To remove any doubt, I have included in this post the language that you will find in every ISO 27001 certificate, and excerpts from a corresponding certification agreement. I have also included the language from the auditor's guidance (ISO 27006) that refers to the type of testing conducted during ISO assessments, which amounts to a verification of "design effectiveness" rather than the "operational effectiveness" that is the standard for SOC 2 Type 2 engagements.
ISO 27006 ANNEX D - Guidance for review of implemented ISO/IEC 27001:2005 controls
SOC 2 Type 2 reports give assurance about operational effectiveness, which requires a much higher level of testing. In the examples given above, a SOC 2 auditor would be required to confirm, through representative sampling, that:
- the door had remained locked over the period selected, by observing historical access logs;
- people signed confidentiality agreements consistently over the period selected;
- the asset register was complete, by independently re-performing the process used to create it and verifying that all assets were captured in the register;
- system settings are adequate and have remained in place over the period selected.