Ask the Expert

How to migrate from SAS 70 to ISO 27001

What would it take to migrate to the ISO 27001 certification from SAS70?

    Requires Free Membership to View

That's an interesting question. These two are kind of like apples and oranges, since 27001 is really a framework that you implement and assess, while SAS70 (especially Type 2) assessments evaluate the effectiveness of controls.

Let's look at this from the perspective of the chicken or the egg. If you start with ISO 27001 and fully implement the framework -- a big job, indeed -- it is highly likely that you'd be in pretty good shape for a SAS70. There are differences in the requirements that go beyond the scope of this Q&A,, but for the most part -- especially relative to security controls -- 27001 should get you pretty close to SAS70.

But I'm not sure the converse is true. Since 27001 is fairly comprehensive (over 200 technology practices and procedures to the point of potential overkill), a SAS70 certification is a start, but would require a significant amount of additional work to get to 27001, especially relative to documentation. You'd basically need to start from the beginning, doing a gap analysis of your own environment relative to 27001. You should be able to use some of the documentation from your SAS70, but how much will depend on the specifics of your environment.

The last point I'll mention is that no certification is going to guarantee you security or peace of mind. In a perfect world, you can spend a year and a ton of money getting to a certain certification, but if you have neither the time nor the resources, you are best off instead figuring out which business systems are most important to your organization and moving decisively to protect them.

For more information:

This was first published in August 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: