How do ISO 17799 and SAS 70 differ?

ISO 17799 and SAS 70 are two different frameworks that help organizations achieve compliance best practices. In this Q&A, Mike Rothman defines each of them and explains how they differ.

Our organization is bidding on a contract that requires a SAS 70 audit. As a young company, we can't provide this. Under what circumstances is it possible to submit an ISO 17799 in lieu of the SAS 70 audit? Are the two largely equivalent?
Actually, SAS 70 and ISO 17799 are very different, so it's unlikely that the contract you are pursuing would accept a 17799 program instead of SAS 70. From a simple definitions standpoint, SAS 70 is a process for auditors to determine if a corporation has the proper control objectives and activities in place. There really isn't a firm definition of SAS 70, since each individual company sits down with its auditors at the beginning of the process and figures out the most appropriate set of controls to implement.

ISO 27002, which has superseded ISO 17799, is a set of best practices to be adopted by organizations in order to implement proper information security. You can be certified against the 27002 standard, as specified in ISO 27001, which would indicate adherence to the best practices.

There is one scenario where ISO 27002 could be used in lieu of a SAS 70, but it's a minor distinction. You could sit down with your auditor at the beginning of the SAS 70 audit and agree that ISO 27002 provides a proper set of control objectives for what you are trying to achieve. To be clear, this would not eliminate the requirement to provide a SAS 70 audit; it would just use the ISO standard as a control objective. You'd still have to spend the money on the SAS 70 audit.

This brings up another, more important question: can your organization fulfill this contract without the resources to provide the SAS 70 audit? Requiring this kind of infrastructure can sometimes be a boilerplate request, but in reality it acts as a filter for smaller organizations that wouldn't be able to execute the contract successfully.

For more information:

  • Richard Mackey explains how ISO 27002 can help to comply with PCI DSS and provide more structure to an overall compliance program.
  • In this expert answer, Mike Rothman discusses whether ISO 17799 should be involved in the risk assessment process.

This was last published in February 2008.
