July 7, 2024

Extending SOC2 to ISO 27001

Modern companies and startups move at the speed of trust. SOC 2 and ISO 27001 are two widely recognized standards for reporting security and trust. In this post, we highlight the steps to extend your SOC 2 to ISO 27001.
Written by:
Travis Good

Modern companies and startups move at the speed of trust. Building and maintaining trust starts with effective security and compliance and, increasingly, security and compliance that meets industry standards. SOC 2 and ISO 27001 are two widely recognized compliance frameworks that help companies ensure the security and privacy of their data (and their customers' data).

Many companies, especially in the US, start with SOC 2 compliance as a foundation for their security program. SOC 2 is a report based on the Trust Services Criteria (TSC), which is a set of principles for managing information security risks. SOC 2 focuses on five TSC principles: security, availability, processing integrity, confidentiality, and privacy. Companies that successfully pass a SOC 2 audit can demonstrate that they have implemented controls that meet these principles.

However, some companies may want to extend their compliance program beyond SOC 2 to include ISO 27001. ISO 27001 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information so that it remains secure. ISO 27001 requires companies to perform an internal audit to assess the effectiveness of their ISMS.

Benefits of Extending SOC 2 to ISO 27001

Extending SOC 2 compliance to ISO 27001 provides several benefits for companies. First, ISO 27001 requires a risk assessment approach, which helps organizations identify potential security risks and develop strategies to mitigate them. This can result in a more comprehensive security program that addresses not just the five TSC principles but also other critical areas of information security.

Second, by aligning with the global standard that is ISO 27001, companies can demonstrate their commitment to best practices in information security management in a more global landscape. This can be especially important for companies that operate globally or have clients who require adherence to specific standards.

Third, extending SOC 2 compliance to ISO 27001 can help companies streamline their compliance efforts. Since both frameworks share some commonalities in terms of controls and processes, companies may be able to leverage their existing SOC 2 controls as a foundation for meeting ISO 27001 requirements.

Improving Reputation and Competitiveness

Extending a company's compliance program beyond SOC 2 to include ISO 27001 can also have positive effects on the company's reputation and competitiveness. By achieving compliance with both frameworks, companies can demonstrate their commitment to information security best practices and their dedication to protecting sensitive data.

This demonstrated commitment builds trust with customers, partners, and stakeholders who may be hesitant to work with a company that does not prioritize information security. In addition, demonstrating compliance with two widely recognized frameworks can give companies a competitive edge over others in their industry who only comply with one framework.

Furthermore, some customers and partners may require adherence to specific standards such as ISO 27001. By extending compliance efforts beyond SOC 2, companies can increase their ability to win new business and partnerships by meeting these requirements.

Understand the differences between SOC 2 and ISO 27001

SOC 2 and ISO 27001 are two popular information security frameworks that organizations use to demonstrate their commitment to securing sensitive data. While both frameworks share some similarities, there are also key differences between them. Here are some of the main differences to consider:

  • Scope: One of the biggest differences between SOC 2 and ISO 27001 is their scope. SOC 2 is designed specifically for service providers that store customer data in the cloud, while ISO 27001 applies to any type of organization that handles sensitive information, regardless of whether it's stored in the cloud or on-premises.
  • Audience: Another key difference between SOC 2 and ISO 27001 is their intended audience. SOC 2 reports are typically provided to customers and other stakeholders who need assurance that a service provider's systems are secure. ISO 27001, on the other hand, is widely recognized as a global standard for information security management, and is often used by organizations to demonstrate their compliance with legal and regulatory requirements.
  • Certification vs. Attestation: SOC 2 and ISO 27001 also differ in terms of how they are assessed. SOC 2 is an attestation report that is issued by an independent auditor, while ISO 27001 is a certification that is issued by an accredited certification body.
  • Control Framework: While both frameworks have similar control frameworks, there are some differences in the specific controls required. For example, SOC 2 requires controls related to availability, processing integrity, confidentiality, and privacy, while ISO 27001 requires controls related to risk assessment, asset management, access control, and business continuity.

While both SOC 2 and ISO 27001 are valuable frameworks for managing information security risks, organizations should carefully consider their specific needs and requirements before choosing which one to pursue.

Extending SOC 2 to ISO 27001

The below steps will guide you through the process of extending your infosec program from SOC 2 to ISO 27001.

Ensure you have Resources

Before engaging an auditor or starting down the path to ISO 27001, assess your organization's current resources and capabilities to ensure you have the necessary expertise and bandwidth to carry out the ISO 27001 implementation. This includes evaluating your internal team's knowledge of the standard, as well as identifying any external consultants or tools that may be needed to support the process.

Hire an Auditor

Choosing and engaging an auditing firm early in your ISO 27001 journey will help with timing, cost, and success. An auditing firm will ensure you know what to expect when it comes time to do the actual audit and get your ISO 27001 certification. If the auditor also did your SOC 2 audit, they can often give you tips and advice based on your current infosec posture.

Perform a gap analysis

Once a company understands the requirements of ISO 27001, it should perform a gap analysis to identify areas where its current compliance program falls short. This analysis can help the company determine what additional controls it needs to implement to meet the ISO 27001 standard. If the company already has SOC 2 and that SOC 2 was properly scoped, the majority of gaps should be the additional requirements in ISO 27001 that do not exist in SOC 2.

Implement additional controls

Based on the results of the gap analysis, the company should implement additional controls to meet the ISO 27001 standard. For example, it may need to develop a risk assessment methodology, implement access controls, or develop an incident response plan.

Below are some of the most common gaps we see for companies extending from SOC 2 to ISO 27001:

  • Internal Audit. One of the biggest practical differences between SOC 2 and ISO 27001 is that ISO 27001 requires an internal audit function while SOC 2 does not. This means policies and procedures for internal audit as well as resources dedicated to performing them.
  • Roles in policies. As opposed to SOC 2, ISO requires roles and responsibilities to be defined in many of your infosec policies.
  • Details in policies. ISO, in general, requires an additional level of detail in your policies to ensure they are crystal clear on steps to perform certain procedures as well as ownership of procedures and assets.
  • Data labeling. ISO requires that you label data and include this as part of your data classification policy.

Perform an internal audit

One of the biggest differences between SOC 2 and ISO is that ISO 27001 requires an internal audit function. This doesn’t mean just doing an internal audit (see below 👇), but ensuring the role is defined and accountable on an ongoing basis for the functions of internal audit.

After implementing additional controls and creating an internal audit function, the company should perform an internal audit to assess the effectiveness of its ISMS. The audit should cover all aspects of the ISMS, including policies, procedures, and controls. This is essentially an audit but is performed with an internal resource; the internal audit resource can be a fractional vCISO (this is something we offer at Workstreet). Companies can use automated tools such as Vanta to simplify the internal audit process.

Pursue ISO 27001 certification

Once the internal audit is complete and any issues are addressed, the company can pursue ISO 27001 certification. This requires an external audit by an accredited certification body. The audit will verify that the company's ISMS meets the requirements of the ISO 27001 standard. If you selected and engaged an external auditor early on (see above 👆), this is usually a smoother process at the end.

How long does it take?

We tell customers to budget 9-12 months for expanding their infosec programs from SOC 2 to a fully completed ISO 27001 audit and certification. While we’ve worked with customers that have accomplished this in 6 months, that is not typical. In order to expedite, companies need to have resources at the ready to make some of the required policy and technology changes that ISO 27001 requires and SOC 2 does not.

Workstreet can extend your SOC 2 to ISO 27001

Extending a compliance program from SOC 2 to ISO 27001 requires careful planning and execution. However, startups and other organizations that handle sensitive data can benefit from the additional security controls that ISO 27001 provides. By following these steps and leveraging tools like Vanta, companies can successfully extend their compliance program to meet the ISO 27001 standard.

At Workstreet, we’ve worked with companies moving beyond SOC 2 to ISO 27001. We can serve as your internal auditor, do your gap assessment, change your policies to align with ISO, help you choose an auditor, and navigate the audit process from start to certification. Reach out today to talk to us and see if there’s a fit.