If you are a B2B company, your customers will likely ask you to complete a SOC 2 or ISO27001 engagement. If you have never been through the process before, it can be a daunting proposition. Since our mission at Tugboat Logic is to demystify the complex world of security so you can get on with the business of selling, here is a quick guide to how the two are alike and how they differ. The truth is that they are "close cousins": if you work smart, you can leverage the work you do for one to complete the other in record time. (One point of terminology up front: strictly speaking, SOC 2 is an attestation report rather than a certification, and ISO27001 is a certification. Customers tend to use the word "certification" for both, and this guide follows that usage.)
Similarities: Both SOC 2 and ISO27001 are designed to instill trust in clients that you are protecting their data. If you look at their principles, each covers the core dimensions of securing information: confidentiality, integrity and availability. When Tugboat Logic mapped the two frameworks to over 150 security controls, we found that 96% of the controls are shared. The good news you can draw from this comparison is that both frameworks are broadly recognized and demonstrate to clients that you take security seriously. The great news is that if you complete one, you are well along the path to completing the other.
Differences: The main difference between SOC 2 and ISO27001 is that SOC 2 focuses mostly on demonstrating that the security controls protecting customer data have been implemented (and, for a Type 2 report, that they operated effectively over a period), whereas ISO27001 also requires you to demonstrate that you have an operational Information Security Management System (ISMS) in place to manage your InfoSec program on an ongoing basis. This adds several controls around proving that the management system exists, is regularly reviewed, and conforms to the ISO27001 standard. With Tugboat Logic, if you do SOC 2 first, we have already mapped the controls to policies for you, so most of the ISMS documentation is produced as a by-product of implementing the controls in the first place.
2. Market Applicability
Similarities: As said above, both are reputable security certifications that clients accept as proof that you have proper security in place. If you are selling to organizations in the United States, they will likely accept either SOC 2 or ISO27001 as third-party attestation of your InfoSec program. Both are equally "horizontal" in that they are accepted by most industries. The notable exceptions are the U.S. federal government, which requires FedRAMP authorization for cloud services, and healthcare, where customers will additionally expect evidence of HIPAA compliance (HIPAA is a regulation, not a certification, so a SOC 2 or ISO27001 report is often used to support that evidence rather than replace it).
Differences: The only market difference is that if you are doing business internationally, ISO27001 is more widely recognized by clients outside the United States.
3. Who Certifies You
Similarities: Both SOC 2 and ISO27001 are reputable, independent, third-party-assessed credentials that speak to your level of security as an organization.
Differences: The main difference is who performs the assessment and what they issue. A SOC 2 report is an attestation issued by a licensed CPA firm under the AICPA's attestation standards, whereas an ISO27001 certificate is issued by an accredited certification body (often called a registrar) that has itself been accredited by a national accreditation body. Before engaging either, it is worth checking that the CPA firm is licensed and that the registrar's accreditation covers ISO27001, since a certificate from an unaccredited body will not satisfy most customers.
4. Cost
Similarities: These certifications have a similar opex cost in terms of your internal team implementing the security controls and gathering the evidence required to prove conformity with SOC 2 or ISO27001.
Differences: While pricing varies widely across the industry and with the scope of your project, in our experience ISO27001 typically costs 50%-60% more than SOC 2. This is largely due to the additional documentation auditors require to prove you have an ISMS in place. One benefit of using a Virtual CISO platform such as Tugboat Logic is that we dramatically reduce the cost of creating these documents with prebuilt policies and controls that are already mapped to both ISO27001 and SOC 2. It also shortens the audit itself, since the back-and-forth with the auditor is greatly reduced.
5. Time to Complete
Similarities: Certification projects are made up of three distinct stages: Gap Assessment/Plan Definition, Implementation/Evidence Collection, and Audit/Certification. Since SOC 2 and ISO27001 share most of the same security controls, the implementation and evidence collection time will be very similar.
Differences: Traditionally, ISO27001 requires about 50%-60% more time to complete than SOC 2. A SOC 2 Type 1 report typically takes three to six months from start to finish, depending on how long it takes you to implement all of the security controls, and a SOC 2 Type 2 report takes another three to six months on top of that, because it must cover an observation period during which the controls are shown to operate. ISO27001 usually takes 12-18 months, again largely due to the additional process and documentation required to stand up an operating ISMS and to complete the Stage 1 (documentation review) and Stage 2 (implementation) audits. Tugboat Logic can help reduce the burden of creating an ISMS with our automated InfoSec program creation platform.
6. Certification Renewals
Similarities: As is customary for most certifications, both SOC 2 and ISO27001 need to be renewed periodically to remain valid.
Differences: Some subtle differences exist. SOC 2 has a point-in-time variant, the Type 1 report, but most enterprises will also request a Type 2 report, which requires you to demonstrate that your security controls operated effectively over an observation period; a first Type 2 often covers three to six months, and subsequent reports typically cover twelve. A SOC 2 report does not formally expire, but customers expect a current one, so in practice a Type 2 report is renewed annually. ISO27001 runs on a three-year certification cycle: a certification audit in year one, surveillance audits in each of the following two years, and a full recertification audit before the certificate expires at the end of year three.
You’ve Got This!
Whichever certification you decide to do first, the odds are that as your business grows you will eventually have to complete both to meet the requirements of your global clientele. The encouraging news is that there are easier, faster and more cost-effective ways to leverage the work you do on one certification to reduce the work required for the next. Tugboat Logic's core mission is to demystify and automate the process of obtaining security certifications so you know exactly what you need to do, and to help you get that work done quickly so you can complete your audit sooner.