick overview, the process starts with a readiness phase in which your company prepares. This will be the hardest and longest phase of the certification process.
The time requirements vary based on how large your company is. Keep in mind that the larger your company, the more time it’ll take and, as with ISO 27001, the more it’ll cost. Back to the SOC 2 process: after your company is ready, the auditors will come in and start reviewing the documentation. If they find any errors or discrepancies, you’ll need a remediation period that can last from 1 day up to 6 months.
After fixing all issues, the auditors will remain onsite for 2-3 weeks to finalize your company’s certification. How long this process takes also depends on the size of your company. The amount of time to get a certification plays an important part in the total cost you’ll pay. Let’s check out the costs for the SOC 2 certification next.
Certification Costs for SOC 2
The certification costs for SOC 2 are on par with ISO 27001. They might be a little cheaper for smaller companies. The prices can range from $5,000 USD up to $80,000. You can even pay a higher bill depending on the size of your company and the complexity of its infrastructure.
An advantage of SOC 2, though, is that you can choose who does your audit. You may hire an accounting/auditing firm to do your certification and this is an opportunity to save some money. In this case, you’ve got 3 tiers from which you can generally hire an accounting/auditing firm. I’ll get to them next.
Accounting/Auditing Firms Tier Levels
An accounting/auditing firm can help you complete the auditing process for the SOC 2 certification. These firms fall into 3 main tier levels.
1. The Big 4
These are the firms that everyone knows and loves to work with: Deloitte, Ernst & Young, KPMG, and PricewaterhouseCoopers. They’re international and have offices around the world. They’re also known for quality and professionalism. That said, the downside is the sky-high fee to use their services.
2. Mid-Tier and Boutique
These accounting firms are smaller than the Big 4, so they keep their costs lower and carry less risk of brand damage. Their fees are more moderate, and they also pride themselves on their work, because reputation is very important in this industry.
3. Cybersecurity CPA Firms
Short and to the point: cybersecurity CPA firms understand the business of accounting. If you combine that with their knowledge of IT domains and information security, they’re a surefire shot. They also have a laser focus on SOC 2 and technology.
Last, let’s take a look at the pros and cons of SOC 2.
Pros & Cons of SOC 2
Below are the pros and cons of getting a SOC 2 certification.
Pros
- Focuses on cybersecurity and IT technology
- Is flexible to meet the unique needs of your company
- Allows you to choose your own auditor
Cons
- Has high recurring costs
- Requires annual recertification
- Isn’t internationally accepted
- Causes loss of productivity
After covering both certifications, let me compare and contrast between them below.
Key Differences & Similarities of ISO 27001 vs SOC 2
In the following table, you can see the differences and similarities between the two standards.
ISO 27001 and SOC 2 Comparison
| | ISO 27001 | SOC 2 |
|---|---|---|
| Definition | A standard that establishes requirements for an Information Security Management System. | A set of audit reports to substantiate the level of conformity to a set of defined criteria. |
| Geographical applicability | International, and favored outside of North America. | Usually in the United States, and used in North America. |
| Applicability by industry | Companies of any size or industry can use it. | Applies to service companies from any industry (most commonly used by tech-based service organizations). |
| Compliance | A certificate issued by an ISO certification body. | An attestation by a licensed Certified Public Accountant (CPA). |
| What is it for? | It defines, implements, operates, controls, and improves overall security. | It helps to prove security levels against static principles and criteria. |
| Validity | 3 years | 1 year |
Now that you have a good understanding of both certifications and how they differ, let me help you decide on one of them.
ISO 27001 vs SOC 2: Which One Should I Go For?
If your company deals in data, IT tech, or cloud services, you should consider getting one of the two certificates: ISO 27001 and SOC 2. You’ll want to consider your geographic location and your customers’ locations as well. North America tends to favor SOC 2 over ISO 27001. That’s why if you’re located in this region, SOC 2 might be a better option.
While the associated costs are high, the costs of not having a certification might deter potential customers. You can always make a few calls to various auditing firms and get some ballpark quotes. Keep in mind that if you want to maintain certification, you’ll need to pay each year for SOC 2 and every 3 years for ISO 27001 recertification.
You’ll also need to allocate your employees’ time to participate in audits each year. If you’ll spend around the same amount of money for both, then it might make more sense to go with ISO 27001. That’s because it’s an international standard and it only needs to be recertified every 3 years, instead of every year.
The security criteria for both are very much the same, so it might be a good idea to look at costs over the long term. That way you’ll see which one might be the best fit for you.
Choosing to get certified and then deciding on which certificate to get isn’t an easy decision. The 2 certifications being similar also doesn’t make the process any easier. That said, both ISO 27001 and SOC 2 are essential certificates to have. It’s only up to your company which one you choose to pursue.
You’ll mainly have to decide which process and timeframe suits your company better. You also should consider the costs of each certificate. I hope this article with its comparisons and contrasts gave you some food for thought and helped guide your decision-making process further.
Are you still scratching your head with more questions? Check out the FAQ and Resources sections below.
How long are the ISO 27001 and SOC 2 certificates valid for?
The validity term is different for each. ISO 27001 is valid for 3 years after getting the certification but requires continuous maintenance to keep it up. In other words, in the interim years you’ll be audited again to ensure you adhere to the standards. Before the third year comes to an end, you’ll need to schedule another audit to get recertified. SOC 2 is valid for only one year and requires an audit to renew the certificate each year.
Is one of the certifications more tech-focused than the other?
Yes, SOC 2 was created with tech in mind. Its requirements are less rigid than those of ISO 27001, which leaves your company flexible to choose the best solutions to meet its needs. ISO 27001 looks at information assets, which can be anything that holds information. It doesn’t look at IT infrastructure and technology specifically.
Are these certifications required?
No, they’re not required but rather voluntary. While no governing body requires your company to be certified, it does help the appearance and reputation of your company to have a certification. If you’re working with sensitive data or working with clients’ sensitive data, a certification can also go a long way in showing you’re dependable and secure.
How much do these certificates cost?
The price for both certificates varies based on how large your company is. It also depends on how much IT infrastructure you’ve got and how complex that setup is. On a sliding scale, ISO 27001 might cost anywhere between $5,000 and $25,000, and you’re certified by a team of auditors from the ISO. SOC 2 can cost anywhere between $5,000 and $80,000, depending again on the size of your company and infrastructure. Another factor to consider is the kind of auditor you hire to do the audit.
How does a company get started to prepare?
Generally, you can first read the documentation for the certificate you want to pursue to prepare. You’ll then start implementing it in the workplace. This is the longest phase and could require capital expenditures to get on track. The other option is to hire a consulting company that’ll come in and hit the ground running. It’ll also reduce the time to get the certification but will cost you extra for those services.
TechGenix: Article on What is ISO 27001
Learn more about ISO 27001 and the process to get certified.
TechGenix: Article on ISO 27001’s Impact on Your Company (Part 2)
Check out what having ISO 27001 can do for your company here.
TechGenix: Guide on ISO 27001 Certification
Discover all the details that go into getting ISO 27001 certified.
TechGenix: Article on 6 Tips to Strengthen Your IT Security Team
Check out these great tips to get better at security and prepare for security audits.
TechGenix: Article on Creating Winning Cyber Security Teams
Check out these tips on how to build great cyber security teams.