
Digital M&A Security: Comparing ISO 27001 with SOC2

Posted by Kimmo Koivisto

We sometimes receive inquiries from our customers about why we hold an ISO 27001 certificate but not a SOC 2 attestation. In our view they are competing standards with many similarities: both aim to improve information security management, and they share multiple requirements. Although they overlap, they also differ. Below is our take on the differences and on why we feel ISO 27001 is more suitable for us.

| Issue or area | SOC 2 | ISO 27001 |
|---|---|---|
| Target audience | North America | International |
| Focus | Adherence to trust principles during a period of time in the past | Information Security Management System's compliance and adaptation now and going forward |
| Applicability | More applicable to datacenter operators and similar | More applicable to software providers like us |
| Best use | Measure and demonstrate how a service organization has fulfilled their security principles and criteria last year | Implement, maintain and improve an ISMS (Information Security Management System) |
| Difficulty to obtain | Medium | High |
| Proof of compliance | Independent attestation by a professional accountant organization | Certificate by an ISO-approved certification body |
| Customer preference | Rarely | Almost all customers |

In short, we feel that the ISO 27001 certificate provides more business value to an international software provider like us. If you have further questions, please contact your sales representative or account manager.

