ISO 27001 vs. SSAE 18 SOC2 for treasurers
Know Your Certifications
Here at BELLIN we’ve been certified for ISO 27001 and have had SSAE attestations for some years now.
It is important to note that ISO 27001 and SSAE 18 are different standards that focus on differing audit criteria. And while a SOC report does cover a lot of the same topics as an ISO 27001 certification, the details of the two standards are quite different.
IT vs. Accountants
At the heart of the difference between these two standards lies the bodies which govern them. ISO 27001 is provided by the International Standards Organization (ISO) and is a certification and information security management system (ISMS) standard for IT systems. SSAE 18, issued by the American Institute of Certified Public Accountants (AICPA), is explicitly an attestation standard providing examinations of controls for financial service systems, performed by licensed, independent CPAs or firms. ISO has an interest in setting security standards, while the AICPA is interested in assuring that the methodologies followed are effective.
ISO 27001 – Multi-industry standard
ISO 27001 is a risk-based framework for establishing, implementing, and improving an organization’s ISMS. It is maintained by information security professionals at the ISO and IEC and certified by independent certification bodies. It requires that the organization has a working ISMS and is mitigating risk through the implementation of controls – be they processes, policies, or systems – across departments, personnel, and even industries. It is a complete system for assuring information security, and anyone holding this certification has at the very least a solid system for managing their information security.
The ISO 27001 framework defines ISMS policies tailored to the characteristics of the organization with a specific framework for setting objectives and testing effectiveness. Based on this, the organization defines a risk assessment approach; identifies, analyzes and evaluates potential risks; and develops controls to protect against these risks. Finally, the company prepares a statement of applicability which states the controls selected, the reasons for their selection and their implementation.
One should remember that the scope of the ISMS is up to the company, meaning that some parts of the company may be ISO 27001 compliant while others may not be.
SSAE 18 SOC 2 – Accounting standard
SSAE 18, on the other hand, is an attestation from an independent certified public accountant or firm that compares the service organization’s controls (SOC) against the organization’s stated objectives. Of the SOC reports provided, it is the SOC 2 which has the most in common with ISO 27001 (although it is important to remember that SOC 2 is a report and ISO 27001 is a certification). It is intended to report on the design (Type I) and operation (Type II) of the service organization’s controls that mitigate risks based on the principles of security, availability, processing integrity, confidentiality, and privacy. However, not all principles must be met: SaaS providers can select the principle(s) that best meet their reporting objectives. There are no clearly defined rules or standards under SSAE 18; instead, the service organization is left to define its own security controls and principles, which are then tested during the audit.
The auditing itself is another major differentiator for SSAE 18. Unlike ISO 27001, which certifies that the company is meeting the controls and requirements of the standard, an SSAE 18 audit covers a selected time frame and tests the effectiveness of the organization’s chosen controls in action.
While both ISO 27001 and SSAE 18 (SOC 2) are information security standards, they have major differences in how they are performed. Rooted in the differences between the ISO and the AICPA, the two differ in the fundamental methodologies of their assurances. ISO 27001 is a certification of an ISMS tested against an established framework, while SSAE 18 is an audit of the processes your company puts in place. Either way, you can be assured that a company holding an ISO certification or a SOC report is prepared to keep your data safe.