ISO27001 and SOC2 as third-party cybersecurity assessment mechanisms


The cybersecurity rating is widely used, among other situations, as a tool in third-party risk management processes, coexisting with other mechanisms such as ISO27001 certification and SOC2 audits.
Since doubts often arise about when to rely on one or the other, we thought it would be useful to write this post about it. Let's start by defining both mechanisms:
  • ISO27001 is a standard created by the International Organization for Standardization (better known by its acronym, ISO) for implementing Information Security Management Systems (ISMS) to protect the information assets of organizations. The objective of the standard is to allow the organization to protect three aspects of its information: confidentiality, integrity and availability.
  • SOC2 is a set of reports resulting from an audit carried out by an independent auditor. It focuses on the controls that the organization implements in its services / platforms to protect the security of its end users. Such a report contains: a management statement, the auditors' report, a summary of the systems, the trust criteria assessed, and the test matrices.
In summary, we can already see a clear difference: a standard that defines how to implement an ISMS versus a set of criteria aimed at generating trust in services.
Next step: Let's understand the deliverables associated with each of them.
  • ISO27001 Certification - It is obtained after a favorable audit carried out by a certification body (ideally, an accredited one). It is valid for 3 years, with annual surveillance audits. Certification means that the organization has a proven framework in place to deliver the "level" of security consistent with management's risk appetite.
  • SOC2 Report - It can be of two types. A Type I report evaluates the design of the controls, while a Type II report describes the control environment and confirms that, for the period evaluated (normally between 6 months and one year), the implemented controls have been operating effectively.
Therefore, the aforementioned difference is confirmed:
  • ISO27001 certification is what we could consider a false friend. It seems to certify the security of a system, but in reality it certifies the existence of a security management system. That is, the auditor does not give an opinion on whether the established security measures are sufficient, or on what level of security exists; the auditor only opines on the existence of a management system.
  • The SOC2 report does give an opinion on the effectiveness of the controls implemented by the audited organization with respect to the objectives that had been established. In this case, it is not enough for a provider to have a SOC2 report: you have to read the report, understand the controls and decide whether they are sufficient for the intended use of the service, considering its criticality. In other words, two SOC2 reports are not directly comparable, since the result depends on the criteria applied by the auditors (and those criteria do not have to be the same; some auditors are more permissive and others more demanding).
In any case, the cybersecurity rating issued by LEET Security gives a result similar to that of a SOC2 report, with the added value that the result is objective, on a 5-level scale that allows a very specific understanding of the security level of the evaluated service in the three dimensions (confidentiality - integrity - availability). That is why we recommend its use [which, by the way, is perfectly compatible with carrying out a SOC2 Type II audit].
[Entry inspired by RiskCrew's "ISO27001 & SOC2: Apples & Oranges" post]
If you want more information about SOC2 and ISO27001, you can read these other texts:
