Expert Advice Community

Guest

Including SOC 2 controls in SoA

Guest user Created: Mar 05, 2021 Last commented: Mar 05, 2021

I hope you're doing well. I watched the ISO 27001 Lead Auditor Exam training videos and found them to be very useful! Thank you for offering this free training. I am leading the ISO 27001 internal audit efforts at my company for the first time this year and wanted to seek your guidance. Our company's ISMS is ISO 27001 certified and we also have a SOC 2 Type 1 certification.

1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.


Expert
Rhand Leal Mar 05, 2021

1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

In case the SOC2 controls are applied to elements included in the ISMS scope, then you need to include them in the Statement of Applicability, but please note that some of the ISO 27001 Annex A controls can be used to fulfill the Trust Services Criteria used by SOC2, so in these cases you can refer directly to the related Annex A controls.

It is also important to note that, to include the SOC2 controls in the Statement of Applicability, you first need to review your risk assessment and risk treatment, and the applicable legal requirements, to ensure that you have the proper basis to include these controls in the SoA.

This article will provide you with a further explanation about ISO 27001 and SOC 2:

2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.

Please note that added controls need to be audited in the next surveillance audit because their impact on the information security levels needs to be verified.

Considering your limited resources and time, an alternative could be to first include the controls that have the biggest impact on information security (i.e., they are the single or main controls applied to treat related risks) and leave other, less impactful controls to be included in the next year. Additionally, note that since some controls of Annex A can be used for SOC2, this can reduce your need for resources and time.
