Considering ISO 27001 certification? Wondering about SOC 2 attestation? Trying to figure out the differences between the two?
We have you covered.
We invited Dan Schroeder, Partner-in-Charge for Information Assurance Services at Aprio LLP, onto The Virtual CISO Podcast to explain attestation, certification, ISO 27001, and SOC 2.
What we talked about:
- What is attestation?
- ISO 27001 certification v. SOC 2 attestation
- Which does my company need: ISO 27001 or SOC 2… or both?
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here. If you don’t use Apple Podcasts, you can find all our episodes here.
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Narrator (00:06):
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there and welcome to another episode of the Virtual CISO Podcast, as always, I’m your host John Verry and with me as always, the Watson to my Sherlock Holmes, Mistress Jeremy Sporn. Hi Jeremy.
Jeremy Sporn (00:37):
Hello, Detective Holmes, hello everyone. Good to be here.
John Verry (00:41):
So what’d you think of the conversation I had with Dan?
Jeremy Sporn (00:44):
I thought it was extremely interesting and I am a doctor, Doctor Watson so my perspective should be taken in the highest regard, let’s be clear.
John Verry (00:53):
And that’s about the only way I’m ever going to take you seriously. But anyway.
Jeremy Sporn (00:57):
Anything I can do to win man. But anyway, all right. It feels like the discussion around Iso 27001 or SOC 2 or both is just growing. We hear from our clients, our potential clients, we read about it on the internet. It’s a topic that just seems to come up more and more these days, especially if you’re a business based in the US. What’s clear to me right aways is even amongst the most seasoned information security experts, there’s just differing perspectives. This means I have an extremely simple way. You call it a SOC 2 report, he calls it an SSC 2 report.
John Verry (01:31):
And I’m right by the way.
Jeremy Sporn (01:33):
The fact that you think that is not surprising. You call is ISO he calls it ISO, just a very, very simple way to show us that information security is still more art and science and that there are differing perspectives amongst very seasoned professionals.
John Verry (01:50):
Yeah it was an interesting conversation and I do think that he coming from an Hay ICPA SOC 2 background, me coming from a ISO 27001 background, you know I think you can see the roots of that in the ways that we approach our opinions on both, although we’re both proponents of both. You know I think you can kind of see where we came from, where we grew up.
Jeremy Sporn (02:10):
Is this a nature versus nurture argument you’re going into right now John?
John Verry (02:14):
Yeah ISO is in my genetics, what can I say?
Jeremy Sporn (02:17):
Oh that’s right all right, cool.
John Verry (02:19):
Anything else you want to cover before we jump to the show?
Jeremy Sporn (02:23):
Let’s talk about Dan for a sec. He is the partner in charge at Information Assurance Services at Aprio LLP despite the fact that he immediately comes across as a very smart dude, he’s an easy guy to like and John this might sound a little weird to you, but you know how when people first meet you, they’re a little put off by your ego, but then once they get to know you they realize you’re a good guy. You know, Dan, he’s very different. He’s just easy to like right out of the gate.
John Verry (02:48):
So basically you like him better than you like me. All right. On that bombshell, thank you Jeremy Clarkson. Let’s get to the show. All right Dan, let’s start easy. Tell me a little bit about yourself and a little bit about Aprio.
Dan Schroeder (03:05):
So I’m a partner in charge of the service we call information assurances for Aprio LLP.
John Verry (03:12):
Sounds familiar.
Dan Schroeder (03:13):
Yep, based out of Atlanta, Georgia. Work around the country, do a lot of work and I go back many years from my time up in the Northeast so, you know, lately these services, ISO, PCI, QSA related, all the AICPA stuff, just pretty much anything that there’s a information risk related that involves potentially an assessment or an attestation, we do that.
John Verry (03:40):
You’re particular is specifically information security and of course the border CPA from you and the same thing from financial.
Dan Schroeder (03:48):
All the financial attacks. MNA, a lot of other services, Cloud Mechanic Services, et cetera et cetera so, Aprio, fairly big firm, work around the world, around the nation. One of the top 40, 50 CPA firms and also a traditional sort of stuff about emerging stuff, a lot of innovation, line botching, international attacks, MNA. That sort of thing. But information assurance API Report, I started with Aprio about 10 years ago. I started this line of business for them. Didn’t have that.
John Verry (04:22):
Mm-hmm (affirmative)
Dan Schroeder (04:22):
I was with a larger firm in the New York metro area for almost 10 years and started something similar, sort of a precursor to what we do today.
John Verry (04:31):
Mm-hmm (affirmative)
Dan Schroeder (04:32):
And had the opportunity to go down there and start this up and hook up with the rest of my family that’s down there [inaudible 00:04:37] so did that and made it happen.
John Verry (04:39):
And when you say down there obviously you’re referring to the Hotland area.
Dan Schroeder (04:43):
Hotland although that’s a euphemism used in other parts. I don’t think anybody in Atlanta says that.
John Verry (04:48):
So you can tell I’m not from Atlanta from the fact that I said that?
Dan Schroeder (04:51):
I can tell you’re not from Atlanta when you say Hotland.
John Verry (04:55):
And I guess you mentioned that you were active in fintech, I guess with Atlanta being arguably the center of fintech, I guess that’s probably a good spot to be in, right?
Dan Schroeder (05:05):
It is, and so that’s been a great jumping off point because you know, the fintech companies, and you say talk about the information security, but there’s certainly security from the perspective of protecting data but also about the triate, CIA type of thing. And then privacy has become very relevant as well. And so all of these fintech type of companies, data companies, marketing companies, et cetera et cetera. All the compliance issues, the issues of, with respect to just making sure that they’re able to convey assurance and be trustworthy and that’s the business that we’re in.
John Verry (05:41):
Okay that sounds good. Before we get too far into it, I always like to ask, just to kind of personalize the conversation, what’s your drink of choice? That can be anything from kombucha through you name it.
Dan Schroeder (05:55):
Well I do like to kombucha, I’m not a bourbon guy but this is growing on me.
John Verry (05:57):
Not a bourbon guy but yet you’re drinking one of my better bottles, it was just a Christmas present.
Dan Schroeder (06:01):
[crosstalk 00:06:01] Maybe I’m not [crosstalk 00:06:04] be a bourbon guy.
John Verry (06:04):
Well you can think of us when you leave here, you’re not having anymore if you’re not a bourbon guy.
Dan Schroeder (06:09):
Exactly. You know I don’t know, I guess I jumped on the mescal train the past year. I like that smokiness of that you know? Sometimes sour, too sour, I don’t like the sour, I don’t like the sweet. I like that smokiness, I think that can be appealing.
John Verry (06:25):
So I’m going to point you to a restaurant that I ate in over Christmas a between, in Grand Cayman.
Dan Schroeder (06:30):
Mmmm
John Verry (06:30):
And they actually brought a guy up from Mexico, was their mescal master.
Dan Schroeder (06:35):
Oh wow.
John Verry (06:35):
And he comes to the table and he explains to you the selection of mescals they have and the drinks they make and I had a wonderful drink.
Dan Schroeder (06:41):
Oh wow.
John Verry (06:45):
[crosstalk 00:06:45] So we’re here to talk about, your a CPA firm and a registrar and a QSA right? And those are all access [inaudible 00:06:52] and really that’s what the conversation is today. Just talking a little bit about two of the most common form of attestation ISO 27001 and SOC 2.,
Dan Schroeder (06:58):
Mm-hmm (affirmative)
John Verry (06:58):
So before we start on that, we’ve got, people get this term, third party attestation and second part attestation. And of course the best is third party attestation. Let’s just kind of frame, from your perspective, define attestation.
Dan Schroeder (07:11):
Well to me attestation is a term that is a formal term that is defined by really by the AICPA, they’re are attestation standards.
John Verry (07:22):
Mm-hmm (affirmative)
Dan Schroeder (07:24):
There’s an array of attestation standards that in the past year has caused some confusion on the marketplace because a lot of the attestations standards got rolled up under this thing called SSA 18.
John Verry (07:37):
Mm-hmm (affirmative)
Dan Schroeder (07:37):
Before there was SSA 16 but there were other SSAs.
John Verry (07:39):
Mm-hmm (affirmative)
Dan Schroeder (07:41):
And then there became SSA 18, what was SSA 16 got rolled underneath of that as well as other forms of attestation that can be specific to operation and compliance matters which SOC 2 pertains to and other more general examination attestation. So you can do, and we do this, agree upon procedures so there’s a form of attestation.
John Verry (08:02):
Right.
Dan Schroeder (08:03):
And as far as we’re concerned, we can do attestation over pretty much anything but it really just comes down to having a concept called suitable criteria. 7
John Verry (08:13):
Mm-hmm (affirmative)
Dan Schroeder (08:14):
Where management makes an assertion over top of some suitable criteria and in the information security space, that could be the likes of any of the [inaudible 00:08:22] standards.
John Verry (08:23):
Right.
Dan Schroeder (08:23):
Aspects of PSI, PSI, high trust for example, you name it. Banking standards and we can execute some form of an attestation that sits over top of those various criteria where management makes an assertion that they’re following those, they’re adhering those and may be about the deployment or it may be about operational effect in this and then it pertains to a scope. We get those things from management, we can execute procedures and tests to see that management is really conveyed that their assertion that they’re conveying with respect to following that is fairly presented.
John Verry (09:00):
Right, so I’m going to simplify a little bit right because a lot of the people are not quite as [inaudible 00:09:04] knowledgeable as you are. So from my perspective, attestation is somebody saying they’re doing something right?
Dan Schroeder (09:11):
That’s right.
John Verry (09:12):
And the first part is, that’s you answering a questionnaire. I send you a questionnaire that says tell me your security practices, you fill it out and send it back to me. My first part attestation. It’s better than no attestation but not super reliable right?
Dan Schroeder (09:24):
Right.
John Verry (09:25):
Then there’s the second part of attestation which is I might send a questionnaire and I might come out naughty right so I’m doing my [inaudible 00:09:31] validation right? And then third party which is kind of the gold standard.
Dan Schroeder (09:34):
Right.
John Verry (09:35):
Which ISO 27000 or SOC 2 fall into is somebody like yourself, a registrar or a CPA firm when it comes out, conducts and audit and then attests on my behalf. Like hey, you can trust that John said he’s doing what he’s doing from an information security perspective because I said so and I did the test.
Dan Schroeder (09:50):
And we followed professional standards and when I do that sort of thing, we’re subject to peer review and quality standards and so you know literally we’ve got skin in the game to make sure that that report that we put out is done properly.
John Verry (10:02):
Right.
Dan Schroeder (10:04):
But for sure when a company makes a thing, we would call that an assurance.
John Verry (10:08):
Yep.
Dan Schroeder (10:08):
The company says we’ve seen that and we’ve suggested in some cases that’s an appropriate form of assurance to follow. Make some conveyance and give them some reports some write paper, some whatever else that says we’re doing these sorts of things. In some cases, that may be enough of assurance if it goes beyond that, it may be an onsite audit.
John Verry (10:27):
Right.
Dan Schroeder (10:27):
What you called a second party attestation.
John Verry (10:30):
Yeah, right.
Dan Schroeder (10:31):
Or ultimately an independent, professional [crosstalk 00:10:37]
John Verry (10:37):
That’s the third party. Today really what I want to chat about with you is third party attestation. Right? Because I think that’s the gold standard of what we do. A lot of the conversations that I have with clients are around which third party attestation should I get?
Dan Schroeder (10:47):
Right.
John Verry (10:47):
So we have this, and I think that you’d agree with me I think, that the two major attestations that most people would consider, or would be consider would be ISO 27001 and SOC 2. With respect to security.
Dan Schroeder (10:58):
Yep.
John Verry (10:59):
With information security to be very specific.
Dan Schroeder (11:00):
Right.
John Verry (11:01):
Okay, cool. So from your perspective, give me a quick explanation of either, or both of the actually for someone who might be a little less familiar with them.
Dan Schroeder (11:10):
Okay so let’s start with SOC 2. That’s the AICPA protocol or standard that exists with respect to security and then it can branch out beyond security and we’ll talk about that. But that is really a report that sits over top of a management assertion over top of criteria again, right?
John Verry (11:31):
Mm-hmm (affirmative)
Dan Schroeder (11:31):
In our world as we’re doing attestation, we’re doing some definable set of criteria and in this case, for an SOC 2 report, there really is a complete set of criteria that represents a) this report description, and if you’ve ever seen and SOC 2 report, there is a narrative that tells you the story of [crosstalk 00:11:51] well yeah but it also says [crosstalk 00:11:53] here’s the company, here’s the service that we’re representing and here’s a little bit about how that service works and here’s a summary of the controls and then within all that, there’s more of the body of the report. You’ll see a table and you’ll see a detailed description of a bunch of requirements that are known as criteria.
John Verry (12:12):
Mm-hmm (affirmative)
Dan Schroeder (12:13):
And associated controls and tested those controls.
John Verry (12:15):
Mm-hmm (affirmative)
Dan Schroeder (12:16):
So those are in the AICPA part, those are known as trust services criteria.
John Verry (12:20):
Mm-hmm (affirmative)
Dan Schroeder (12:22):
And so, I guess the real distinguishing features of an SOC report is a) this requirement to pout forth this narrative or this so called system description and that can be a big deal. And there’s pros and cons associated with that.
John Verry (12:37):
Mm-hmm (affirmative)
Dan Schroeder (12:37):
We’ve got those that can range from 15 pages to we’ve had those be well over 100 pages.
John Verry (12:43):
Right.
Dan Schroeder (12:43):
Because of a complexity of the business. And then secondarily, what’s going to be different is with respect to these criteria which are called trust services criteria, the company actually have to document control statements, right?
John Verry (12:56):
Mm-hmm (affirmative)
Dan Schroeder (12:58):
Tell us how you go about provisioning access for new users and tell us, make a control statement with respect to deep provisioning and authentication or whatever else that it might be. So there’s a lot of words involved in this, so there’s a lot of wordsmithing to get that right. That’s an SOC 2 report puts together all these controls with respect to the context of the system description, people like us do attestation procedures to say that the words that they, the story that they told with respect to this system and how it’s presented and what it does and the associated controls, we execute testing to say is that fairly presented?
John Verry (13:34):
Right.
Dan Schroeder (13:34):
Is this accurate for the date and time that’s represented or for the period in time, right, that is represented. And [inaudible 00:13:41] an SOC 2 recall.
John Verry (13:42):
So let’s pause there for a second. Again I’m trying to simplify this down. So SOC 2 you can download of the AICPA website, these trust services criteria. I think these are called the trust services principles, correct?
Dan Schroeder (13:54):
Trust services principles and criteria.
John Verry (13:56):
And criteria.
Dan Schroeder (13:56):
That’s correct.
John Verry (13:56):
Okay so you can download this thing. And really it’s an Excel spreadsheet and you can say exactly the criteria that you with the audit are going to that part of the criteria that you’re going to be holding them to, correct?
Dan Schroeder (14:06):
Correct.
John Verry (14:06):
You’re going to go through that. And then you’ll report explicitly on each control whether or not they met or didn’t meet by [inaudible 00:14:12] any non-conformities or whatever the term you want to use right, that’s going to explain whether they fully met that criteria, correct?
Dan Schroeder (14:19):
Exceptions, yes. Correct.
John Verry (14:21):
No exceptions, no [crosstalk 00:14:22].
Dan Schroeder (14:21):
And the nuance, and one of the really difficult aspects of and SOC 2 report, so there’s a criteria that says you should be doing something. And then the responsibility of the organization that is having the report prepared for them, has to make a right one or more control statements that describe how they fulfill that particular requirement. Our first responsibility is to express and opinion as to whether the controls they put forward actually fulfill the requirement.
John Verry (14:49):
Mm-hmm (affirmative)
Dan Schroeder (14:50):
So if it’s about logical access and they don’t have an effective control with respect to authenticating remote and privileged users that probably would not be a suitable control.
John Verry (15:05):
Right.
Dan Schroeder (15:05):
That would be an exception.
John Verry (15:06):
Right.
Dan Schroeder (15:07):
Or conversely they could say, we have this mechanism in place for remote access where we do 2FA and we go to check to see whether that’s in place and we don’t find it, that would be an exception. Okay?
John Verry (15:20):
So real quick there, so what we’re talking about is in a SOC 2 attestation or a SOC 2 review, you’re looking at the design of the controls to see if the design aligns with what they trust [inaudible 00:15:32] criteria require. And then you’re also looking at the operation and doing that observation period of the audit. Correct?
Dan Schroeder (15:37):
This is three words probably. Design, deployment and operational effectiveness if it’s over a period of time.
John Verry (15:45):
Cool.
Dan Schroeder (15:45):
Okay.
John Verry (15:45):
So I think that’s a great summary of SOC 2. So let’s talk about ISO. How would you summarize ISO?
Dan Schroeder (15:53):
ISO, a different set of criteria presented by way of ISO 27001 standard that is supported and embellished by 27002 and 27003. And speaks in many respects to similar criteria that are represented by the AICPA. SOC 2 trust services criteria.
John Verry (16:17):
Mm-hmm (affirmative)
Dan Schroeder (16:18):
But in terms of understandability, in terms of logical relationships, in terms of information security, you’d have to say that ISO is along with NISTA is the gold standard.
John Verry (16:29):
Mm-hmm (affirmative)
Dan Schroeder (16:30):
You know, long standing, tremendous organization, international recognition. Just presented at a different level and the associated guidance I think that’s embedded in the likes of 27002, 27003 can make it very useful. And we’re going to come back and hopefully we’ll talk about how 27001 can make your SOC 2 report better.
John Verry (16:52):
Right, and they’re definitely not, it’s not, we’ll get to that. It’s not a one or the other, they’re both great standards. So one of the things from my perspective and you’re a COA by nature.
Dan Schroeder (17:05):
Correct.
John Verry (17:05):
And I’m an ISO 27000 [inaudible 00:17:07] auditor so I’ll probably defend my standard a little bit more, you’ll probably defend yours more, but they’re both great standards. With ISO, the one thing which I look at which I think is a little bit different, I wonder if you’d agree with me. ISO has the concept of both the management system which is really that overarching governance process. And a question of controls. In ISO they call that annex A, they call that ISO 27002.
Dan Schroeder (17:31):
Right.
John Verry (17:31):
Right, which to me is highly analogous in terms of the controls of the trust services criteria. And we cover most of the same ground, wouldn’t you say?
Dan Schroeder (17:39):
We do, we do actually. And even the way that ISO presents between the management system. The ISMS structure that sits on top of the operational controls, annex A. When it comes to the audit, listen, we take the totality of what’s represented by that. I think it does map well to SOC 2.
John Verry (18:02):
Mm-hmm (affirmative)
Dan Schroeder (18:04):
It’s just different ways of looking at that.
John Verry (18:07):
Mm-hmm (affirmative)
Dan Schroeder (18:08):
It’s interesting that ISO, when it comes to the auditing, ISO is different because ISO says, as you know John, ISO says when we go do a certification that there’s two stages that do that certification.
John Verry (18:21):
Mm-hmm (affirmative)
Dan Schroeder (18:21):
The first stage is about the ISMS or the overarching management system criteria.
John Verry (18:28):
Mm-hmm (affirmative)
Dan Schroeder (18:29):
And so the ISO standard which is, I think it’s great in terms of what the requirement that it puts forth for people like ourselves that are actually conducting the certification, certification bodies. In terms of how it is as a certification body. You can’t go and do an actual test for the operational controls until the organization has actually passed mustard on the management system controls.
John Verry (18:53):
Mm-hmm (affirmative)
Dan Schroeder (18:53):
And I didn’t really understand the logic behind it but I’ve come to understand or infer that the idea behind all of that is to say that it doesn’t matter if the company’s doing change in SM management or authentication or whatever else it is effectively. If the actual, the people that are steering the ship, that are at the helm aren’t doing the right sorts of things.
John Verry (19:12):
Right.
Dan Schroeder (19:13):
Because all the operational stuff will be unsustainable or ultimately become ineffective.
John Verry (19:19):
Right.
Dan Schroeder (19:19):
So ISO and we think it’s a beautiful way to do this, says let’s make sure that the management system that the direction is in place of leadership, the responsibility, the risk management strategy or risk treatment approach and approach for monitoring, you’ve got all that buttoned up. Rules and responsibility, accountability. And then we’ll talk about the specifics operational.
John Verry (19:38):
Right.
Dan Schroeder (19:39):
And those are delineated in stage one and stage two.
John Verry (19:42):
Mm-hmm (affirmative)
Dan Schroeder (19:44):
Before you go into stage two you have to have addressed any significant non-conformities that came out of stage one. And after stage two covers all the operation controls of which I think there’s 114 thereabouts.
John Verry (19:56):
114 [inaudible 00:19:57].
Dan Schroeder (19:57):
Before you can get your certification, you have to address any significant non-conformities that came out of that. And once you do that, you’re going to get your certification.
John Verry (20:05):
Right.
Dan Schroeder (20:06):
Now to compare it back to SOC 2 where we said in SOC 2 its design, deployment and operational effectiveness are viewed in terms of interpretation of how the ISO standard is not necessarily about operational effectiveness. So we look at stage one and stage two and many respects as being akin to what SOC 2 a type one audit. So where a type one audit is really about design and deployment, we think that’s what stage one and stage two is about.
John Verry (20:35):
Mm-hmm (affirmative). Yeah so it’s interesting. I look at things a little bit differently but I think more the same than different.
Dan Schroeder (20:41):
Mm-hmm (affirmative)
John Verry (20:43):
I agree with you completely in regards to stage one where ISO is a little bit different I think is the structure of the standard changed I think the structure and the auditor’s approach. So from the structure, the standard perspective, I agree with you. You can’t move to the looking at the annex A controls the actual implementation of controls until you know that the management system works. And the reason why is that the idea of the management system is that it rationalizes the implementation of the controls, right? Information security control is a mechanism that reduce risk. Until we know that you’ve got a risk management framework that’s effectively operating, that’s properly staffed, properly resourced, properly considered, why should I look at the controls? Because it’s the idea of don’t climb the ladder until you know it’s against the right wall.
Dan Schroeder (21:25):
Right.
John Verry (21:26):
So to me that’s kind of the idea behind that. Where it’s interesting where I always get into an interesting conversation with SOC 2 auditors is that it’s interesting to me that I don’t think of ISO as being as much point in time as I think most SOC 2 auditors do. Because if you think about it, we’re looking at the evidence that we can look for during annex A.
Dan Schroeder (21:45):
Right.
John Verry (21:45):
Okay, it usually expands over the course of a whole year and we’ve got it done an internal audit ahead of time. Where I think that you’re right in a way, is the way I look at it, and I might be wrong here, is that I look at SOC 2 as being a much more robust audit, right? And that’s why they cost more, SOC 2 audits do. Because you guys are really doing, I think a much deeper dive. It’s more a test of many than a test of one. 7
Dan Schroeder (22:10):
Mm-hmm (affirmative)
John Verry (22:10):
And I think the idea behind that is that in ISO we’ve got a management system so we audit the management system and then we just sample the controls because we’re trusting the management system. Because there’s less of an overarching management system into the SOC 2 standard, the way I look at it is you do a much more significant sampling so I think you get a better sense of truly if the controls are actually operating effectively over an extended period of time. Would you agree, disagree?
Dan Schroeder (22:40):
I think I generally agree with that.
John Verry (22:43):
Right.
Dan Schroeder (22:43):
But let me say this, when you look at the management system requirements that underlie ISO, that they’re really highlighted our outlined in 27001 and in and of itself, those were good.
John Verry (22:59):
Mm-hmm (affirmative)
Dan Schroeder (23:00):
I think what’s really serious about an information security management system, I would really suggest that they acquire and leverage the 27003 document.
John Verry (23:08):
Mm-hmm (affirmative)
Dan Schroeder (23:08):
And the 27003 document, some 52 pages and provides a lot of narrative and a lot of terrific guidance with respect to what it means to have the management system to fulfill the various aspects of the what ISO calls the management system from the organization and the rolls and responsibilities, the accountability, the needs to have risk management objectives, what a risk assessment process looks like, how you link that to risk treatment. These are all really fantastic things that I think, and I agree with you that ISO plays this, ISO places, historically ISO places more emphasis on the ISMS.
John Verry (23:52):
Right.
Dan Schroeder (23:53):
And the direction. And are we leaning up against the right wall. But I would disagree with any notion that SOC shouldn’t be doing the same thing.
John Verry (24:01):
Oh agree completely. And we should, to be honest with you, I agree with you completely. We should do more robust audits of the annex A controls. One of my arguments against ISO, and I love ISO, is we do a crappy job. I actually don’t think that the audits are as robust as they should be. And I can’t wait to have another one of these interviews with some good folks in the ISO space and say why aren’t we holding people’s feet to the fire a little bit more than we are. So that’s where I love SOC 2 is that I think if you really want to drill in [inaudible 00:24:28] are we operating the way I think we are?
Dan Schroeder (24:28):
Yeah.
John Verry (24:29):
I think that SOC 2 attestation tells you that more. In fact we’re starting with some interesting stuff from people who want SOC 2 level investigation but their ISO certified is using a different audit standard. [inaudible 00:24:50] the ISO surveillance, like CIS, CSC, top 20 controls.
Dan Schroeder (24:55):
Right.
John Verry (24:55):
To kind of force somebody to drill in there.
Dan Schroeder (24:57):
Right.
John Verry (24:57):
So I agree with you. So getting back to this idea of, I think we’re both in agreement, they’re both great standards. I don’t think you can go wrong with either standard.
Dan Schroeder (25:06):
I just want to elaborate a little bit on the notion the relationships, the parallel in SOC 2 to what ISO has as the ISMS.
John Verry (25:14):
Mm-hmm (affirmative)
Dan Schroeder (25:15):
So if you look at the words around leadership and organization and planning and deployment things that are within ISO, there are parallels that are within SOC 2.
John Verry (25:26):
Mm-hmm (affirmative)
Dan Schroeder (25:27):
I don’t think that they are nearly as clearly articulated as, especially when you leverage the ISO 27003 and you get much more clarity. So I think the intent is there and SOC 2 is represented the governance aspect of SOC 2 is represented, this was derived from COSO.
John Verry (25:49):
So just out of curiosity, are you referring to, like I know in 270017 they changed the framework, more COSO aligned.
Dan Schroeder (25:56):
That’s right.
John Verry (25:57):
At the end of 27018 [crosstalk 00:26:02] and from your perspective you’re saying that’s where we start to layer in more of those management system concepts.
Dan Schroeder (26:07):
There’s not reason not to.
John Verry (26:08):
Right.
Dan Schroeder (26:09):
So our view has been for a long time that SOC 2, you get these criteria and then with this new iteration of the trust services criteria that became formally required as of December 15, 2018 and after, there was these criteria and there’s some 61 criteria that are further defined by 299 or 300 points of focus.
John Verry (26:36):
Right.
Dan Schroeder (26:37):
The words when you get in there, I will submit to you that practitioners, AICPA SOC 2 practitioners that look at these day in and day out sometimes come back and say, mmm, I was thinking that’s what it meant last week but I think it might be different this week. And there are experts that work with this and we do this five or six days a week. And after working with this for a year or so, we still have debates about what they mean.
John Verry (26:59):
Yeah.
Dan Schroeder (26:59):
And that’s unfortunate. So I would suggest, my opinion is they could be much more clear.
John Verry (27:06):
Mm-hmm (affirmative)
Dan Schroeder (27:08):
And the structure is fantastic, I think there’s a lot of parallels again to ISO. The clarity that’s represented by ISO we think can make your SOC 2, can provide so much more insight in terms of it says do some things around [inaudible 00:27:24] it says establish roles and responsibilities. Let’s leverage other things. There’s a lot of depth for sure within the COSO ERM if you want to go leverage that 300 page document.
John Verry (27:33):
Right.
Dan Schroeder (27:34):
But we’ve tried to do that and I think there’s some goodness there. But again, from a succinctness and from a perspective of being succinct and being clear and being so solid, again, 27003, 27002 for the operational guidance in terms of looking at those from the high level perspective of what SOC 2 says argues that that’s the way to make your SOC 2 report a really strong report.
John Verry (28:04):
Mm-hmm (affirmative)
Dan Schroeder (28:04):
And by the way, when you’ve done that, that’s it, you’re done. You’ve essentially fulfilled ISO as well.
John Verry (28:09):
Right. So I think we agree that the combination in both of us have worked with clients who have both ISO and SOC 2 and I think because of the elegant ness of the different systems and the pros and cons of each, when you combine them together, I think you’re right. Those are the most secure and best environments I’ve seen. But if you’re a guy, let’s take a step back, if you’re sitting, and you and I recently both called on the same client independent of each other and then had a conversation about it. And the question was 27001, SOC 2 [inaudible 00:28:40] right? If I’m sitting there and I’m saying hey I’m a SAS or I’m technology service firm or I’m a law firm, I need something to give to my clients to prove I’m secure. Dan, which one should I give them? How do you start that conversation with them and help them go down that path making all the [crosstalk 00:28:56]
Dan Schroeder (28:56):
Well I can highlight conversations I’ve had with that company and with other companies and it really comes back to saying what are you looking to achieve?
John Verry (29:04):
Mm-hmm (affirmative)
Dan Schroeder (29:05):
Who are your customers? What do you they need from you?
John Verry (29:08):
Right. I think that’s the most important thing. What are you being asked for? Because at the end of the day you’re doing this for your clients in most cases.
Dan Schroeder (29:14):
In most cases but then there also is the other question, what do you want to get out of it in terms of your own operational risk management? What do you want to get out of your own operational risk management, what is it that you need to be able to convey externally for assurance purposes?
John Verry (29:28):
Mm-hmm (affirmative)
Dan Schroeder (29:29):
Is it a logo or two on your website, and your marking material. Is it it for example, is it, will a logo that leads to a certification, will a ISO certification suffice.
John Verry (29:41):
Mm-hmm (affirmative)
Dan Schroeder (29:41):
Because maybe you have more of an international event or maybe there’s a nature of your clients that says we just have to have ISO and they don’t mention SOC 2, then ISO is probably the way to go. If in this company’s case, in the one that we were talking about in terms of the overlap, they also have, they work with, they support some of their clients in the financial services sector.
John Verry (30:01):
Mm-hmm (affirmative)
Dan Schroeder (30:01):
And those clients in the financial services sector, they want to do onsite audits.
John Verry (30:07):
Mm-hmm (affirmative)
Dan Schroeder (30:08):
And they want to look at a lot of details. And they’re already giving them very detailed surveys and questionnaires and all that. And they’re looking at this and saying, if we have an SOC 2 report and we present all those details, having those details is what is going to be necessary to really reduce if not hopefully eliminate, but if not eliminate, reduce the burden associated with these onsite audits.
John Verry (30:31):
Right.
Dan Schroeder (30:31):
These onsite surveys.
John Verry (30:32):
Right.
Dan Schroeder (30:32):
So it could be some combination of both of those.
John Verry (30:35):
Right. I agree completely. I think it’s mostly a matter of what is going to be the right path for you and your particular client base. Because I think we both can agree that at least in my experience, there’s more than a 90% chance if someone asks you for a SOC 2 report and you hand them an ISO report or certificate, they’re going to accept it. And vice versa. If somebody says hey I would like an ISO certificate and you hand then a SOC 2 type two service orders report, I think in both cases there’s broad acceptability of both. I don’t think you can go too wrong with either report. I think you’re going to satisfy the vast majority of clients.
Dan Schroeder (31:12):
I agree with that John. One thing that I probably should mention is that, and maybe you’ve heard of it or some of the listeners have heard of this as well is this thing called and SOC 3 report.
John Verry (31:18):
Mm-hmm (affirmative)
Dan Schroeder (31:18):
Right so sometimes they’re like what’s an SOC 3 report.
John Verry (31:21):
It’s one more than an SOC 2 report.
Dan Schroeder (31:27):
Well I guess if you’re [inaudible 00:31:31] it is but actually it’s a lot less from a content perspective. From a content perspective, I think the idea behind an SOC 3 report is that SOC 2 report because of what we talked about before with this robust system description that tells a lot about your business, it might have data blows.
John Verry (31:49):
Mm-hmm (affirmative)
Dan Schroeder (31:50):
And it might tell a little bit about how you’re doing, what it is you’re doing. And it might describe some significant aspects of what you’re doing for controls. That is a report that is by definition what we call in our profession a restricted distribution report.
John Verry (32:03):
Mm-hmm (affirmative) You’re referring to the SOC 3.
Dan Schroeder (32:06):
So the SOC 2 is restricted to the [crosstalk 00:32:08]
John Verry (32:08):
I apologize, SOC 2.
Dan Schroeder (32:09):
The SOC 2 is restricted distribution, a SOC 3 is intended to break the gap and say we can derive from SOC 2 and have much more high level type information that can then serve the general public or general marketing needs.
John Verry (32:23):
Gotcha.
Dan Schroeder (32:24):
So you’d have no such restrictions, we have clients that have SOC 3 reports that actually put that up on their website.
John Verry (32:30):
Right. [crosstalk 00:32:32] it’s funny how each of the different frameworks, people find ways to make them more like each other. So you’ve got people like, one of the pros of a SOC 2 type two service [inaudible 00:32:43] report is the level of detail. One of the cons is the level of detail if you’ve got things that went wrong. So we’ve got people that are saying like oh I don’t want to get SOC but then they get SOC 3 so there’s less detail. Then you’ve got ISO, one of the pros of ISO is it’s just a certificate, one of the cons of ISO, it’s just a certificate. So now we’ve got people who have a SOC 2, or ISO certificate and they’re saying how can I create a more robust report? Right? So we’re doing things like doing an SCA as part of the ISO internal audit. And they’re handed the SCA, SCA is standardized control assessment that’s through the [inaudible 00:33:16] assessment program.
Dan Schroeder (33:16):
Mm-hmm (affirmative)
John Verry (33:17):
So it is really interesting that I think there’s pros and cons to both frameworks and we often find ourselves addending each of them a little bit. So this speaks of, if you’re good, I think we’ve done a good job of giving someone a pretty good flavor, both great, both have pros and cons, at the end of the day, either one’s going to be good, just find the one that’s best for you is going to be talking to someone like yourself.
Dan Schroeder (33:41):
Right.
John Verry (33:41):
Or someone like myself to help them figure that out, right?
Dan Schroeder (33:43):
Right, right.
John Verry (33:44):
So talking about extensions, one of the things I like about both frameworks is that you can do more than just meets the eye with them. With ISO as an example, because you said ISO 27000 is a family. There are a number of add ons to the family that can help you do a better job of managing cloud risk. Or I love the new framework 27701 which helps you convert your information security management system to a privacy management system. So talk a little about your experience with using ISO or SOC 2 and some of these extensions that people might need to use to provide attestation of other specific areas of information security or promising.
Dan Schroeder (34:26):
You know I think they’re both, there are similarities in both of those fields as well, right?
John Verry (34:30):
Mm-hmm (affirmative)
Dan Schroeder (34:31):
So with ISO and the extensions of, I think you’re referring to 27017 27018.
John Verry (34:37):
Yep.
Dan Schroeder (34:38):
[crosstalk 00:34:38] And now 27701 which will have a separate, that will be a sort of independently certifiable.
John Verry (34:44):
A certifiable extension is the term I think I’m hearing the most.
Dan Schroeder (34:47):
Okay.
John Verry (34:48):
Is that right? I ask you because you’re the [crosstalk 00:34:51]
Dan Schroeder (34:50):
No listen…
John Verry (34:51):
I’m a dumb consultant.
Dan Schroeder (34:53):
We’re in the queue to be in the first wave of an organization qualified to do that.
John Verry (34:56):
Okay cool.
Dan Schroeder (34:57):
And so I think I call it an extension because it is a certifiable standard but our qualifications will extend from being certified to do 27000.
John Verry (35:06):
Plus you need 27001 to become 27701 so I guess that can kind of technically an extension.
Dan Schroeder (35:13):
Correct. Correct. And maybe that’s what makes it the extension. Okay that’s a great way to put that. Even before the 27701 and the privacy extension that’s represented by that there was always a thing about GDPR, we get all these GDPR privacy requirements and when you look at GDPR for example and you look at the underpinnings of what’s required for information security that’s presented in the GDPR standard, it looks a lot like ISO.
John Verry (35:41):
Mm-hmm (affirmative)
Dan Schroeder (35:43):
But then there’s data privacy requirements that were in GDPR. Our view was always that those data privacy requirements that were in GDPR could be addressed by annex A clause 18.4, might be 18.2 but 18 dot something or other.
John Verry (35:58):
Right.
Dan Schroeder (35:59):
That all the specific data privacy requirements you could address them by the way [crosstalk 00:36:04] you could tuck them into that.
John Verry (36:07):
Right.
Dan Schroeder (36:07):
And you could essentially have a defacto GDPR certification standard.
John Verry (36:15):
Mm-hmm (affirmative)
Dan Schroeder (36:16):
Because the foundation of GDPR or any privacy program for that matter is security of course.
John Verry (36:19):
Right.
Dan Schroeder (36:21):
But in this case they’ve carved it out, they’ve done it as something different which is fine. The same thing with the cloud security, the data security from the 27017 and 27018, those are all very, from an SOC 2 perspective, we have the SOC 2, I don’t know if we talked about John, there’s the additional categories. So much of SOC 2 gets talked about as the so called security category that includes all this governance stuff that we talked about.
John Verry (36:47):
Right.
Dan Schroeder (36:48):
So then the SOC 2 has the fundamental requirement of any SOC, the minimum requirements, you have to do all the calming criteria which all the governance type of requirements which are parallel to the ISMS and then the security and then in addition to that you can choose to do confidentiality, processing integrity, privacy and or availability. Any of the other four categories.
John Verry (37:09):
Yeah it’s funny, just out of curiosity, when somebody asks me they want a SOC 2 type 2, I always think of security and availability. It seems like most people end up combining those two because it doesn’t cost much more, it’s not much additional effort because there’s a lot of common criteria across the two. And I always think of the other three as being more the options. Just because I see so many people do security and availability.
Dan Schroeder (37:29):
Maybe a SAS organization right? [crosstalk 00:37:33] if you’re rendering a SAS, you know, SAS isn’t available, it’s not much good. So that’s kind of a fundamental requirement for SAS. So maybe that’s why you see that [crosstalk 00:37:41]
John Verry (37:40):
Gotcha.
Dan Schroeder (37:41):
So yeah that’s really common for that. If there’s something, if it’s a black box and there’s some complicated calculation that goes in there and there’s really no way to know, there needs to be some understanding of what’s coming out on the other end. And then processing integrity makes sense. Totally.
John Verry (37:58):
Now privacy, just out of curiosity, have you, and I haven’t. Have you look at SOC 2 privacy versus 27701 privacy.
Dan Schroeder (38:09):
Not in detail.
John Verry (38:09):
I haven’t either.
Dan Schroeder (38:10):
Not in detail yet but I [crosstalk 00:38:14]
John Verry (38:13):
Just for the record, we’re recording this after 27701 is effectively been in effect for about three months.
Dan Schroeder (38:19):
Yeah. The privacy principles or privacy category represented by the AICPA is, there’s fundamental structure around privacy. Notice, choice, consent, onward transfer, quality, some of a lot of these basic fundamentals. And then particularly, and these are things that go back 15, 20, 25 years.
John Verry (38:44):
From received the GDPR [crosstalk 00:38:45]
Dan Schroeder (38:44):
OECD international standards and so those are sort of time proven, fundamental constructs that are around security. GDPR, CCPA now introduces a lot of nuances associated with right to be forgotten and the whole data subject [crosstalk 00:39:02] so for those there’s a lot of these individual nuances. And going back an to SOC 2 world, any of those additional requirements that are out there, whatever it might be. Right to be forgotten, or incident response timeframe et cetera et cetera, those call all be incorporated into criteria. It can be added as suitable criteria in your SOC 2 report. So going back to one of the beauties of the attestation structure that is, from which an SOC 2 sits underneath [inaudible 00:39:37] you can add an infinite array or a number of considerations with respects to suitable criteria to address whatever the subject matter is.
John Verry (39:46):
Right.
Dan Schroeder (39:46):
And as long as when you’re bringing things in it’s not just what you and I thought up when we were having a drink one evening while we [crosstalk 00:39:53]
John Verry (39:53):
What’s wrong with that?
Dan Schroeder (39:54):
For you it might be good enough but if we’re going to hand it out to Wells Fargo or Allstate insurance, they might look [inaudible 00:40:03] at that so we should probably lean more towards involving what would be suitable criteria. And suitable criteria is certainly put forward by CCPA or GDPR or other standards such as that. That represents, without getting too detailed, that would fulfill the requirements of what would constitute suitable criteria. And it all can get tucked under and SOC 2 report.
John Verry (40:20):
Right. So it sounds like to me, right, that both frameworks, not only both frameworks, but both of them have some fairly good extensibility. There’s some stuff we won’t drill into now, but you’ve got ISO that can [inaudible 00:40:35] CSA stars, you’ve got high trust dovetailing with SOC 2. There’s some new SOC 2, what is the new one? SOC 2 cost security.
Dan Schroeder (40:45):
SOC Cyber Security [crosstalk 00:40:46]
John Verry (40:46):
SOC Cyber Security, right. So the nice thing about all these frameworks is that if you go down one of these mainstream core, there’s a lot of additional meat on the bone that you can leverage downstream if you need.
Dan Schroeder (40:59):
You can’t. And again I think that you can get lost in all that. People always say is this report and that report and I always say, let’s just put that to the side for the time being. Let’s talk about what you need to get out of a) from your own risk management and b) from conveying assurance. And then when you do that it will take you down the path of understanding the pros and cons of whatever the report protocol is.
John Verry (41:21):
Agree completely.
Dan Schroeder (41:22):
So we always look at that as don’t let the tail wag the dog sort of thing.
John Verry (41:25):
Right. I hope so. So we’re in total agreement that you can’t go wrong with either and it’s just a matter of where you are. Let’s talk a little bit about dollars and cents because that’s going to be a big part of the decision. So I’ll start. So from a consulting perspective the cost to get you prepped for ISO or SOC 2 is pretty similar. It might be off a little bit one way or the other, but I think the broad range that you’ll see with good consultants, probably 40 grand on the low end, 100 grand on the high end for somebody to come in depending on the complexity of your environment, to come in, stand up a full information security program that’s going to align with one framework or the other and position you for successful certification. Let’s talk a little bit about from your side of the fence, what are the typical prices and how do they differ between ISO and SOC 2 for the certification, registrar, CPA side of the equation?
Dan Schroeder (42:17):
You know ISO is a little bit different because some folks may know that ISO is a three year certification.
John Verry (42:23):
Mm-hmm (affirmative)
Dan Schroeder (42:23):
And so you’ll do the readiness that you talked about and we do what we talked about earlier of a stage one or a stage two to ultimately issue a certification. And then that certification is a three year certification that needs to be maintained, it needs to be proven to have been maintained by way of two surveillance audits.
John Verry (42:43):
Mm-hmm (affirmative)
Dan Schroeder (42:44):
So within one year of the issuance of the certification, the organization that was certified needs to subjected to what’s called a surveillance audit and a surveillance audit essentially is a lighter touch but it’s a means where there are procedures that the certifying body executes to see that that system that was deployed and proven to be in place a year ago is still effectively in place.
John Verry (43:08):
Mm-hmm (affirmative)
Dan Schroeder (43:09):
And to your point earlier John, the construct of ISO, it has sustainability. It is a system, it is put in place, it has forward motion, it has [crosstalk 00:43:22] mechanisms in place to be self sustaining and ideally continuously improving.
John Verry (43:27):
Mm-hmm (affirmative)
Dan Schroeder (43:27):
So in the surveillance audit, it’s a means of looking across, it’s a test of various controls to see whether they’re in place to do some sampling across the various controls as well as what we always think is important is some emphasis on the monitoring and the internal audit program.
John Verry (43:42):
Mm-hmm (affirmative)
Dan Schroeder (43:43):
So the monitoring and the internal audit program is in place with the organization. That and it’s feeding up and it’s doing the right sorts of things in terms of driving visibility and driving continuous improvement, corrective action, then the system will be healthy, the system will be sustainable. That needs to happen on year two and three. But the nature of the surveillance relative to the initial certification as you may know is about half the effort or less. So the cost to do that is about half or less.
John Verry (44:10):
Mm-hmm (affirmative)
Dan Schroeder (44:10):
Of the initial certification. The initial certification is not unlike the cost associated with a type one SOC 2 in a base audit. Probably on the low end for us in the mid twenties, thirties, somewhere in that range depending upon the scope of the organization. Could be a lot more depending on the number of organizations [crosstalk 00:44:33]
John Verry (44:34):
If you’re auditing 20 locations.
Dan Schroeder (44:35):
How global it is, et cetera et cetera. The scope of the business system because the array of the scope that could be from ISO could be from an enterprise all the way down to a small business, a particular service. That’s the classic answer of it depends, but for ballpark purposes, it’s kind of…
John Verry (44:52):
I usually say for a smaller organization, single location, you just don’t have an HQ.
Dan Schroeder (44:58):
Right.
John Verry (45:00):
Low twenties through mid thirties?
Dan Schroeder (45:01):
Yes.
John Verry (45:03):
It seems in that sweet spot of 28 to thirty thousand. For a high quality firm like yourself.
Dan Schroeder (45:07):
And listen, we’ve had conversations, I had a conversation with somebody this past week and they were looking for, we’re more of a higher touch, premium firm. When you work with Aprio there’s different approaches to do all this.
John Verry (45:20):
Mm-hmm (affirmative)
Dan Schroeder (45:21):
There’s some reputable firms that have a different model than Aprio does. When you work with Aprio you know who you’re going to be, who’s going to be doing your audit.
John Verry (45:28):
So just to be clear, what you’re saying, and this is a big difference between different registrars and the call structures is many registrars just use 1099’s that they’re just pulling of the…
Dan Schroeder (45:39):
That’s right, that’s right.
John Verry (45:40):
So you guys can pull your own auditors.
Dan Schroeder (45:42):
That’s right.
John Verry (45:43):
So there’s a consistency to the audit, the audit process to the way that it works. There’s the capability that you can reach out to them mid audit cycle and ask a question, you have the same people coming in year after year.
Dan Schroeder (45:55):
Absolutely. So we look at it as a three year relationship, not an audit.
John Verry (46:00):
Not three year [crosstalk 00:46:04]
Dan Schroeder (46:04):
Or three audit cycles where it’s two or three days a piece or whatever else, our business model, the way that we compete is we really focus on the relationship, we really focus on having our client’s back and making sure that when they get a report they can have some comfort that the right things are happening from security.
John Verry (46:21):
Right.
Dan Schroeder (46:21):
And then SOC and ISO, you may know that there’s still a lot of variation out there. [crosstalk 00:46:30]
John Verry (46:29):
I do want to make sure we get the dollars and cents thing because that’s such an important part of the conversation [crosstalk 00:46:34]. So if you were just using that number of 28,000.
Dan Schroeder (46:38):
Right.
John Verry (46:38):
In year one for the certification audit.
Dan Schroeder (46:41):
Right.
John Verry (46:41):
Roughly 15 to 20,000 in year two and year three [crosstalk 00:46:45]
Dan Schroeder (46:45):
That’s right or around that[crosstalk 00:46:48]
John Verry (46:47):
I usually say 50 to 75% depending on how you structure things.
Dan Schroeder (46:49):
Yeah.
John Verry (46:51):
Okay cool. So now let’s kind of take the peer organization and let’s talk about SOC 2 costs.
Dan Schroeder (46:57):
Right.
John Verry (46:59):
How would the SOC 2 costs compare?
Dan Schroeder (47:00):
Well so SOC 2, different construct involved. Most companies that do SOC 2 end up doing a Type 2 report.
John Verry (47:06):
Yes, absolutely. I think that’s the only way to do it.
Dan Schroeder (47:09):
So it’s not just designed to deploy so essentially the certification but then there’s ongoing operational effectiveness. A lot of times we’re standing them up and they need, a lot of times, companies are getting stood up for the first time, they need a SOC 2 type 2 as quickly as possible.
John Verry (47:24):
Yep.
Dan Schroeder (47:24):
A lot of times that means a six month report. We’ve got a number of client’s who are tech companies that have got a new business model going on, there’s pressure. Maybe they’ve put this off too long. And we’ll do something like a three month report.
John Verry (47:35):
But typically, six months is usually the minimum that I think [crosstalk 00:47:39] and a year, once you get past the first one, it’s a year cycle.
Dan Schroeder (47:42):
Once you do the first six months then you roll into a 12 month report.
John Verry (47:46):
Okay, and so let’s get to the cost there so we can kind of have an apples to apples for anyone [crosstalk 00:47:53]
Dan Schroeder (47:52):
Because of the nature of it, because of the actual system description that’s involved, because of all the inspection of all the design and controls and the writing as well as all the other stuff that’s part of the ISO right? So it’s a lift.
John Verry (48:04):
Yep.
Dan Schroeder (48:04):
So it certainly is more that is done. We’re looking from the low forties to 75, 80, 90 could be [crosstalk 00:48:13]
John Verry (48:13):
But you get to 90 and you’re using all the trust services criteria [crosstalk 00:48:19] Just to be fair to not make SOC 2 seem crazy different from ISO, if you were just doing security and availability for a quality firm, not Mells accounting and you see some low ball numbers out there, but for a firm like yours, isn’t it usually in the forty ish 40, 45 [crosstalk 00:48:35]
Dan Schroeder (48:35):
45, 55 something like that. Okay, right.
John Verry (48:40):
And the difference is that it’s not you’re charging more, it’s because of the nature of SOC 2 and the fact that it’s a test of many. You’re doing a lot more auditing in a SOC 2 right?
Dan Schroeder (48:53):
You are and I will tell you this as well, you’re doing a lot more auditing. There is a lot more fine tuning of getting the words right because there’s a lot of words in that report, that system description that gets presented. The actual documentation, the design of the controls, all the wording is, that gets inspected, there’s a lot of feedback and those are continuously being tweaked as well.
John Verry (49:15):
Mm-hmm (affirmative)
Dan Schroeder (49:17):
So there’s just a lot more associated with an SOC 2 report.
John Verry (49:20):
So in a weird way, you pay more but you are getting more assurance. In a strange way, if you’re the recipient, not necessarily the person receiving the report from the client. But if you’re a manager of an organization and you really want to be secure, both ISO and SOC 2 will get you there but you know that an auditor spent a lot more time verifying that you’re secure in a SOC 2 versus an ISO.
Dan Schroeder (49:44):
I think so. I think so too. Let me point out one other thing that we’ve got a perspective on and I’m interested to hear your perspective on this too John, and that is the role of the internal audit requirements. So the nature of the internal audit requirements for ISO 270001.
John Verry (50:02):
And that’s actually an interesting thought. I never thought about that but in fairness to your cost structure for SOC 2, you don’t have the requirement of an ISMS internal audit in SOC 2. You can do one and it’s not a bad idea but you’re right, if you want to be fair, if you’re doing the ISO audit at 28, you already did your own internal audit. Usually you’re paying an external consultant and usually that external consultant is charging you 12, 15,000 for the audit anyway.
Dan Schroeder (50:29):
But let me tell you.
John Verry (50:29):
That would be fairly similar right?
Dan Schroeder (50:30):
Well let me tell you this. So this is a discussion that we’ve had over the years with [inaudible 00:50:35] that’s the organization, that’s the accreditation body that accredits Aprio for this and that is how SOC 2 related output.
John Verry (50:45):
Mm-hmm (affirmative)
Dan Schroeder (50:46):
The testing from SOC 2 can be an input into the internal audit program for ISO 27001. So sometimes organizations that have ISO 27001 programs pay for an internal audit. Maybe they’ve got their own resources or they pay for somebody to come in.
John Verry (51:02):
We do 100 internal ones a year.
Dan Schroeder (51:04):
So if you’re doing an SOC 2 audit and you structure that testing throughout the year, you structure that in a manner that would align with maybe the inputs, the needs or inputs for an internal audit.
John Verry (51:14):
Mm-hmm (affirmative)
Dan Schroeder (51:15):
For example, a phased approach to testing that output that we produce, we can’t act if we’re doing SOC 2 and ISO, we can’t act as internal audit.
John Verry (51:24):
Right.
Dan Schroeder (51:25):
But the output from SOC 2 if it’s done and aligned to meet the needs of ISO can serve as input into the internal audit program so that the organization does not have to stand up and face [inaudible 00:51:36] for internal audit costs.
John Verry (51:37):
So I think what we’re saying is that if you really want to do things, awesome. The combination of the two frameworks is a little unbeatable. I mean both of them are good by themselves, but when you look at the strength and weaknesses of each, if you do end up with both. And remember, what the whole purpose of this was ISO, SOC 2 or both. So I think we’re in agreement that you can start with ISO, you can start with SOC 2, that’ll be enough to make your clients happy more likely than not.
Dan Schroeder (52:03):
Right, right.
John Verry (52:04):
But if you get to the point where you want to hold your own feet to a greater fire, the combination of the two of them is pretty damn good.
Dan Schroeder (52:10):
It is, you’re going to pay a premium as opposed to just one but it’s not [inaudible 00:52:17]
John Verry (52:17):
Yeah.
Dan Schroeder (52:18):
And if you look at it another way, if you look at the cost of a breach, if you look at the cost of losing a key client, I mean I’m sorry but you’re talking about your audit costs in a given year being 50 grand versus 80 grand? I mean and the cost of a breach being in the millions? It’s a pretty cheap form of insurance I think.
John Verry (52:39):
For the right firm.
Dan Schroeder (52:40):
And I think then if you throw in some other benefits, that it just says hey, maybe this is, it shortens the sale cycle, maybe…
John Verry (52:49):
The marketing value. [crosstalk 00:52:51]
Dan Schroeder (52:50):
It minimizes the onsite audits.
John Verry (52:53):
That’s right.
Dan Schroeder (52:54):
It simplifies the process of responding to surveys and questionnaires and due diligence and all the rest of that sort of stuff. So we get more and more companies that we’re speaking to that, and we don’t start off by saying hey, you should go get both of these.
John Verry (53:07):
No.
Dan Schroeder (53:09):
We have the conversation, we start talking about their needs. It’s not uncommon these days for people to say okay yeah and that’s how we want to do ISO or that’s how we want to do SOC 2. You’ve got it all framed up in terms of [inaudible 00:53:19] and they say and Dan, when we get that done then we want to talk to you about doing the other one.
John Verry (53:24):
Right. [crosstalk 00:53:26] so we do the same thing and honestly, if anyone who is listening is thinking about doing ISO and SOC 2 or is looking at doing ISO and 27701, I mean, there is a little bit more risk, it extends the timeline to do them both concurrently but all in all there’s a cost savings. Because when you think about it, ISO and SOC 2 have more analogs than they do differences. You’ve got a scope system in ISO that we’ve got right.
Dan Schroeder (53:50):
Right.
John Verry (53:51):
Which is a very shorthand version of the system’s description. In ISO we’ve got the concept of a statement of [inaudible 00:53:59] again a very shorthand description of a controls description from the SOC 2 world. So you’ve got the same ideas that happen in both, if you do them both at the same time there’s not a lot of reworking. I don’t think you can go through wrong. So wrap it up here. Any final thoughts, I think we beat the hell out of this pretty good. And probably a lot more than people actually wanted to hear us do because you and I could [inaudible 00:54:19] down on this stuff so mercifully are we done?
Dan Schroeder (54:22):
We’re done, we’re good.
John Verry (54:24):
I always ask this question. You and I work in the same field, we deal with the same people all the time. So I want you to think of either, what fictional character or real person that you know do you think would make either an amazing or a horrible CSIO? [inaudible 00:54:41] security director, CSIO, whatever you want it to be and why?
Dan Schroeder (54:43):
Oh jeez, I don’t know. I have the good fortune of knowing some really terrific CISOs and they’re a unique breed.
John Verry (54:54):
So what makes them great?
Dan Schroeder (54:56):
Oh gosh. I think they’re just calm and they’re just smart and they can just deal with, it’s a cliché but they’re comfortable with a board and they can have some of the most in depth, detailed conversations to understand what’s going on in the infrastructure.
John Verry (55:18):
So it’s like Deepak Chopra. Is your ideal CISO?
Dan Schroeder (55:24):
Probably, probably so. It’s hard to be more calm than Deepak. I think Oprah would agree with you.
John Verry (55:34):
All right, we’re going to go with Deepak Chopra for a hundred. Last question, again, you talk every day to the same kind of people that we talk to. So based on this conversation, what might be a good subject to for future podcaster?
Dan Schroeder (55:47):
Risk assessment and the linkage to risk management.
John Verry (55:50):
So you and I really need to talk I owe you a demo from the stuff that we’re doing there. I agree with you completely. It’s unbelievable to me that risk assessment is the foundation of information security and yet it’s not science it’s art, it’s black magic. It’s so poorly done everywhere.
Dan Schroeder (56:12):
And you know what, if you were like me John, you were probably making that same statement five years ago.
John Verry (56:16):
I was making that same statement 20 years ago. [crosstalk 00:56:20]
Dan Schroeder (56:20):
And what’s so interesting is you get into PCI or SOC or ISO or anything from this [crosstalk 00:56:28]
John Verry (56:27):
Is only as good as your risk assessment.
Dan Schroeder (56:29):
What is the cornerstone of all of that? And that is the thing that every, virtually every organization confuses and they lose track of that in terms of, but there’s, you and I would agree that there’s value to be had there.
John Verry (56:42):
Mm-hmm (affirmative)
Dan Schroeder (56:44):
There’s a role to be played with that information risk assessment in terms of how it can strengthen all the sorts of things that we talked about. But I think it’s astounding that in 2020 that that subject is so poorly understood.
John Verry (57:00):
I couldn’t agree with you more. All right before we sign off, if somebody wanted to get in touch with you, what’s the best way to get in touch with you?
Dan Schroeder (57:10):
You know, LinkedIn, a great place for that sort of thing, but if you just Google me, Dan Schroeder, with Aprio, you’ll find me speak a fair amount, write a fair amount, find me on LinkedIn. There’s a lot of Dan Schroeder’s of course [crosstalk 00:57:19]
John Verry (57:19):
But you’re the good looking on on LinkedIn. [crosstalk 00:57:25] Well if they’d watch the video they would know. [crosstalk 00:57:31] well awesome thank you for coming in, and we’re going to wrap up.
Dan Schroeder (57:36):
I enjoyed it John, thanks a lot.
Narrator (57:37):
You’ve been listening to the Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.