I’ve previously discussed SOC 2 and its governance in the Bredemarket blog, and I encountered SOC 2 again in a Wednesday webinar from Drata and Armanino, “Ask an Auditor: SOC 2 & ISO 27001 Tips, Tricks, and Pitfalls to Avoid.”
Armanino is the auditor, while Drata is an automation platform that assists companies in measuring conformance to SOC 2, ISO/IEC 27001, and other standards.
The webinar was in the form of an Ask Me Anything session, so naturally a comparison of SOC 2 and ISO/IEC 27001 came up.
As I previously mentioned, the SOC suite was developed by the Association of International Certified Professional Accountants. ISO standards are published by the International Organization for Standardization.
And ISO/IEC 27001 provides an actual certification, unlike SOC 2 which is an atteatation (or iBeta PAD testing, which indicates conformance).
So what is ISO/IEC 27001?
“ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
“The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system….
“ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience andoperational excellence.”
Bredemarket 