A-LIGN provides valuable insight into audits and the key differences between SOC2 and ISO 27001. A-LIGN is an information security and cybersecurity audit and certification firm doing audits like SOC2 or certifications like ISO 27001. We delve into SOC2’s purpose, audience, core components and significance for UK businesses whilst exploring the differences between SOC2 and ISO 27001.
What is SOC2?
In textbook terms, SOC2 is an internal controls report for service organisations whose services do not impact their customers’ financial reporting. Firms such as A-LIGN examine the internal controls of a business and judge whether those controls mitigate the risks set out by the body that publishes the standard, in this case the AICPA. It is a third-party vendor management report that gives customers assurance that you are meeting a minimum best practice for information security.
SOC2 audits are a service organisation report, and so are most applicable to businesses that are service organisations: for example, software as a service, infrastructure as a service or platform as a service. Technically, if you are providing a service to a business or consumer, you are eligible for a SOC2 audit, but most businesses that undergo SOC2 audits are in the software or tech industry, as they are the most likely to affect information security or data security.
The Five Key Components of SOC2 Compliance
- Representation Letter – Management must sign a representation letter to state that everything they are providing to the auditor is true and accurate to the best of their knowledge.
- Opinion Letter – An opinion letter is the auditor’s opinion on whether the business, or the scope that was tested, meets the SOC 2 criteria or does not. The opinion letter must be signed by a certified public accountant (CPA). Most of the time the CPAs are US-based, as SOC2 is regulated by an American institution.
- System Description – This is a lengthy section detailing what the business does, the scope that was tested and the technical components within the business, e.g. infrastructure, third parties they utilise, high-level information on their information security practice in policies and procedures.
- Controls – When reviewing a SOC2 report, you will see listings line by line of what the criteria were as published by the standard, and what specific internal controls the business has in place to mitigate the identified risk. This provides exact details from a control standpoint of what the business that was audited had in place and what the auditors’ findings were.
- Response – SOC2 gives management the ability to respond to any findings in the report. If there are any exceptions, known as nonconformities in ISO, management can respond to those findings to let the reader know what action they took after finding the exception.
SOC2 Compliance in the UK: Why Your Business Should Prepare
SOC2 is an American standard because the body that publishes, regulates and manages the SOC2 standard is the American Institute of Certified Public Accountants (AICPA). Although the AICPA is based in the US, SOC2 is a global standard.
One of the reasons UK businesses should be interested in SOC2 is that the US is one of the largest economies in the world. If you are a software company in the UK and you know that one of your strategic go-to-market routes is likely to be selling to the US, then SOC2 is going to be a requirement later down the line, as most US-based companies are used to receiving SOC2 reports. It can be a barrier to entry if your team is not aware of SOC2 or does not currently hold a SOC2 report.
Most of the UK has ISO 27001 in place, which is the cornerstone of information security in the UK and Europe. In the past few years, we have seen regulated industries within the UK, specifically the central government, putting out different tenders or RFPs that call out SOC 2 as a requirement in combination with ISO or sometimes instead of ISO. If you are working in a regulated industry in the UK, you should be aware that SOC2 could be down the pipeline as a requirement.
SOC2 vs ISO 27001: Key Differences Every Business Should Know
There are some similarities between SOC2 and ISO 27001: both address information security and both mitigate security risks. ISO 27001 is a certification of an information security management system, while SOC2 focuses on the information security controls themselves. Both are used to ensure the correct controls are in place whilst instilling trust in the customer base. The key difference is that ISO 27001 is a certification and SOC2 is not; SOC2 is known as an attestation. Typically, the ISO 27001 certificate is around 1-2 pages, whereas a SOC2 report can be around 100 pages – you get more depth into what was tested, rather than just the fact that it was.
Another difference is that ISO 27001 tends to be very policy-based and management-centric, as it focuses on how management is involved in the information security process, whereas SOC2 tends to be more technical. It does rely on policies and procedures, but it will also go into the security configurations you have within, for example, your AWS environment.
Who Can Conduct a SOC2 Audit and How to Choose the Right Auditor
The only organisations that can issue an accredited SOC2 report are certified public accountant firms. Businesses are recommended to visit the AICPA’s website, where a peer review search lets you type in a firm’s name and find out whether it is actually accredited, i.e. whether it has gone through a peer review to uphold the AICPA’s requirements for issuing SOC 2 reports. It is extremely important to do your due diligence on the experience of the auditor you choose.
Understandably, the term audit usually fills a company with dread. It leads to stress, worry and chaos, but this shouldn’t be the case – an audit is implemented to help you, to ensure the safe running of a business. A huge positive of a SOC 2 audit is that it isn’t just a technical audit; you receive an extremely detailed overview of what was tested and why, as opposed to just knowing the fact that it has been. Many businesses are currently turning to SOC 2 as they see the value that it brings, as opposed to the worry.