EXPERT RESPONSE
That's an interesting question. These two are kind of like apples and oranges, since 27001 is really a framework that you implement and assess, while SAS70 (especially Type 2) assessments evaluate the effectiveness of controls.
Let's look at this from the perspective of the chicken or the egg. If you start with ISO 27001 and fully implement the framework -- a big job, indeed -- it is highly likely that you'd be in pretty good shape for a SAS70. There are differences in the requirements that go beyond the scope of this Q&A,, but for the most part -- especially relative to security controls -- 27001 should get you pretty close to SAS70.
But I'm not sure the converse is true. Since 27001 is fairly comprehensive (over 200 technology practices and procedures to the point of potential overkill), a SAS70 certification is a start, but would require a significant amount of additional work to get to 27001, especially relative to documentation. You'd basically need to start from the beginning, doing a gap analysis of your own environment relative to 27001. You should be able to use some of the documentation from your SAS70, but how much will depend on the specifics of your environment.
The last point I'll mention is that no certification is going to guarantee you security or peace of mind. In a perfect world, you can spend a year and a ton of money getting to a certain certification, but if you have neither the time nor the resources, you are best off instead figuring out which business systems are most important to your organization and moving decisively to protect them.
For more information:
Learn how to develop an information security program using ISO 17799 and SABSA.
In this Compliance School tip, learn how ISO 17799 can help your organization with the risk assessment process.
|
