Choosing between SOC 2 and ISO 27001 compliance

Jotform Enterprise now offers a SOC 2 Type II compliant solution. This is great news for our Enterprise customers, who will be assured of the organizational controls Jotform has implemented to promote good IT governance and mitigate risks to information security. This post outlines why we chose to pursue SOC 2 Type II compliance and how it compares to another highly regarded standard: ISO 27001.

Service organizations such as Jotform must provide assurance that they can safeguard user information and appropriately mitigate risks to its security. To achieve this, an organization implements a set of internal controls to protect that information. However, establishing controls does not by itself demonstrate that they are suitably designed or that they actually operate as intended. To demonstrate both, and to obtain a SOC 2 Type II report, the controls must be examined and tested by an independent, licensed CPA firm.

What does SOC 2 Type II compliance entail?

A SOC 2 Type II report is an attestation, covering a defined review period, against the Trust Services Criteria developed by the American Institute of Certified Public Accountants (AICPA). The criteria are grouped into five categories: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is in scope for every SOC 2 report; the other four are included only where the organization has made commitments to its customers in those areas, so two SOC 2 reports can differ considerably in what they cover, and a reader should check which categories are in scope.

An independent third-party auditor (a licensed CPA firm) assesses and reports on both the design and the operating effectiveness of the service organization's controls against the criteria in scope. This is what distinguishes a Type II report from a Type I: a Type I covers only the design of the controls at a single point in time, whereas a Type II also tests whether the controls operated as designed throughout the review period, commonly six to twelve months. Once the examination is complete, the auditor issues a report that describes the controls, the tests performed and their results, and notes any exceptions found. Management may respond to exceptions with remediation or compensating controls; a reader of the report should look at the exceptions and management's responses rather than at the opinion alone.

SOC 2 is not the only approach to achieving and demonstrating a high level of information governance and security. There are alternative standards and frameworks, including ISO/IEC 27001 and the accompanying ISO/IEC 27000 series of information security management standards.

What does ISO 27001 compliance entail?

The International Organization for Standardization (ISO) is an international body that develops and publishes standards across technology, manufacturing and many other sectors. ISO/IEC 27001, published jointly with the International Electrotechnical Commission (IEC), specifies the requirements for an Information Security Management System (ISMS): a documented, risk-driven process for identifying information security risks and for selecting, implementing and reviewing the controls that treat them. Annex A of the standard lists the reference controls an organization selects from; the 2013 edition lists 114 controls, which the 2022 revision reorganized into 93.

ISO 27001 certification is granted after an audit by an accredited certification body that measures the organization's ISMS against the requirements of the standard; a certificate is normally valid for three years, with annual surveillance audits in between. Certification assures customers that an ISMS meeting the standard is in place, although the scope of the certified ISMS may vary, so a customer should read the scope statement on the certificate to confirm that the relevant systems and services are covered. Unlike a SOC 2 Type II report, the certificate does not include the auditor's description of the controls, the tests performed or the results; it states only that the ISMS in scope conforms. An organization can also self-assess against the standard rather than certify, but a self-assessment carries no independent assurance.

Why did Jotform choose SOC 2 over ISO 27001?

Service organizations that do not already have a framework of information security controls may adopt ISO 27001 as an internationally recognized way to build one, since the ISMS requirements walk an organization through risk assessment, control selection and ongoing review. ISO 27001 is centred on the ISMS and its catalogue of security controls, whereas the SOC 2 Trust Services Criteria incorporate the COSO internal-control principles, so a SOC 2 examination also assesses broader corporate governance elements such as the control environment, board oversight, risk assessment and monitoring activities. The two are not mutually exclusive: many organizations maintain both, with much of the control evidence shared between them.

After comparing the ISO and SOC 2 Type II frameworks, we determined that the SOC 2 Type II audit process would provide a more thorough review of Jotform’s already strong security practices. The second and more important reason we opted for SOC 2 is that many of our valued Enterprise customers indicated that it was more relevant to their concerns and requirements. In fact, SOC 2 compliance was the most requested security report from our current and prospective Enterprise customers in North America and Europe.

We take our customers’ security and data management very seriously. By purchasing Jotform Enterprise, you can rest assured that your organization’s data will be handled with state-of-the-art security practices and monitored by security experts across the organization. To learn more about Jotform’s SOC 2 Type II compliant solution, contact your account representative or the Jotform Enterprise sales team.

AUTHOR
Ben Shepherd is Jotform's Compliance Lead, helping Jotform to meet high standards of information governance and compliance. Ben is based in Maldon, England where he lives with his family.
