My company sells technology-based products and services to our clients.
In 2006 we implemented a set of controls suitable to the services that we provide to our clients and have invited an independent audit firm to conduct SOC 1 type II examinations.
In 2009 we implemented a QMS and have invited an independent audit firm to validate it against the ISO 9001 standard.
In 2010 we implemented an ISMS and have invited an independent audit firm to validate it against the ISO 27001 standard.
Currently, an independent audit firm is suggesting that we consider moving away from a SOC 1 to a SOC 2. It appears that there is a significant overlap between our ISMS and the SOC 2 principles, and we believe that the controls in our SOC 1 will lose focus if we pursue a SOC 2.
How can I explain any rationale (cost versus benefit) for our company to incur the costs of both SOC 2 and ISMS (ISO 27001) validations by independent audit firms?
I need to make a convincing argument to move in that direction when none of our customers are demanding it - only the audit firm.