ISO 27001 Certification & Auditing

Implement an information security management system (ISMS) to minimize cybersecurity risks

Secure Knowledge and Information

ISO/IEC 27001, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the leading standard for information security management systems (ISMS). Organizations implement and maintain an ISMS to protect critical data, mitigate risk, ensure stable operations, and provide confidence to stakeholders and customers.

TÜV SÜD's Services

Our auditors possess the accreditation and expertise to conduct ISO 27001 audits across many industries. Through our worldwide network of professionals, we can provide certification services no matter where you are. Our experts adopt a holistic approach to your information security certification. What’s more, our status as an independent certification body ensures that the TÜV SÜD certification mark is accepted worldwide, making it a powerful tool for distinguishing your company in the market. We also offer training courses that provide an overview of the standard’s requirements, helping your employees prepare for the ISO 27001 assessment.

ISO 27001 Framework

The ISMS standard framework helps companies to increase information security levels whilst improving cost-efficiencies. Watch the video to learn more about the benefits of an ISMS based on ISO 27001.

The information security standard first requires a risk assessment to uncover any potential problems that could arise, and only then defines what can be done to mitigate those risks. This establishes the cycle: identifying possible risks, systematically treating those risks, and finally implementing security controls.

ISO 27001 certification then requires manufacturers to list all controls that are to be implemented in the Statement of Applicability (SoA). An SoA is the primary physical documentation that links your risk assessment and risk treatment plan, so it is a crucial part of any ISMS.

ISO 27001 certification also outlines a set of policies, procedures, plans, records, and other documented information required for compliance. It is often compared to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and to Control Objectives for Information and Related Technology (COBIT), created by the Information Systems Audit and Control Association (ISACA), as all three are industry-leading approaches to information security.

However, while NIST CSF is more security control-focused with a wide range of groups to facilitate best practices related to federal information systems, ISO 27001 is less technical and more risk-focused for organizations of all types.

Manage Information Security Risk

The ISO/IEC 27001 standard outlines a risk management process involving people, processes and IT systems, thereby providing a holistic approach to information security. The video below gives a step-by-step introduction to the principles of risk management according to the ISMS standard and can serve as a helpful guideline for the implementation of your InfoSec system.

The Implementation Process

  1. Identify the Risk - Start by classifying your information assets. Determine which ones are critical to the operation of your business. Next identify relevant vulnerabilities. Consider factors that could pose an actual threat. Risk emerges when assets, vulnerabilities and threats overlap.
  2. Assess the Risk - Apply a risk assessment methodology to evaluate if the identified risk is acceptable or if it will be necessary to take action.
  3. Outline Measures That Could Help Reduce the Risk to an Acceptable Level - The measures or controls can be organizational such as new policies or procedures or they might be technical such as a patch or a virus scan. Start with the implementation of the most critical controls. An implementation plan is useful for setting priorities and timelines and for allocating the required resources. Be sure to monitor your information security efforts and document their effect. Bear in mind that continuous assessment and improvements are vital as business requirements and threat landscapes are dynamic factors.

ISO 27001 Certification Process

  1. Prepare a gap analysis to define the scope of the ISMS.
  2. Carry out an implementation plan.
  3. Perform a pre-audit.
  4. Step 1 audit with TÜV SÜD auditors.
  5. Step 2 audit with TÜV SÜD auditors and close any non-conformances.
  6. Receive your audit report and certificate after approval by the committee, and initiate annual surveillance audits.

--------------------------------------

AMENDMENT ISO/IEC 27006

The international rules we are obliged to follow as a certification body are constantly reviewed and monitored by the respective committees. This process resulted in an amendment of ISO/IEC 27006, the relevant standard for certifying ISO/IEC 27001, published in March 2020. As a result, TÜV SÜD Management Service GmbH must implement the rules given in this amendment by the end of March 2022, including a verification by our accreditation body, Deutsche Akkreditierungsstelle GmbH. TÜV SÜD Management Service GmbH strives to finalize this change as fast as possible. Part of the requirements for implementing the amendment is to inform existing customers about this change.

The requirements for your information security management system do not change with this amendment, only the internal processes of the certification body are affected.

FAQ

  • What is the difference between ISO 27001 and SOC 2?

    ISO 27001 (applicable to organizations of any size or industry internationally) is a standard that establishes requirements for an Information Security Management System (ISMS), whereas SOC 2 (applicable to service organizations in any industry in the United States) refers to a set of audit reports that evidence the level of conformity to a set of defined criteria (the Trust Services Criteria, TSC). ISO 27001 is designed to define, implement, operate, control, and improve overall security, while SOC 2 is intended to prove the security level of systems against static principles and criteria.

  • When is ISO 27001 certification required?

    Companies that use data handling or technology services often require their providers to be ISO 27001 certified so that they are compliant with the EU’s GDPR (General Data Protection Regulation).

  • Who needs to be ISO 27001 certified?

    ISO 27001 can be required in any sector where data confidentiality is critical, for example: healthcare, banking, HR, etc.

  • What does the IEC 27001 standard cover?

    The ISO/IEC 27001 standard defines the requirements for a certifiable information security management system (ISMS) of an organization. This includes, but is not limited to:

    • The organization has established a suitable information security management system, including mechanisms for risk identification, self-assessment, preventive and corrective actions and continuous improvement.
    • The organization has defined a plausible security level for the information processed by the organization.
    • Within the scope of risk assessment and management, the organization has identified and implemented suitable measures to ensure information security.

  • How long is an ISO 27001 certification valid?

    Organizations that achieve ISO 27001 certification are subject to yearly surveillance audits to confirm continued compliance with the requirements of the standard. A full recertification audit is required every third year following initial certification.

  • How much does ISO 27001 certification cost?

    In line with ISO/IEC 27006 and accreditation requirements, the cost depends on, among other factors, the number of employees, the complexity of the IT environment and the number of sites. For an estimated cost, contact us.
