Why Your Organization Should Consider Combining Your ISO and SOC Audits
Many service organizations can become overwhelmed by the various security-related compliance requests from their customers. A service organization may consider adopting a new framework to maintain continued credibility, gain new market share or stem the volume of compliance-related requests. The good news is that many frameworks have overlapping control objectives and requirements. However, most service organizations are unsure how to comply with multiple frameworks efficiently.
This article focuses on efficiently merging your efforts around ISO 27001:2022 and System and Organization Controls (SOC) 2 frameworks. All service organizations can benefit from combining the internal audit requirements of ISO 27001:2022 with their SOC 2 attestation efforts.
Identifying the Players
International Organization for Standardization (ISO) 27001:2022
ISO 27001 is an international standard that requires establishing, implementing, maintaining and continually improving an information security management system (ISMS). An ISMS is a set of policies, procedures and controls that help an organization manage its information security risks and objectives. This standard applies to any organization regardless of size, type or nature and has a defined internal audit requirement (Clause 9.2).
American Institute of Certified Public Accountants (AICPA) SOC 2
SOC 2 is a framework developed by the AICPA that evaluates the effectiveness of a service organization's controls against defined Trust Services Categories (TSC). The security category is required, while the availability, processing integrity, confidentiality and privacy categories are optional. This framework applies to service organizations providing hosted services to their customers.
Understanding the Requirements
ISO 27001:2022 Internal Audit Requirements (Clause 9.2):
ISO 27001:2022 requires organizations to conduct internal audits at planned intervals to ensure the ISMS and information security controls conform to the organization’s requirements and the international standard. This requirement focuses on the ISMS’s effectiveness, including the performance of security controls and risk management processes as represented by the required Clauses and Annex A controls.
NOTE: External audit requirements exist from accredited certification bodies but are not the focus of this article.
SOC 2 External Audit Requirements:
SOC 2 audits involve an examination by an independent CPA firm to assess the design and effectiveness of controls related to the AICPA TSC. The SOC 2 audit focuses on the design and operating effectiveness of the hosted system and its supporting controls to address the specified TSC.
Why to Combine
Clause 9.2 of ISO 27001:2022 requires periodic internal audits. Based on external audit guidance, best practices, and a conservative approach, we interpret periodic as an annual internal audit.
While SOC 2 doesn’t mandate an external audit cadence, most service organizations have their SOC 2 Type 2 audit performed semi-annually or annually.
Service organizations complying with SOC 2 and ISO 27001:2022 may not realize that more than 50% of the controls (often upwards of 70%) defined for ISO 27001:2022 map to the AICPA’s SOC 2 TSC. The AICPA recognized the value and opportunity of linking with ISO 27001 and published a mapping to the ISO 27001:2013 framework. There is currently no published mapping to ISO 27001:2022.
Service organizations complying with SOC 2 and ISO can work with the CPA firm performing their SOC 2 Type 2 audit to:
- Map existing Clauses and Annex A controls for ISO 27001:2022 to the AICPA SOC 2 TSC.
- Identify existing ISO Clauses and Annex A controls that don’t directly link to SOC 2.
- Provide evidence to support the “combined” controls and those that don’t directly link to SOC 2.
- Issue a SOC 2 Type 2 attestation opinion.
- Issue an ISO 27001:2022 internal audit report.
Similarly, service organizations complying with ISO 27001:2022 and looking to have a SOC 2 audit performed can work with a CPA firm to perform a readiness assessment and move to a combined SOC 2 Type 2 and ISO 27001:2022 internal audit (Clause 9.2) by:
- Mapping existing ISO 27001:2022 Clauses and Annex A controls to the AICPA SOC 2 TSC.
- Identifying gaps where existing ISO 27001:2022 Clauses and Annex A controls do not address the SOC 2 TSC.
- Providing a remediation roadmap for management to remediate the gaps identified and implement controls that address the SOC 2 TSC.
Finally, service organizations that have a SOC 2 Type 2 audit performed and are looking to achieve ISO 27001:2022 compliance can work with a CPA firm to perform a readiness assessment and move to a combined ISO 27001:2022 internal audit (Clause 9.2) and SOC 2 Type 2 audit by:
- Defining the scope of the ISMS.
- Mapping existing SOC 2 controls to ISO 27001:2022 Clauses and Annex A controls.
- Performing a risk assessment and completing the ISO 27001:2022 gap assessment.
- Providing a roadmap for management to remediate the identified gaps and implement the appropriate controls that address the ISO 27001:2022 Clauses and Annex A controls.
Benefits of Combining
The main benefit of combining the ISO internal audit and SOC 2 attestation efforts is that they become a single audit exercise. A single audit will help reduce control owner “audit fatigue,” align the testing windows and provide a seamless audit approach. Additionally, this combination reduces the cost compared to two separate audits. The bulk of the effort to combine the two audits falls to the CPA firm, which handles the behind-the-scenes work of mapping and streamlining the efforts. The service organization provides the same evidence it has in the past, just consolidated at a single point in time.
If you have questions about combining your ISO 27001:2022 and SOC 2 audits, the Moore Colson Risk Advisory team can help. Don’t hesitate to contact us for more information.