October 9, 2019

Last Updated on January 15, 2024

If customers or other stakeholders are asking you for an information security attestation (my guess is they are), which of the leading frameworks do you pick—SOC 2 or ISO 27001? Both enable your organization to demonstrate your IT operations and information security practices are sound.
Based on ten-plus years of experience with both SOC 2 and ISO 27001 as both a practitioner and an auditor, here is what I’ve found to be the two biggest reasons to choose one over the other:
One: Are you doing or planning to do business outside of the US?
If you’re doing or planning to do business globally or anywhere outside the US and Canada, then ISO 27001 is often the better choice for an InfoSec attestation. It’s far more will known than SOC 2 around the world, and much more likely than SOC 2 to be requested specifically in other regions. ISO 27001 is the “Bono” of information security attestations, accepted around the world.
SOC 2 is more the like the Bruce Springsteen of information security attestations, well respected but mostly in the US.
Two: Are you looking to create a robust system and program that enable you to manage information security risk? Or do you just want an attestation to make a statement to your customer base?
With ISO 27001, you build and maintain an information security management system (ISMS). SOC 2 is just an attestation. Therefore, the timeline to a SOC 2 attestation is often quicker than for ISO 27001 certification as fewer deliverables, less methodology and less planning are involved.
So if you just want an attestation and international needs aren’t an issue, SOC 2 is probably the faster, simpler choice.
Doing ISO 27001 right starts with scoping and then risk-assessing the business, followed by a gap analysis, followed by an internal audit to make sure the identified gaps are closed and the required policy documents are in place. Only then do you apply for ISO 27001 certification. If you want to build a comprehensive information security program, then ISO is definitely the way to go.
Most SOC 2 engagements start with a readiness assessment. Then you take one to three months to close the identified gaps, create missing policies, etc. Then you take “the test”—are you compliant with SOC 2 or not?

“ISO 27001 is the “Bono” of information security attestations, accepted around the world. SOC 2 is more the like the Bruce Springsteen of information security attestations, well respected but mostly in the US.”


I acknowledge that some of my colleagues might disagree with the above. As practitioners and stewards of ISO 27001, we believe strongly in its value to protect information assets. It can be hard for people like us to admit that, especially in nonregulated industries, not every company is highly motivated to manage information security risk per se.
But if they don’t experience business drivers beyond the sales and marketing value of an InfoSec attestation, who can blame organizations for not embracing the additional rigor of ISO 27001?
What about cost, you ask? Cost for either attestation varies widely across our industry. Further, the new version of SOC 2 is much more like ISO 27001 in terms of criteria. As a result, cost factors are now probably more likely to be comparable both initially and over time between SOC 2 and ISO 27001.
Here at Pivot Point Security we are framework-agnostic. Contact us to talk over your business drivers and goals for information security attestation. We can help you make the ideal choice between ISO 27001 and SOC 2… and make success a guaranteed reality.