
How to migrate from SAS 70 to ISO 27001

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

QUESTION POSED ON: 12 June 2007
What would it take to migrate to the ISO 27001 certification from SAS70?



That's an interesting question. These two are kind of like apples and oranges, since 27001 is really a framework that you implement and assess, while SAS70 (especially Type 2) assessments evaluate the effectiveness of controls.

Let's look at this from the perspective of the chicken or the egg. If you start with ISO 27001 and fully implement the framework -- a big job, indeed -- it is highly likely that you'd be in pretty good shape for a SAS70. There are differences in the requirements that go beyond the scope of this Q&A, but for the most part -- especially relative to security controls -- 27001 should get you pretty close to SAS70.

But I'm not sure the converse is true. Since 27001 is fairly comprehensive (over 200 technology practices and procedures to the point of potential overkill), a SAS70 certification is a start, but would require a significant amount of additional work to get to 27001, especially relative to documentation. You'd basically need to start from the beginning, doing a gap analysis of your own environment relative to 27001. You should be able to use some of the documentation from your SAS70, but how much will depend on the specifics of your environment.

The last point I'll mention is that no certification is going to guarantee you security or peace of mind. In a perfect world, you can spend a year and a ton of money getting to a certain certification, but if you have neither the time nor the resources, you are best off instead figuring out which business systems are most important to your organization and moving decisively to protect them.

For more information:

  • Learn how to develop an information security program using ISO 17799 and SABSA.
  • In this Compliance School tip, learn how ISO 17799 can help your organization with the risk assessment process.



