Bundling ISO 27001 Compliance with SOC 2 Reporting: How Service Organizations Can Benefit

By Maria Sciarrino, CPA on October 26, 2021
Maria Sciarrino, CPA

Staff Accountant | Risk Advisory Services


ISO 27001-Compliant ISMS Plus SOC 2 Equals Better Customer Relations and Greater Prospect Confidence

If you are a service organization that already has an ISO 27001-compliant Information Security Management System (ISMS), bundling it with a SOC 2 report is inexpensive, relatively easy to execute, and produces many benefits for you and your customers.

The purpose of this blog post is to provide some basics on SOC 2 reporting and to offer insight on the benefits of ISO 27001/SOC 2 bundling.

What is a SOC 2 Report?

A SOC 2 report (Service Organization Control report 2) focuses on the controls a company uses to protect customer data, as well as the operating effectiveness of those controls. Freed Maxick’s SOC 2 Reporting services focus on the five Trust Service Principles defined by the AICPA (American Institute of CPAs): security, availability, processing integrity, confidentiality, and privacy.

Objectives and Outcomes of SOC 2 Reporting:

For Organizations

  • Demonstrate commitments to internal controls
  • Meet contractual obligations and/or regulatory requirements
  • Maintain trusting business relationships with customers, business partners, and suppliers

For Customers

  • Gain confidence in your vendor’s control environment
  • Understand how to mitigate risks associated with outsourcing services

Visit our website for more details on SOC 2 Audits.

We’re Already ISO 27001 Certified... Why Should My Organization Undergo a SOC 2 Audit?

Let's take a look at why to bundle a SOC 2 audit with your existing ISMS:

  • Enhanced Marketability - Your organization has a large U.S. market or is seeking to gain an advantage in the U.S. market.

ISO 27001 is an internationally recognized certification that is especially popular in Europe, whereas SOC 2 reports are gaining popularity in North America. As businesses become increasingly aware of vendor risk (an awareness heightened by notable cyber events such as the 2020 SolarWinds breach), your organization may find U.S. customers asking for a SOC 2 report. Businesses relying on vendors with poor control environments are subject to increased risk of supply chain attacks, failure to meet Service Level Agreements (SLAs), and business disruption.

  • Customer Confidence and Strengthened Relations - Give your customers a report to review.

Your company receives a certificate of compliance for passing the ISO 27001 audit, whereas passing a SOC 2 audit will result in a report that your organization can provide to your customers. A SOC 2 report includes the independent auditor's opinion, management's assertion, a description of the system, and a list of controls audited with the results of testing the design (and operating effectiveness if a Type II report) of those controls.

Your report can also include a list of controls that users of your system should have in place in order for the system to operate as intended, called Complementary User Entity Controls (CUECs). In addition, the optional Section V, covering other information provided by the entity, gives your organization the opportunity to highlight notable aspects of the control environment that were not included within the audit's scope. Your customers may favor the detail that a report can provide over the ISO 27001 certificate.

  • Lower SOC 2 Audit Costs - The cost of undergoing a SOC 2 audit is reduced by already having an ISO 27001 certified ISMS in place.

Your security controls meeting the ISO 27001 framework requirements can also fulfill many of the requirements in the SOC 2 2017 Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. In fact, the AICPA offers mappings of the 2017 TSC to ISO 27001 on its website which indicate that only six out of 61 SOC 2 criteria could not be mapped to the ISO 27001 framework. While your organization would still undergo a Readiness Review prior to the commencement of the SOC audit to ensure any gaps are addressed, you can expect less remediation work and lower audit fees by already having these controls in place and operating.

Connect with a Freed Maxick Risk Advisory Consultant

If you are interested in undergoing a SOC 2 attestation by a licensed CPA firm, or if you’re in need of ISO 27001 consulting, our Risk Advisory Services team can work with you. Our expert service auditors will conduct a Readiness Review of your organization's system and map your current security controls to the SOC 2 framework. We can recommend the appropriate type of report (Type I or Type II) and Trust Services Criteria based on your organization's unique needs.

For more information regarding Freed Maxick's risk advisory services, please call 716.847.2651 or contact us here.
