There comes a point in the lifecycle of almost every SaaS company where a decision is made as to which information security framework to go with. ISO 27001 or SOC 2. There are plenty of articles on the internet comparing the intricate details and virtues of the two. But they always conclude with an unsatisfying: "it depends"!
At Upscaler we know your time is precious and for us there is no debate - ISO 27001 is the one that you should go with. There, we said it, now carry on with your day 🙂. Or, stick around for a little while longer and we'll explain why ISO 27001 is the better choice for a growing SaaS company.
ISO 27001 plays nicely with other standards
The ISO 27001 standard is based upon ISO's "Annex L". This defines the core requirements and characteristics of a generic management system. This is a very important point. Your company's management system extends beyond information security.
You may be reading this and wondering what exactly a "management system" is. A management system is all of the policies, procedures and records that your business needs to operate. Especially those that are necessary to maintain compliance. Most young SaaS companies don't really have a management system, or they have one 'of sorts', but haven't defined it yet.
Anything which is necessary for compliance and subject to review, approval, version control and communication forms part of your company's internal management system.
So, while the focus of ISO 27001 is on information security, the standard integrates very nicely with other ISO standards that are also based upon ISO's Annex L. These are standards that you may wish to introduce in the future, to further develop and improve your overall management system. They include ISO 9001 for quality management, ISO 22301 for business continuity and up to 50 other ISO standards.
We have already written about how ISO 27001 combined with ISO 9001 and ISO 22301 can be a game changer for a SaaS business. So we are not suggesting that you look beyond these standards for now. But the point is that it is possible. You have an 'upgrade path' within ISO that won't need reinventing the wheel when the time comes to step it up another level. You don't get this with the silo that is SOC 2.
ISO 27001 costs less
There is an unusual misconception out there that ISO 27001 costs more to implement than SOC 2. We have implemented both frameworks in many companies and can confirm that this is not the case. ISO 27001 is cheaper to implement and maintain than SOC 2, and by a reasonable margin.
For the purposes of exploring this comparison let's assume for a moment that a company implements both frameworks entirely on their own. They do so using internal resources, and without any external consultancy or solutions (such as Upscaler). This is not something that we recommend of course, and rarely ever happens, but let's pretend. Let's also assume that the risk profile of the organisation requires the same amount of work and controls in either framework.
With ISO 27001 the company can go straight for certification at this point. For a small SaaS company, with a couple dozen employees, the actual certification audit in year one can cost €6,000 (assuming a 3 day audit). ISO certification is also a competitive industry, particularly with remote auditing becoming commonplace. So you can easily shop around to get the best quote possible.
With SOC 2 on the other hand, you now have to find a licensed CPA (Certified Public Accountant) firm capable of conducting SOC 2 audits. There are few of them, particularly in Europe, and those that do it tend to be the larger professional services firms of the big 4 type.
Once you have found a firm, they then need to commence a process of getting to know you! Yes, that's right, the audit firm has to get to know your systems almost as well as you know them, because it is their job to write a very detailed audit report. Following the lengthy familiarisation / readiness engagement they then have to conduct the actual audit and prepare the audit report. We have never seen a SOC 2 audit quote for less than €20,000, and more often than not it's considerably higher.
In years 2 and 3 your ISO certification is maintained through surveillance (check-up) audits that take place every six months. These are shorter audits that cost about a third less in a year than the initial certification audit. In year 4 you need to undergo a complete recertification and the audit cycle starts again.
With SOC 2 you need a full audit each year to effectively renew the audit firms attestation. While this won't cost the same as your initial engagement with them in year 1, you are still talking at least €10,000 for the updated audit report.
To conclude, assuming all other things are equal, ISO 27001 costs less than SOC 2.
ISO 27001 is more widely accepted
It's generally accepted that SOC 2 is more popular in North America, and ISO 27001 is more popular in Europe. We'd take this a step further and say ISO 27001 is the default information security framework outside of the United States. The ISO (International Organization for Standardization) is an international organisation, headquartered in Geneva, and its standards are recognised and accepted globally. The AICPA (American Institute of CPAs) is the entity that governs SOC 2 and, while they do have an international membership, they are an American organisation with a local focus.
The advice we usually see given is the choice between the two depends on where your clients are. So, as the advice goes, if the majority of your clients are in the United States then go with SOC 2. If the majority of your clients are outside of the United States then go with ISO 27001. For SaaS companies, this advice doesn't work!
Nearly all SaaS companies will have a mix of both US and international clients, if not now, then it's almost certainly on the roadmap. What SaaS company doesn't want to go international at some point? Besides, the kind of companies that actually demand such certifications in the first place, are often operating internationally themselves anyway.
But here's the key point. Our team has worked in SaaS and compliance, globally, for many years. We have yet to come across a situation where a SaaS buyer asked for SOC 2, and rejected ISO 27001 when it was offered. Why would they? However, internationally - the opposite happens frequently. So even for US based SaaS companies, with a majority of their clients within the US, we would still recommend ISO 27001 over SOC 2.
ISO 27001 is more rigorous
The SOC 2 framework is comprised of five trust principles. These are security, availability, processing integrity, confidentiality and privacy. But you only have to implement the first one - security, to get a SOC 2 report. This does make SOC 2 more flexible and 'easier'. But it also leaves the door open to our natural tendency of wanting to do the bare minimum to tick that compliance box! We can all relate to this, but it is not necessarily a good thing.
ISO 27001 on the other hand ensures that the controls implemented are based upon a risk assessment of your organisation and your information security requirements. The result of the risk assessment is that the controls you implement will almost always touch on security, availability, processing integrity, confidentiality, and privacy.
Think about this for a moment. When it comes to information protection can you really be expected to address security without also addressing the integrity, confidentiality and privacy of your customer's data? Not to mention availability which is second only to security in your customer's priorities.
For this reason, ISO 27001 is the obvious choice if your company is looking to benefit from the process of implementing a robust information security framework, and not just ticking a box on an RFP.
ISO 27001 doesn't air your dirty laundry!
With ISO 27001 you become certified when you pass your audits. You are then issued with an audit report and a one-page certificate from the certification body. You can share this certificate with current and prospective customers - to prove that you are certified. Many companies even post the certificate directly on their website for the world to see. Usually inside a blog post celebrating the achievement.
With SOC 2 on the other hand, there is no one-page certificate. Instead, you are issued with an audit report only that runs to dozens of pages. In section three of this report, you'll find the description of your company's systems and controls. This is an extremely detailed section providing extensive information about the systems and processes that your company uses, and the controls that are in place to secure them. Furthermore, within a SOC 2 audit report the actual test criteria and test results are also documented. It's a wide open book into the internal workings and operations of the information systems of your business.
We find it somewhat ironic that an information security framework would allow this level of detail to be exposed to third parties. Of course, you are not expected to put your SOC 2 report on your website. Many companies would require an NDA before handing it over to their 'select' customers. But, once you send a PDF across the internet via email to one, two or several customers, you have lost control of that information entirely.
What's the concern you may ask? It's a tremendous level of detail for a would-be hacker or other bad actor to get their hands on. Equally, it's not the kind of information that you would want your competitors to have access to. No thanks.
For the record; we are not SOC 2 haters by any means. We have implemented SOC 2 in past companies and accept that it is a very good framework for information security. It's a lot better than some of the self-attestation frameworks out there (Cyber Essentials anyone? 🤔). But given the choice (which you always have) we would choose ISO 27001 over SOC 2 in a heartbeat and for the very good reasons outlined above.
Whatever you decide, don't fall into the trap of implementing both, as some might advise. Yes, once you have one, the other comes much easier than if you had to start from scratch. But why on earth would you want to burden your company with that added hassle and cost?
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.