ISO 27001 vs. ISAE/SOC

Why it sometimes makes sense to compare apples and oranges

Ralf Hofstetter
Director for Trust & Transparency Solutions
PwC Switzerland

Cristian Manganiello
Partner for Risk and Compliance Management Services
PwC Switzerland

“We have ISO 27001 certification. Do we also need an ISAE/SOC assurance report?” We often hear this simple question. The answer is far less simple, because the question sets two certification concepts side by side that are very difficult to compare. In this blog post we shed some light on the two worlds to explain their advantages and disadvantages. And finally, we reformulate the question.

ISO 27001

ISO/IEC 27001 – ISO 27001 for short – is an international standard for information security in private, public and non-profit organisations. It is part of the ISO/IEC 2700x family of standards and was published by the International Organization for Standardization (ISO). The principle-based standard describes the requirements for establishing, implementing, operating, optimising and updating (continuous improvement process) a documented Information Security Management System, which is developed on the basis of a family of a total of six standards: ISO 27001 to 27005.

ISO certification is issued as a one-page certificate by accredited ISO auditors and reflects the situation on a given date. Until now, many companies have regarded ISO 27001 as a yardstick for the maturity of their own information security. But as risks are constantly evolving and penalties for errors and omissions are becoming stricter, it is not surprising that the required level of security for data and processes is increasing and a broader view is needed.

ISAE 3402 and SOC 1®

If a company outsources processes relevant to accounting and financial reporting, it must ensure that an appropriate internal control system and risk management are in place and effective. The outsourcing company and its statutory auditor must establish what internal controls the contracted service companies have in place. These service organisation audits are time-consuming and expensive. 

The responsible auditing bodies have recognised this problem. The International Auditing and Assurance Standards Board (IAASB) has issued the International Standard on Assurance Engagements 3402 (ISAE 3402). The US equivalent is called the SOC 1® report and is based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). 

The purpose of both of these assurance engagements is to evaluate all of a company’s relevant information systems in terms of availability, integrity and/or confidentiality. The selection of the processes to be assessed is also at the discretion of the commissioning company but must be validated by the independent practitioner. Nonetheless, the ISAE and SOC® standards provide a degree of flexibility whereby a company can focus on those areas that are critical to its clients, investors and suppliers, as well as its statutory auditors. In particular, these auditors are required to consider the ISAE 3402 / SOC 1® report in accordance with ISA/ISA-CH 402 and ISA/ISA-CH 315 (Revised) in their work.  

The best of both worlds

We all know that apples should not be compared with oranges. But we’re going to do it here anyway, in order to obtain some clarity about the advantages and disadvantages of the two examinations (see table). 

| Report nature | Attestation (ISAE/SOC®) | Certification (ISO 27001) |
|---|---|---|
| Report | Assurance report with opinion from the independent auditor | Certification with no opinion |
| Management statement | Includes a management statement related to the control environment | None |
| Deliverable | Comprehensive assurance report including the description of the control environment, the design and implementation of controls (Type I report) and the operating effectiveness of controls (Type II report) | One-page certificate stating that the management system is in place |
| Reliance | Can be relied upon by customers and their statutory auditors as well as other stakeholders | Does not provide any audit comfort |
| Distribution | Restricted to defined stakeholders (except for ISAE 3000 and SOC 3) | No restriction |
| Level of acceptance | Recognised and accepted by customers and their statutory auditors as well as other stakeholders | Depending on the audience |
| Subcontractors | Transparency over subcontractors utilised and the reliance on their controls | Not disclosed |
| Involvement of internal audit or compliance function | Possible; if their work is used by the independent auditor, this fact is disclosed in the assurance report | Not applicable |
| Coverage / validity | Point in time (Type I); period over time (Type II), typically 1 year | Certification audit in year 1 and surveillance audits in years 2 and 3; point in time |
| Period under review | Retrospective | Forward-looking |

ISAE/SOC® report and ISO 27001 certificate compared

An ISO certificate is easier and faster to obtain than an ISAE or SOC® assurance report. While the ISO standard is limited to how controls are structured on day X, ISAE and SOC® enable the operating effectiveness of controls to be tested over a period of time. The scope of an ISAE or SOC® assurance report is therefore much broader than that of an ISO certificate. In an assurance report, in addition to the usual sections such as the company’s own assessment and an outline and detailed description of the control objectives, the practitioner’s independent conclusion or the auditor’s independent opinion is presented. This is completely missing from an ISO certificate. Accordingly, the external statutory audit may rely on an assurance report, but not on a certificate. The certificate merely provides management with information about which information security controls are sufficiently well developed and which, if any, need to be optimised or completely revisited from a forward-looking perspective.

Operational reporting on the upswing

As the profile and attractiveness of ISAE and SOC® assurance engagements grow, they are becoming increasingly important for companies with an international focus – and Switzerland is no exception. They offer strategic and operational management an in-depth insight into in-house process maturity, provide valuable pointers for high-quality control and risk management, and contribute to the resilience of an organisation. ISAE and SOC® assurance reports cover the diverse requirements of different stakeholders. This means a company can avoid doubling up on work to meet audit requests from different parties. These operational assurance reports are also an excellent way for a company to show its board of directors, clients and business partners that it operates in a responsible manner, and to demonstrate its trustworthiness and resilience in comparison with competitors.
