Posted by Kimmo Koivisto
We sometimes receive inquiries from our customers about why we have an ISO 27001 certificate but not a SOC 2 attestation. We feel that they are competing standards with a lot of similarities. Both are targeted at improving information security management, and they share multiple requirements. While they overlap, they also differ. Below is our take on the differences and why we feel ISO 27001 is more suitable for us.
| Issue or area | SOC 2 | ISO 27001 |
|---|---|---|
| Target audience | North America | International |
| Focus | Adherence to trust principles during a period of time in the past | Information Security Management System's compliance and adaptation now and going forward |
| Applicability | More applicable to datacenter operators and similar | More applicable to software providers like us |
| Best use | Measure and demonstrate how a service organization has fulfilled their security principles and criteria last year | Implement, maintain and improve an ISMS (Information Security Management System) |
| Difficulty to obtain | Medium | High |
| Proof of compliance | Independent attestation by a professional accountant organization | Certificate by an ISO-approved certification body |
| Customer preference | Rarely | Almost all customers |
In short, we feel that the ISO 27001 certificate provides more business value to an international software provider like us. If you have further questions, please contact your sales representative or account manager.