ISO 27001… or SOC 2… or both
CyberKainos. Reading time: 8 mins
I already have ISO 27001. Why are my customers asking for SOC 2 as well?
You have already gone to considerable effort and cost to demonstrate your commitment to information security, and are operating a proper Information Security Management System. You have covered risk assessments, a Statement of Applicability, management reviews, internal audits, and continual improvement. But now a prospect’s procurement team has asked you to demonstrate your maturity against SOC 2 as well.
This is one of the top five frustrations we hear from clients, and on the face of it the irritation is understandable. The short answer, however, is that the prospect is right. ISO 27001 and SOC 2 are not two versions of the same thing, and holding one does not discharge a request for the other. They answer different questions, for different audiences, in different markets.
The short answer to why customers ask for both
The reasons are practical before they are technical.
SOC 2 is the de facto expectation in North American B2B and SaaS procurement. ISO 27001 is the international and European default. If you are selling into the United States, or to a buyer whose own vendor-risk programme was written there, the request for SOC 2 is often hard-coded into procurement policy, irrespective of what other certifications or compliance accreditations you hold.
There is also a substantive point beneath the practical one. A SOC 2 Type II report evidences how your controls operate over a period of time. An ISO 27001 certificate confirms you have a governed, improving system in place that can help protect you from data breaches. This is a different kind of assurance from a tested opinion on operating effectiveness over, say, the past twelve months. Many buyers want both forms of comfort, and they are entitled to ask.
The technical differences between ISO 27001 and SOC 2
Neither is a legal requirement. ISO 27001 is an international certification. Here, an accredited certification body audits whether your organisation has built and is operating a proper ISMS: risk assessments, a Statement of Applicability, management reviews, internal audits, continual improvement. The structure is standardised and applies consistently, regardless of industry or location. The controls themselves are selected on the basis of your own risk assessment. The output is a certificate, valid for three years with annual surveillance audits, which you may display and reference publicly.
SOC 2 is not a certification. It is an attestation report. A licensed Certified Public Accountant (CPA), working under the AICPA’s attestation standards, tests whether your specific controls meet the relevant Trust Services Criteria and gives a formal opinion on them. SOC 2 is narrower and more flexible: you choose which of the five Trust Services Categories apply, with Security mandatory and the remaining four (Availability, Processing Integrity, Confidentiality, and Privacy) optional.
SOC 2 Type I or Type II: A distinction your clients care about
This is often missed, and it is usually the part procurement actually wants to see.
A Type I report tests whether your controls are suitably designed at a single point in time. It is faster to obtain and is a sensible first step.
A Type II report goes further. It tests whether those controls operated effectively throughout a defined period, usually three to twelve months. When a customer asks for “SOC 2”, they almost always mean Type II, because operating effectiveness over time is the assurance they are seeking.
A practical sequence is to achieve Type I first and mature to Type II across the following reporting period.
What you can show publicly and what you cannot
A SOC 2 report, whether Type I or Type II, is a restricted-use document by design. It is intended for management, customers, prospects, and auditors or regulators. It is normally shared under a non-disclosure agreement (NDA).
If you need something you can publish openly, the equivalent is a SOC 3 report. This is a general-use summary containing the auditor’s opinion and a description of the system, but not the detailed results of control testing. You can use this as a public-facing document.
Your ISO 27001 certificate is public. Your SOC 2 report is restricted and shared under NDA. A SOC 3 report is the public-facing summary of your SOC 2 report.
The good news: you have already done most of the work
By taking your organisation through ISO 27001, you have built the foundation SOC 2 rests on: an information security management system, a documented risk assessment, written policies, and the experience of surviving an external audit.
Direct mappings exist between the ISO 27001 Annex A controls and the Trust Services Criteria, and a substantial proportion of your existing evidence is reusable. Your information security policies, risk assessment and treatment, access control, change management, supplier management, incident response, and logging and monitoring will all carry across with adaptation rather than reinvention.
We will not insult you with a precise overlap percentage, because the honest figure depends on your scope and the categories you select. What we can say with confidence is this: the heavy lifting, the cultural and governance work which defeats most organisations, is already behind you.
How CyberKainos bridges the gap
The work remaining is one of translation and evidence, not of starting over again. CyberKainos maps your existing ISMS against the Trust Services Criteria, identifies the genuine gaps, helps you select the right categories and report type, prepares you for the CPA examination, and manages the engagement through to a clean report.
So, if your customer is asking for SOC 2 and you already hold ISO 27001, don’t panic. You are closer than you think. Speak to us about a scoping conversation, and we will tell you honestly how far the remaining distance runs.