ISO 27002, which has superseded ISO 17799, is a set of best practices to be adopted by organizations in order to implement proper information security. You can be certified against the 27002 standard, as specified in ISO 27001, which would indicate adherence to the best practices.
There is one scenario where ISO 27002 could be used in lieu of a SAS 70, but it's a minor distinction. You could sit down with your auditor at the beginning of the SAS 70 audit and agree that ISO 27002 provides a proper set of control objectives for what you are trying to achieve. To be clear, this would not eliminate the requirement to provide a SAS 70 audit; it would just use the ISO standard as a control objective. You'd still have to spend the money on the SAS 70 audit.
Which brings up another, more important question: can your organization fulfill this contract without the resources to provide the SAS 70 audit? Requiring this kind of infrastructure can sometimes be a boilerplate request, but in reality it provides a filter for smaller organizations that wouldn't be able to execute the contract successfully.
This was first published in February 2008