ISO 27001 or SOC 2. Which is right for your business? It’s a common question.
ISO 27001 Security Standard
ISO 27001 is a standard that was developed in 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
What is the purpose of the ISO 27001 framework?
ISO/IEC 27001 is an international standard on how to manage information security. It formally specifies an Information Security Management System (ISMS) that an organization establishes, maintains, and continuously improves in order to further secure the data it holds. The three stated objectives of the ISO 27001 framework are Confidentiality, Integrity, and Availability.
This standard is not an obligation for organizations. However, it does provide a certification process that is more than likely going to increase sales numbers. The ISO 27001 standard is usually applicable to the market outside of North America. Most Fortune 500 companies want to know that the companies they do business with have a strong cyber security posture and security processes in place.
What are ISO 27001 controls?
The standard currently has 114 controls across 14 different domains. The key difference between an ISO audit and a SOC audit is that companies undergoing an audit for ISO 27001 must in fact have the processes in place and must be performing those processes across the domains. There is no room for error when undergoing an ISO 27001 certification. The ISO 27001 standard is also less flexible than SOC, as more concrete justification is needed to remove any controls from the scope.
Examining the scope and controls of ISO 27001 in more detail reveals that the framework is made up of an ISMS and what is referred to as Annex A. The ISMS component includes specific processes, policies, and practices that are relevant to the organization from a Leadership, Support, and Operational perspective, among others. These sections examine the overarching organizational policy and procedures (usually defined in an Information Security policy), as well as how the organization works from a hiring, development, and continual improvement perspective.
Annex A has a total of 14 domains, each relevant to a different organizational aspect. These are:
- Annex A.5: Information Security Policies
- Annex A.6: Organization of Information Security
- Annex A.7: Human Resource Security
- Annex A.8: Asset Management
- Annex A.9: Access Control
- Annex A.10: Cryptography
- Annex A.11: Physical and Environmental Security
- Annex A.12: Operations Security
- Annex A.13: Communications Security
- Annex A.14: System Acquisition, Development, and Maintenance
- Annex A.15: Supplier Relations
- Annex A.16: Information Security Incident Management
- Annex A.17: Information Security Aspects of Business Continuity
- Annex A.18: Compliance
ISO 27001 auditing is point-in-time and forward-looking. When the actual audit occurs, the organization's current controls, processes, and procedures are evaluated as of that day and looking forward (for continuous improvement). This differs from SOC 2, which covers a historical period of time: ISO 27001 focuses on establishing where the organization is currently and how to further improve processes going forward.
Fun fact: It is not a coincidence that Annex A begins at A.5. The controls of Annex A correspond directly to those in ISO 27002. In ISO 27002, sections 1-4 are introductory and explanatory, so the actual controls begin at section 5 (Annex A.5).