Ask The Security Expert: Questions & Answers
How do ISO 17799 and SAS 70 differ?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

QUESTION POSED ON: 03 December 2007
Our organization is bidding on a contract that requires a SAS 70 audit. As a young company, we can't provide this. Under what circumstances is it possible to submit an ISO 17799 in lieu of the SAS 70 audit? Are the two largely equivalent?
Actually, SAS 70 and ISO 17799 are very different, so it's unlikely that the contract you are pursuing would accept a 17799 program instead of SAS 70. From a simple definitions standpoint, SAS 70 is a process for auditors to determine if a corporation has the proper control objectives and activities in place. There really isn't a firm definition of SAS 70, since each individual company sits down with its auditors at the beginning of the process and figures out the most appropriate set of controls to implement.

ISO 27002, which has superseded ISO 17799, is a set of best practices to be adopted by organizations in order to implement proper information security. You can be certified against the 27002 standard, as specified in ISO 27001, which would indicate adherence to the best practices.

There is one scenario where ISO 27002 could be used in lieu of a SAS 70, but it's a minor distinction. You could sit down with your auditor at the beginning of the SAS 70 audit and agree that ISO 27002 provides a proper set of control objectives for what you are trying to achieve. To be clear, this would not eliminate the requirement to provide a SAS 70 audit; it would just use the ISO standard as a control objective. You'd still have to spend the money on the SAS 70 audit.

Which brings up another, more important question: can your organization fulfill this contract without the resources to provide the SAS 70 audit? Requiring this kind of infrastructure can sometimes be a boilerplate request, but in reality it provides a filter for smaller organizations that wouldn't be able to execute the contract successfully.

For more information:

  • Richard Mackey explains how ISO 27002 can help to comply with PCI DSS and provide more structure to an overall compliance program.
  • In this expert answer, Mike Rothman discusses whether ISO 17799 should be involved in the risk assessment process.