Hand holding a floating shield & checkbox

Demystifying SOC 2 Type 2 and ISO 27001/ISO 27018 Compliance

An Overview of the Key Industry Certifications for Protecting Customer Data

It’s not easy to evaluate technology vendors’ ability to protect your customers’ personal data. The stakes are high, with data breaches ever-lurking and criminals continuing to find clever ways to circumvent common multi-factor security measures.

The task is also complex. As organizations move more data to the cloud, they must control and oversee more security standards and best practices. How can third parties prove their ability to protect your company’s data? Which certifications should you look for? This post will highlight three of the most prevalent standards: SOC 2 Type 2, ISO/IEC 27001 and ISO/IEC 27018.

The Confusing Overlap Between SOC 2 Accreditation and ISO 27001 and ISO 27018 Certifications

Standard Commonly Called SOC Tpe 2, SOC Type 1ISO 27001ISO 27018 Governing/Publishing Body American Institute of Certified Public Accountants (AICPA)International Organization for Standardization (ISO)International Organization for Standardization (ISO) System and Organization Controls(SOC) for Service OrganizationsISO/IEC 27001ISO/IEC 27018:2019

Let’s begin with the similarities. SOC 2, ISO 27001 and ISO 27018 all describe auditing procedures, or sets of rules, that auditors use to evaluate the expertise and practices of companies that handle and secure sensitive information, including those related to Software-as-a-Service (SaaS) offerings. These codes have been written in collaboration with numerous information security and cloud computing experts organized by two distinct bodies, the American Institute of CPAs (AICPA) and the International Organization for Standardization (ISO) out of Switzerland.  

The other main thing they have in common is that adherence is optional. None of these standards is required by any specific regulation, from the Health Insurance Portability and Accountability Act (HIPAA) to the Payment Card Industry Data Security Standard (PCI-DSS). But to say that they aren’t required is not to say that they aren’t powerful indicators of competency.

The key force driving the adoption of these standards is the market. Understandably, companies are seeking objective reassurance that any operator handling their data is able to maintain the highest levels of security — especially in industries like financial services and healthcare, that are continually battling the threat of fraud.

Where the Differences Lie

ISO/IEC 27001 deals with information security management. ISO27001 is a technology-neutral standard that details a six-part approach for constructing a model information security management system (ISMS). Its scope encompasses all legal, physical and technical controls related to keeping information assets secure.

ISO/IEC 27018:2019 on the other hand, is a code of practice specifically related to the protection of personally identifiable information (PII) in public clouds. Certification to ISO27018 means that an independent authority has verified that a company has a system of controls in place to protect the privacy of this particular type of data — for themselves and their clients.

SOC 2, like ISO27018, was specifically designed for service providers that store customer data in the cloud. Like the ISO standards, SOC 2 provides for third-party validation of these capabilities. SOC 2 criteria are intended to meet the need of a broad range of organizations, and since its introduction in 2009, it has become a de facto prerequisite for businesses wanting to protect their customer information.

SOC 2 Type 1 Versus SOC 2 Type 2: Which Is Better?

It’s important to know that SOC 2 audits can take multiple forms, Type 1 and Type 2. These two types cover the same five principles:

  1. Data processing and storage availability
  2. Confidentiality
  3. Security
  4. Privacy
  5. Processing integrity

But they differ both in depth and scope.

An easy way to think about the difference between Type 1 and Type 2 is that one describes the design (Type 1), while the other deals with the practice (Type 2). Type 1 is about an organization’s blueprint for compliance — what they set out to do. Type 2, on the other hand, is an evaluation of what they actually do, as observed by an auditor over a set period of time.

This distinction is why SOC 2 Type 2 has become the gold standard for evaluating potential cloud service providers. SOC 2 Type 2 compliance takes longer to attain, but its presence holds more weight than Type 1.

What This All Means for Organizations Seeking to Secure Customer Data

A basic awareness of each of these standards, what they cover, and how they differ from one another is an important step in selecting an information security provider of any kind. Any time your organization trusts another one with customer data, every assurance must be taken to maintain privacy.

For this reason, many organizations have historically preferred on-premise solutions over cloud-based offerings. However, cloud-based IT solutions are increasingly being recognized as on par with their on-prem counterparts. And a big part of that shift has been driven by the growing adoption of the stringent codes outlined in this piece.

For seamless identity authentication trusted by numerous consumer banks, HID Global offers a cloud-based authentication platform that is SOC 2 Type 2 and ISO 27001 certified.