SOC 2, ISO 27001 or both?

Tags:
ISO
IT audit
Security
My company sells technology-based products and services to our clients. In 2006 we implemented a set of controls suitable to the services that we provide to our clients and have invited an independent audit firm to conduct SOC 1 Type II examinations. In 2009 we implemented a QMS and have invited an independent audit firm to validate it against the ISO 9001 standard. In 2010 we implemented an ISMS and have invited an independent audit firm to validate it against the ISO 27001 standard. Currently, an independent audit firm is suggesting that we consider moving away from a SOC 1 to a SOC 2. It appears that there is a significant overlap between our ISMS and the SOC 2 principles, and we believe that the controls in our SOC 1 will lose focus if we pursue a SOC 2. How can I explain any rationale (cost versus benefit) for our company to incur the costs of both SOC 2 and ISMS (ISO 27001) validations by independent audit firms? I need to make a convincing argument to move in that direction when none of our customers are demanding it, only the audit firm. Thanks.


Interesting situation. What are your customers and business partners asking for? I do see people pursuing multiple avenues but it may not be necessary. If I were management, I wouldn’t want to pay for (and deal with the hassles associated with) multiple audits if one would suffice.
