EXPERT RESPONSE
Actually, SAS 70 and ISO 17799 are very different, so it's unlikely that the contract you are pursuing would accept a 17799 program instead of SAS 70. From a simple definitions standpoint, SAS 70 is a process for auditors to determine if a corporation has the proper control objectives and activities in place. There really isn't a firm definition of SAS 70, since each individual company sits down with its auditors at the beginning of the process and figures out the most appropriate set of controls to implement.
ISO 27002, which has superseded ISO 17799, is a set of best practices to be adopted by organizations in order to implement proper information security. You can be certified against the 27002 standard, as specified in ISO 27001, which would indicate adherence to the best practices.
There is one scenario where ISO 27002 could be used in lieu of a SAS 70, but it's a minor distinction. You could sit down with your auditor at the beginning of the SAS 70 audit and agree that ISO 27002 provides a proper set of control objectives for what you are trying to achieve. To be clear, this would not eliminate the requirement to provide a SAS 70 audit; it would just use the ISO standard as a control objective. You'd still have to spend the money on the SAS 70 audit.
Which brings up another, more important question: can your organization fulfill this contract without the resources to provide the SAS 70 audit? Requiring this kind of infrastructure can sometimes be a boilerplate request, but in reality it provides a filter for smaller organizations that wouldn't be able to execute the contract successfully.
For more information:
Richard Mackey explains how ISO 27002 can help to comply with PCI DSS and provide more structure to an overall compliance program.
In this expert answer, Mike Rothman discusses whether ISO 17799 should be involved in the risk assessment process.
|
