866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Your Questions About ISO 27001 Answered Blog Feature
RYAN MACKIE

By: RYAN MACKIE

Print/Save as PDF

Your Questions About ISO 27001 Answered

ISO Certifications

An ISO 27001 certification can help your business stand out. It lets your customers and potential customers know you care about and will protect their information. It can also help you streamline internal processes.

But the certification brings with it its own set of unique questions. Here are answers to the most frequently asked questions about ISO 27001.

How much of a SOC 2 examination can be leveraged to give an organization a head start on becoming ISO 27001 certified?
There is a tremendous amount of overlap between the control set in the trust services principles in the SOC 2 and those within ISO 27001 Annex A—about 70 percent of the controls will be shared with both. If your organization has a successful SOC 2 examination and has those controls in place, then the majority of those controls will be shared within the ISO information security management system (ISMS) and can give an organization a great jump on preparing for the ISO 27001 initial certification review. However, there are not a lot of elements within SOC 2 that will support the requirements within the management system.

How can the 27001 certification compare to the SOC 2 examination?
Despite the commonality within the control sets, these two compliance efforts are very different. The SOC 2 examination is intended to show that an organization has the right controls in place to meet a generally accepted criteria set, in the case of a Type 1 SOC 2 examination, and how those controls are operating effectively, in the case of a Type 2 SOC 2 examination. The SOC 2 examination provides a robust report deliverable that includes a full narrative of the people, infrastructure, applications, processes, and data supporting the services within the scope.  The third party examination, performed by a CPA firm, demonstrates the organization’s control set as of a point in time or during a review period.  It is a historical report that is typically re-performed annually. 

ISO 27001 certification, however, is intended to show that an organization meets the requirements of an information security management system, specifically those within ISO 27001. Though a report is issued, the report is intended to be internal only.  The certificate, though, is evidenced that a third party certification body has validated that the organization has the people, processes, programs, and controls in place to identify, address, and remediate their information security risk, applicable to the scope, and that the necessary controls are monitored to ensure that they are operating effectively and continue to contain the organization’s information security risk.  

Having both the ISO 27001 certification and the SOC 2 examination is a great compliance duo.

What are competing ISO standards and how does ISO 27001 compare?
ISO is trying to design each of its management system standards with the same common clauses—scope, planning, resources, leadership, measurement and monitoring, and continuous improvement—because it understands an organization may have multiple management systems in place and the need for multiple ISO certifications.

If you have multiple management systems, they are designed with a common set of standards. That means you can perform one internal audit for both and also have the external audits performed at the same time to lessen the audit footprint and audit fatigue.

If I have a finding in my SOC 2 report, does that mean I will fail the ISO certification?
No. With ISO 27001, the effort is not pass or fail. It’s about the active management system, and there may be things within your system that are weaker than others, but those areas may just need some support or attention to be able to meet the requirements with the key being risk mitigation and corrective action. For example, should you have an exception in a SOC 2 report, if there’s a corrective action plan around the issue, including the identification of the root cause, containment of the issues, immediate correction, and a going-forward plan to ensure the issue is addressed, then that should demonstrate a healthy management system, which would not result in a failure of the ISO 27001 certification review.

Are there any open standards for ISMS someone can follow before switching to ISO 27001?
No. The 27001 standard is unique in regards to what an organization has to have in place to be able to meet. An organization can adopt elements of ISO 27001 without having to go through the certification process, and this adoption would only result in a stronger information security risk management posture and prepare the organization for an ISO 27001 certification review as part of the future plan.

From an external perspective, how can I rely on the 27001 certification when an organization can specify its own scope?
When an organization scopes their information security management system, it's critical to keep the end result (and the customer) in mind. Part of the scoping requirements in ISO 27001 include identifying the interested parties, which could include customers, and the requirements of those interested parties. A certification body is required to assess that scope and its conformance to Clause 4 in the ISO 27001 standard as fit for purpose. However, an organization does the ability to scope their management system as they want.

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.