Mapping common criteria for SOC 2 and ISO 27001 compliance

You’ve probably heard this maxim at one time or another: “Work smart, not hard.” If your company has already earned a SOC 2 report or an ISO 27001 certification, you’re likely well on your way to obtaining the other. If you haven’t earned either, there are real benefits to pursuing both at once.

You can “work smart” by strategically taking advantage of common criteria for compliance, or overlapping requirements, so you don’t have to spend additional resources earning your next security standard. In this article, we’ll take a quick tour of SOC 2 and ISO 27001, why it’s a good idea to pursue both, and why it’s smart to take advantage of common criteria mapping to save time and money.

What is SOC 2 and who needs it?

Widely regarded as the benchmark compliance framework for US service organizations, SOC 2 is a set of criteria against which an independent auditor evaluates a company’s security controls and procedures. Created by the American Institute of CPAs (AICPA), a SOC 2 report assures prospective customers and partners that you’ve established and follow strong security practices. It signals a commitment to data security and ongoing risk management.

SOC 2 is not legally required. It is an attestation report issued by an independent CPA firm after an audit, and it comes in two flavors: a Type I report evaluates whether controls are suitably designed at a point in time, while a Type II report evaluates whether they operated effectively over a review period (commonly three to twelve months). Although it is not a requirement, US-based businesses that wish to open new channels of revenue will, at some point, be asked by prospective clients to prove their security, and a Type II report is usually what those clients expect.

What is ISO 27001 and who needs it?

ISO 27001 (formally ISO/IEC 27001) is a security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is recognized internationally, whereas SOC 2 originated in the US and is most often requested by US customers, although it is increasingly asked for elsewhere as well.

The purpose of ISO 27001 is to help organizations preserve the confidentiality, integrity, and availability of the information within a defined scope. It does this by requiring an Information Security Management System (ISMS): a documented, risk-driven management process that governs a company’s people, processes, and technology and is reviewed and improved on a recurring basis.

Just like SOC 2, obtaining an ISO 27001 certification shows that your organization is trustworthy and can prove its security practices. ISO 27001 is not a legal requirement. It’s a certification that international clients and business partners are likely to request before making a deal. After an audit by an accredited certification body, the organization may be awarded a certificate, which is typically valid for three years subject to annual surveillance audits.

Should your company pursue SOC 2 and ISO 27001?

SOC 2 and ISO 27001 have similar goals and overlapping requirements, but does that mean your company should pursue both? The short answer is: it depends, mostly on who your customers are. If your company is US-based and has no interest in selling internationally, a SOC 2 report is likely the best option.

In contrast, if your company is outside the US and has no plans to enter the North American market, ISO 27001 is likely sufficient. Companies that seek international growth and revenue will gain many benefits from obtaining both standards.

Achieving ISO 27001 and SOC 2 compliance serves as a strong market differentiator between you and the competition. When a prospective client is weighing their options, providing proof of both standards can tip the scales in your favor.

What is common criteria mapping for compliance?

If SOC 2 and ISO 27001 are in your company’s future, you’re in luck, because the two frameworks have a lot in common. Many requirements, controls, and criteria overlap, which means there’s a strong chance you won’t have to double your efforts. By strategically and simultaneously fulfilling criteria for each standard, you can streamline the compliance process. This is known as common criteria mapping. (Note that this everyday use of “common criteria” is unrelated to the Common Criteria product-evaluation scheme, ISO/IEC 15408, and is also distinct from the “CC”-numbered criteria that make up the SOC 2 Security category.)

So how much overlap is there? There is no single number, because scope differs from company to company: which SOC 2 categories are included in the report, and which ISO 27001 Annex A controls are declared applicable. That said, the mapping of the Trust Services Criteria to ISO 27001 published by the AICPA shows that most SOC 2 criteria have a corresponding ISO 27001 requirement or control, so evidence gathered for one can usually be reused for the other.

SOC 2 is composed of specific criteria grouped into five categories, collectively known as the Trust Services Criteria. Security is required in every SOC 2 report; the other four are included only if they are relevant to the service being audited.

  • Security
  • Availability
  • Confidentiality
  • Privacy
  • Processing Integrity

ISO 27001 is organized into 10 numbered clauses that describe an organization’s security management responsibilities. Clauses 4 through 10 are the mandatory ISMS requirements; the individual security controls are listed separately in Annex A (93 controls in the 2022 edition, 114 in the 2013 edition), and an organization documents which of them apply in its Statement of Applicability.

  • Scope (clause 1)
  • Normative references (clause 2)
  • Terms and definitions (clause 3)
  • Context of the organization (clause 4)
  • Leadership (clause 5)
  • Planning, including risk assessment and risk treatment (clause 6)
  • Support (clause 7)
  • Operation (clause 8)
  • Performance evaluation (clause 9)
  • Improvement (clause 10)

What are the benefits of common criteria mapping?

If you’ve obtained a SOC 2 report or an ISO certification, you’re in a good position to build on what’s already established. And if you have yet to earn either standard, it makes a lot of sense to tackle them simultaneously. Here are a few reasons why:

Save time and resources: By fulfilling SOC 2 and ISO 27001 criteria together, you collect one body of evidence (policies, access reviews, change records, risk assessments) that satisfies both audits, which is cost effective and resource efficient.

Expand your information security program quickly: Achieving SOC 2 and ISO 27001 together gives your security program a significant boost. For fast-growing companies, this level of progress is invaluable.

Build a cohesive internal security structure: Accomplishing multiple compliance goals at the same time lets you document, maintain, and improve your security holistically, so you never have to dismantle a siloed, framework-by-framework security environment later.

Streamline your compliance goals with Vanta

SOC 2 and ISO 27001 each contain specific criteria and controls; however, not every one of them applies to every organization. In SOC 2, only the Security category is mandatory, and in ISO 27001 the management clauses are required but Annex A controls can be excluded with a documented justification. So how do you know which ones to follow? By working with a trusted compliance partner like Vanta, you can receive expert guidance on how to move forward.

Vanta’s automated compliance platform continuously monitors your security posture. It provides detailed information about the status of all your standards, and when you make progress on one, you’ll know exactly where you stand with all the others.
