Why ISO 27001 Is Better Than
SOC 2

The Microsoft Supplier Security and Privacy Assurance (SSPA) program requires that its suppliers have an adequate security and privacy program in place to process Microsoft confidential Data or personal data.

As of December 2021, Microsoft states in its SSPA that it will no longer accept SOC 2 reports; instead, ISO 27001 & ISO 27701 are listed as requirements.

• Version 7, Published November 2020 – PAGE 11, 14 & 15
• See Appendix A: SOC 2 reports (with security coverage) will not be accepted beyond December 2021
• Confidential Data Processing: Submit ISO 27001
• Personal, Confidential Data Processing: Submit ISO 27701 & ISO 27001

Microsoft’s “endorsement” of ISO 27001 and ISO/IEC 27701 has broad implications. When an industry leader in data security and privacy, such as Microsoft, formally “endorses” one standard over another in this manner, it is incumbent on other industry leaders industry to follow. This marks a significant shift from the previously-accepted US requirement to comply with SOC 2.

What Is the Supplier Security and Privacy Assurance (SSPA) Program?

The Supplier Security and Privacy Assurance Program is a corporate initiative undertaken by Microsoft to ensure that suppliers comply with Microsoft’s stringent data protection requirements. The Microsoft Supplier Data Protection Requirements (“DPR”) are Microsoft’s baseline data processing instructions for suppliers.

The Microsoft Supplier Data Protection Requirements (MSDRP) describes Microsoft’s data processing instructions, delivered through the Supplier Security & Privacy Assurance Program to suppliers working with Microsoft Confidential Data and/or Personal Data.

The SSPA program covers a wide range of confidential data processing activities, including audit response and reporting; data access management; information security incident management; third-party risk management; privacy impact assessments, and supplier data privacy certifications. Essentially, the SSPA program provides guidance for managing risk related to personal data processing for external parties.

“The SSPA drives compliance to these requirements through an annual compliance cycle; for new suppliers, work cannot start until this is complete. If a supplier is processing Personal Data and/or Microsoft Confidential Data, they will partner with their business sponsor to enroll in the SSPA Program. Suppliers may also be selected to provide independent assurance by completing an assessment against the DPR.”

“Strong privacy and security practices are critical to our mission, essential to customer trust, and in several jurisdictions, required by law. The standards captured in Microsoft’s privacy and security policies reflect our values as a company, and these extend to our suppliers (such as your company) that Process Microsoft data on our behalf.”

In summary, Microsoft Supplier Security and Privacy Assurance (SSPA) is a company-wide program that assures Microsoft suppliers are adequately protected in terms of information security and privacy to be permitted to process personal data, information assets or Microsoft Confidential Data in accordance with Microsoft policies.

Suppose Microsoft does not already authorise a new supplier. In that case, it must demonstrate compliance to Microsoft through ISO 27001 and ISO 27701 certifications or undergo an SSPA assessment by one of Microsoft’s “Preferred Assessors” before approval. Microsoft validates the compliance of its providers on an annual basis.

Why Has Microsoft Dropped SOC 2 in Favour of ISO?

Microsoft’s affirmation of ISO 27001 & 27701 is a decisive vote of confidence in the benefit of ISO 27001 & 27701 certifications to showcase your organisation’s comprehensive infosec & privacy program aligned with important privacy laws and regulations like GDPR, CCPA, POPIA, APPS, and APAC.

• SOC compliance is not internationally recognised, whereas ISO standards are. It is important to point out that ISO 27701 is still up-to-date (published in 2019), which means it closely aligns with international privacy laws and regulations.
• A SOC 2 attestation does not need to be obtained from an independent certification body, which means that it is more open to the possibility of a level of dishonesty akin to marking your own homework.
• A SOC 2 report is usually longer than 100 pages, and third parties rarely give it the scrutiny it needs because they are so lengthy.
• It is important to note that the audits undertaken by SOC 2 can be onerous, tedious, and costly for suppliers.
• Keeping ISO 27001 certification is less expensive than regularly keeping SOC 2 audit attestation programs up to date.
• The cost of maintaining an ISO 27701 certification is notedly lower than that of maintaining a SOC 2 Type 2 with Privacy Trust Services Criteria attestation.
• The management of both security and privacy as a single logical construct within an ISO 27701 Privacy Information Management System (PIMS) is notably easier than running different programs alongside one another.

Is ISO 27001 Better Than a SOC 2 Report?

The intricate details and benefits of the two have been extensively compared in many articles online. The answer to this question is always unsatisfactory: “it depends”, meaning it depends on where you are located in relation to your customers.

In other words, as the advice goes, if most of your clients are located in the United States, then you should go with SOC 2. If most of your clients are located outside the United States, then ISO 27001 would be a good choice. It is fundamentally incorrect and ineffective for transnational organisations, SaaS companies or similar to follow this advice, as it does not work.

SaaS companies, for example, will almost certainly have a mix of domestic and international clients; if not now, then it’s almost certainly on the roadmap in the near future.

Moreover, most companies are becoming increasingly international in their operations, which is why such certification has become a necessity in the first place. In addition, the companies that demand certifications such as ISO 27001 in the first place often operate internationally anyway.

The critical point, however, is the following. We have worked in SaaS and compliance globally for many years at ISMS.online. As far as we know, we have not encountered a situation where a company requested SOC 2 but rejected ISO 27001 when it was offered to them.

So, what’s the main difference? Isn’t one as good as the other? Well, yes and no. Internationally, however, it is quite common for the opposite to occur.

SOC 2 will hold a place for some US-centric organisations, but the smart money is on getting ISO 27001 and where appropriate ISO 27701.

Our recommendation is, therefore, still ISO 27001 over SOC 2 even for US-based companies, with most of their clients based in the US.

Why ISO 27001 Is the Better Choice

It is important to note that the SOC 2 framework is based on five trust principles. These are security, availability, processing integrity, confidentiality, and privacy.

To get a SOC 2 report, you only need to implement the first one, which is security, in your organisation. The rest are just recommended measures that you may or may not take. These measures do not affect your report if they are not implemented within your organisation. In other words, your report will not be affected if your processes are not confidential or if they are not processed with integrity.

There is no doubt that this makes SOC 2 trust services criteria much more flexible and easier. However, it does leave the door open to our natural tendency to want to do the minimum to tick that compliance box.

We can all relate to it, but it doesn’t necessarily mean it’s a good thing. Even though you tick boxes, the report you submit to your auditor at the end of the process doesn’t mean that your processes are secure.

Many companies end up with reports that are ‘tick box exercises’ but not really ‘completed’ or robust compliance mechanisms.

In other words, their reports are incomplete because they don’t demonstrate compliance with all five trust service principles within the SOC type i or type ii framework.

By contrast, ISO 27001 ensures that the controls implemented in your organisation are based upon a risk assessment of your organisation and your information security requirements.

With the proper implementation of an information security management system, you cannot get away with not implementing all the controls within ISO 27001 without good reason.

Your security controls will always be concerned with security, availability, processing integrity, confidentiality, and privacy during the implementation process.

Take a moment to reflect on this for a moment. In terms of protecting your customers’ information, can you really be expected to address security without dealing with customer data integrity, confidentiality and privacy simultaneously?

Furthermore, availability is the most important factor for your customers, coming second only to security in terms of their priorities.

This is particularly important when safeguarding personal information such as credit card numbers and social security numbers. It would be best if you took every precaution to protect this information against theft or misuse by hackers or other malicious parties.

What This Means for Your Business & Next Steps

Due to the numerous advantages that ISO 27001 offers, ISO 27001 & 27701 are the obvious choice(s) if you want to implement a robust information security control framework and not just tick boxes regarding information security, cyber security & privacy.

Implementing an ISMS will go a long way toward helping you achieve regulatory compliance and mitigate the risks of breaches, non-compliance or worse. It helps identify vulnerabilities and weaknesses in your organisation’s cybersecurity posture before they become a problem. This can prevent reputational damage and potential financial penalties/penalties.

ISO 27001 Drives Best Practice & Integrates With Other Standards

One of the main components of ISO 27001 is ISO Annex L, the description of the requirements and characteristics for a generic management system, essentially describing the features and requirements of the system. 

The importance of this point cannot be overstated. Having a management system for your company can go beyond the protecting information assets and privacy. An ISMS promotes strong business practices and better overall organisational performance. This, in turn, enables you to serve your customers better and achieve your business goals faster and more efficiently.

Implementing an ISMS allows you to keep track of current practices, measure performance and target areas for improvement over time. It also helps you maintain a competitive edge through improving customer satisfaction, optimising business operations and identifying growth opportunities.

Though ISO 27001 focuses on information security, Annex L means that it integrates very well with other ISO standards that are also based on Annex L. As part of your overall management system development and improvement activities, you may want to introduce these standards at a later date. There are over 50 ISO standards, including ISO 9001 for quality management and ISO 22301 for business continuity.

Whilst we are not suggesting that you look at these standards, for now, the point is that it is possible. ISO standards and ISMS.online’s Integrated Management System (IMS) platform provides an upgrade path, so you won’t have to buy new software. A silo framework such as SOC 2 doesn’t offer this benefit.

ISO 27001 Costs Less

There is a common misconception that ISO 27001 standard implementation is costlier than SOC 2 implementation; in fact, ISO 27001 certification is cheaper to implement and maintain than SOC 2, and by a reasonable margin.

The ISO 27001 audit is centred on the operation of the Information Security Management System (ISMS) to confirm the proper implementation of Annex A controls, so the cost is less than a SOC 2 audit. Accordingly, the audit samples only technical (Annex A) controls. Due to the lack of an ISMS, SOC 2 audits focus on assessing TSC security controls rather than the ISMS.

A significant benefit of ISO certification is that it is a competitive industry, so you can easily shop around for the best price.

In order to conduct a SOC 2 audit, you must find a company licensed as a CPA (Certified Public Accountant) capable of performing these audits. In Europe, in particular, very few companies do this, and those that do tend to be the larger professional services companies, which means they charge more.

Maintenance & Recertification Costs & Time Frames

Organisations are responsible for maintaining their ISO certification through surveillance (check-up) audits conducted annually or every six months, depending on the size and scope of your organisation in years 2 and 3. These shorter audits are more affordable than the initial audit for certification since they take about a third of the time to complete. During the fourth year, you will be required to undergo complete recertification, and the audit cycle will begin again.

As part of SOC 2, you need a full annual audit to ensure the audit firm’s attestation remains valid. While you will not have to spend the same amount as when you signed up with them for the first time in year 1, the updated audit report will still cost you at least €10,000.

Accordingly, if you assume that everything else is equal, ISO 27001 has a lower price tag than SOC 2 in the long run.

Already ISO 27001 Certified?

If you are already ISO 27001 certified, you can align your privacy program with ISO 27701 guidance and integrate it into your ISMS; this upgrade is known as Privacy Information Management System or PIMS. You can buy the privacy standard and modify the scope of your controls and policies to include PIMS guidance. Work with your auditor to extend your certification scope to include ISO 27701 at your subsequent surveillance or recertification audit.

Already SOC 2 Attested?

Moving from a SOC 2 attestation to an ISO 27001 certification is somewhat involved, but it is not too challenging. You will need to manage risk effectively in ISO 27001, so the SOC 2 security controls you have in place will likely be the same.

You will be required to document your approach and submit it to an independent third-party auditor for approval before you are certified. For smaller organisations, ISMS.online makes ISO 27001 certification is easy to manage in-house without the need for support from a third party consultant.

For larger organisations, outsourcing the ISMS certification process to an independent third party is not uncommon as it ensures the quality and impartiality of your ISMS documentation; again you don’t need to do this with ISMS.online as our Virtual Coach, Adapt, Adopt Add (AAA Framework) and Assured Results Method (ARM) will ensure you have the support needed to achieve certification first time.

Dual SOC 2 attestation and ISO 27001 certification primarily involves layering the ISO 27001 ISMS on top of your existing controls and modifying some of your documentation to reflect the differences in attestation frameworks. ISMS.online provides a clear mapping path between ISO 27001 and SOC 2, simplifying both certification and attestation.

Already SOC 2 Attested (Including Privacy)?

As with the previous scenario, you must also transition the Privacy program to ISO 27001 along with the SOC 2 transition. Once again, the SOC 2 and ISO 27701 mapping within ISMS.online simplifies the transition between the two.

Not SOC 2 Attested or ISO 27001 Certified?

As long as you have a client requesting attestation, you can continue your annual SSPA assessment. Moving toward ISO 27001 and ISO 27701 certification within 12 months is advisable if you are required to prove security and compliance to other stakeholders.

You could focus on ISO 27001 during your first year if you are limited to bandwidth and/or budget, and then address ISO 27701 during your second year when you are conducting your first surveillance audit if you have the resources and/or budget to do so.

How ISMS.online Can Help

As noted earlier, Microsoft has endorsed ISO 27001 over SOC 2, effective December 2021, and whilst this may not mean the timely demise of SOC 2, other multinational companies will likely follow suit with similar requirements from their supply chains.

ISMS.online gets you ready for ISO27001 certification by automating many of the tasks involved. Once you onboard your company to ISMS.online, our platform provides the mapping blueprint, tools, frameworks, policies, controls, actionable documentation, and guidance to help you meet every ISO 27001 requirement and SOC 2 control.

Click here to to book a demo.