SOC2 vs. ISO 27001 vs. COBIT

It truly is an interesting time to be in Information Technology, especially on the information security front. Although hacks and breaches consume the media, audit and controls run the IT hallways. This article contains a random sampling of notes acquired on this topic as leaders unpack what to measure and what not to measure.

“SOC2 audit is required to do business with us.” – Prospective Client

SOC2:  https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html

Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found quality and consulting come at a higher price, so selecting the right auditor is a key success point.

Found this article from Linford & Co, LLP CPA firm about SOC2 pricing:

Price estimates differ between firms as each will:

  • Estimate the effort / cost required to do the work
  • Have related overhead expenses allocated to the audit
  • Require a certain level of profit from the engagement

Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.

“ISO 27001 certification is required to do business with us.” – Prospective Client

ISO 27001:  https://www.iso.org/isoiec-27001-information-security.html

Any idea how much an ISO 27001 certification costs? Found this article from Pivot Point Security:

  • Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
  • Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
  • Certification Audit: $10,000
  • Total cost for ISO 27001 certificate: $48,000

Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:

  • Surveillance Audit: $7,500
  • Internal ISMS Audit: $7,000

“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer

COBIT:  http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

\\ JMM