cyBARR Chats: Episode 22, How to Achieve an ISO 27001 Certification and a SOC 2 Report with BARR

Transcript:

[00:00:00] Kyle Cohlmia: Welcome to today’s cyBARR Chat. My name is Kyle Cohlmia, and I’m the associate content writer at BARR Advisory. Today we’re joined by Cameron Kline, who is our director of attest services. Something that sets BARR apart is that we have a unified team of auditors who are able to perform audits against two of the highest-regarded standards in cybersecurity.

That’s ISO 27001 and SOC 2. Cam is here to provide us with specific details on the difference between the two frameworks, why you might need both, and how BARR accelerates our audit process for achieving both an ISO 27001 certification and a SOC 2 report at the same time.

Let’s begin. Thank you so much Cam for being with us today. As someone who works closely with our clients, you know that it’s a common challenge for the amount of time that they spend on audits. Can you talk a little bit more about BARR’s eligibility to perform audits for both ISO 27001 certification and a SOC 2 report, which ultimately saves them time and resources?

[00:01:06] Cameron Kline: Yeah, of course. Thanks, Kyle. So in 2021 through the ANSI National Accreditation Board, or the ANAB, and the American Institute of Certified Public Accountants, or the AICPA, BARR became one of only a handful of firms in the U.S. eligible to issue both ISO 27001 certificates as well as SOC 2 reports. BARR Certifications is the certification body for BARR Advisory, and together we can help organizations achieve both an ISO 27001 certification and a SOC 2 report.

While we leverage our resources across both audits, BARR Certifications issues the ISO 27001 certifications, while BARR Advisory issues the SOC 2 reports.

[00:01:50] Kyle Cohlmia: Gotcha. Thank you so much. I also know many organizations can benefit from adhering to both the ISO 27001 and SOC 2 standards. Can you talk a little bit more about the difference between the two frameworks and why organizations might need both?

[00:02:06] Cameron Kline: Yeah, absolutely. Both ISO 27001 and SOC 2 provide organizations with a strategic framework to implement and measure security controls. ISO 27001 is a set of standards and requirements for an information security management system, or an ISMS, and as an internationally accepted standard, it’s an excellent choice for organizations that serve clients abroad.

SOC 2 uses the U.S.-based AICPA trust service criteria to meet the needs of a broad range of users that require detailed assurance of the controls of the service organizations. While the two frameworks cover similar topics, one big difference between ISO 27001 and SOC 2 is that specific standards can be certified under the ISO 27001 series.

SOC 2 audits result in an attestation report rather than a certification. Having an ISO 27001 certification and a SOC 2 report under your belt increases customer trust, and you’ll stand out as an organization that takes security seriously while instilling the most confidence in your clients.

Clients who’ve completed an ISO 27001 certification and a SOC 2 report with BARR not only adhere to two of the highest regarded cybersecurity frameworks, but they’ve indicated results like improved compliance processes, simplified evidence collection, decreased time spent on the audits, and gaining a true partnership.

[00:03:28] Kyle Cohlmia: Awesome. So lots of good benefits you just mentioned. So now that we understand the difference between the two standards, let’s talk about BARR’s process.

What do typical audits look like for clients who want to adhere to both ISO 27001 and a SOC 2 report?

[00:03:45] Cameron Kline: Yeah, definitely. Certification to ISO 27001 consists of two stages that include walkthroughs, nonconformity reviews, and a remediation plan. The first stage involves walkthroughs of ISO clauses four through 10, while the second stage looks at Annex A controls. And a little more detail about Stage 1, I really think about this as a true readiness assessment. So typically, it’s usually only one day that you’ll spend with the auditor going through the required documents. And then from there, we’ll make the decision to move to Stage 2 to remediate some Stage 1 items. Following preparation of the Stage 2 ISO audit, Stage 1 generally takes two to three days.

After Stage 1 is completed, Stage 2 can generally be completed, for most organizations, depending on their size, within one to two weeks.

BARR will then issue an internal report and public-facing certification suitable for three years with surveillance audits. The duration of SOC 2 reporting depends on the type of report. If your organization has previously documented controls through an automation partner, a Type 1 report may be performed immediately.

Type 1 reports offer a point-in-time, testing your design as of a specific date. Type 2 reports are generally audited throughout a three to 12 month period.

[00:04:59] Kyle Cohlmia: Great. Thank you so much, Cam. I’ve heard that with BARR, a combined ISO 27001 and SOC 2 audit can feel more like one and a half audits.

Is this true?

[00:05:11] Cameron Kline: Yeah, definitely feels like that. We’ve definitely had a lot of comments related to that from our partners that have both completed SOC 2 and ISO certifications with us. BARR auditors serve as a unifying team to accelerate the engagement process for organizations seeking an ISO 27001 certification and a SOC 2 report.

While certifying toward ISO 27001 does take a certain amount of initial planning and time with your auditor, its flexibility means most ISO 27001 requirements will map over seamlessly to your SOC 2 reports. This means your SOC 2 auditors, who are also certified lead auditors with BARR, will leverage our resources to map SOC 2 control requirements. During your ISO 27001 meetings, you’ll bypass some of the additional walkthroughs to obtain a SOC 2 Type 2 report simultaneously saving you many hours to achieve two of the highest levels of security.

[00:06:04] Kyle Cohlmia: Wow, that’s really amazing. I know that our client Codat recently completed both a combined ISO 27001 and SOC 2 audit. Can you describe what their experience was like?

[00:06:16] Cameron Kline: Yeah, of course. Codat said that through their search for an auditor, BARR stood out, among other firms, as genuinely friendly and easy to work with.

We were able to give Codat the compliance they needed in less time. After completing their ISO 27001 certification and SOC 2 report with BARR, Codat also mentioned they were able to increase customer trust and quickly build upon their growing U.S. customer base.

They’ll be working with us in the future on all of their cybersecurity goals and needs.

[00:06:43] Kyle Cohlmia: Great. That is truly amazing. And then my final question, is there anything else you’d like to add to inform organizations who are interested in ISO 27001 certification and a SOC 2 report simultaneously?

[00:06:56] Cameron Kline: Yeah, absolutely.

The last thing I would say is when choosing the right framework, or both, you’ll want to consider available resources, organization complexity, location, and how much time you have to go through the audit process. While BARR does everything we can to simplify the process, there is a certain amount of time and resources needed to be done by organizations ahead of time.

Again, having both an ISO 27001 certification and SOC 2 report can ensure compliance with many different types of customers, both nationally and abroad, and really differentiates organizations from the rest as one who takes security and compliance seriously.

[00:07:32] Kyle Cohlmia: Great. Thanks Cam. So being able to audit against both standards is such a great resource that BARR offers. Thank you so much for sharing your insights on these benefits and BARR’s proven process when auditing against both ISO 27001 and SOC 2. I know many organizations will find this helpful that we can help them save time and resources so they can just focus on what they do best at work.

As always, we appreciate you joining us on cyBARR Chats and keeping us up to date on the latest cybersecurity resources. Thanks everyone. We look forward to seeing you next time.

Thanks everyone.