If you are a service organization that already operates an ISO 27001-compliant Information Security Management System (ISMS), bundling it with a SOC 2 report is inexpensive, relatively easy to execute, and produces many benefits for you and your customers.
The purpose of this blog post is to provide some basics on SOC 2 reporting and to offer insight on the benefits of ISO 27001/SOC 2 bundling.
A SOC 2 report (System and Organization Controls 2; formerly "Service Organization Control") focuses on the controls a company uses to protect customer data and on the operating effectiveness of those controls. Freed Maxick’s SOC 2 Reporting services focus on the five Trust Services Criteria categories defined by the AICPA (American Institute of CPAs): security, availability, processing integrity, confidentiality, and privacy.
Objectives and Outcomes of SOC 2 Reporting:
For Organizations | For Customers
Visit our website for more details on SOC 2 Audits.
Let's look at why you should bundle a SOC 2 audit with your existing ISMS:
ISO 27001 is an internationally recognized certification that is especially popular in Europe, whereas SOC 2 reports are gaining popularity in North America. As businesses become increasingly aware of vendor risk (highlighted by notable supply-chain incidents such as the 2020 SolarWinds breach), your organization may find U.S. customers asking for a SOC 2 report. Businesses that rely on vendors with poor control environments face an increased risk of supply chain attacks, failure to meet Service Level Agreements (SLAs), and business disruption.
Your company receives a certificate for passing the ISO 27001 audit, whereas a SOC 2 engagement produces an attestation report that your organization can provide to its customers. A SOC 2 report includes the independent service auditor's opinion, management's assertion, a description of the system, and a list of the controls examined together with the results of testing their design (as of a point in time for a Type I report) and, for a Type II report, their operating effectiveness over a specified period.
Your report can also include a list of controls that users of your system should have in place in order for the system to operate as intended, called Complementary User Entity Controls (CUECs). In addition, the optional Section V, "Other Information Provided by the Service Organization," gives your organization the opportunity to highlight notable aspects of the control environment that were not included within the audit's scope. Your customers may favor the detail a report provides over an ISO 27001 certificate.
Security controls that meet the ISO 27001 framework requirements can also satisfy many of the requirements in the SOC 2 2017 Trust Services Criteria (TSC) for Security, Availability, Processing Integrity, Confidentiality, and Privacy. In fact, the AICPA publishes a mapping of the 2017 TSC to ISO 27001 on its website, which indicates that only six of the 61 SOC 2 criteria could not be mapped to the ISO 27001 framework. Your organization would still undergo a Readiness Review before the SOC audit begins so that any gaps are identified and remediated, but because these controls are already in place and operating, you can expect less remediation work and lower audit fees.
If you are interested in undergoing a SOC 2 attestation by a licensed CPA firm, or if you need ISO 27001 consulting, our Risk Advisory Services team can work with you. Our experienced service auditors will conduct a Readiness Review of your organization's system and map your current security controls to the SOC 2 framework. We can recommend the appropriate type of report (Type I or Type II) and the Trust Services Criteria to include based on your organization's unique needs.
For more information regarding Freed Maxick's risk advisory services, please call 716.847.2651 or contact us here.