
How is ISO 17799 different from SAS 70?

In today's security world, it's hard to keep track of each and every management standard and auditing procedure. In this SearchSecurity.com Q&A, security management expert Shon Harris reveals the differences between ISO 17799 and SAS 70.

How does ISO 17799 differ from SAS 70?
ISO 17799, derived from the de facto British Standard 7799, is an internationally recognized information security management standard that provides high-level, conceptual recommendations on enterprise security. It consists of two parts. Part 1 contains guidelines on how to implement a comprehensive information security infrastructure. Part 2 is an auditing guide based on ISO 17799-compliance requirements.

The ISO 17799 domains are as follows:

  • Information security policies for the organization: Map security objectives, management's support, security goals and responsibilities.
  • Creation of information security infrastructure: Create and maintain an organizational security structure through the use of a security forum and security officer, defining security responsibilities, authorization processes, outsourcing and independent reviews.
  • Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification and handling procedures.
  • Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly and documenting the ramifications of not meeting expectations.
  • Physical and environmental security: Protect the organization's assets by properly choosing a facility location, maintaining a security perimeter, implementing access control and protecting equipment.
  • Communications and operations management: Carry out security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management and media handling.
  • Access control: Control access to assets based on business requirements, user management, authentication methods and monitoring.
  • System development and maintenance: Implement security in all phases of a system's lifetime through development of security requirements, cryptography, integrity and software development procedures.
  • Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.
  • Compliance: Comply with regulatory, contractual and statutory requirements by using technical controls, system audits and legal awareness.

ISO 17799 outlines the components that should make up each and every security program implemented today. Since companies and organizations are different, the emphasis on specific components may vary from one security program to the next, but each security program should be made up of these core elements.

Meanwhile, SAS No. 70 is a type of IT audit that a company carries out on its suppliers, partners and the companies to which it outsources business functions. The overall goal of a SAS 70 audit is to give the company in question a level of assurance that the outside provider has implemented the necessary protective controls. If your company was strict, for example, in its security program, data classification procedures and financial bookkeeping, would you really want to work with a supplier that does not do any of these well? Since this outside company would have access to your company's sensitive data, it's important to make sure that it takes security and financial reporting as seriously as your company does. The main company can (and will) be held responsible for any errors or fraudulent activities carried out by its third-party providers.

SAS 70, or Statement on Auditing Standards No. 70, outlines how auditors should go about auditing different components of a company. Specifically, it deals with how to audit a third party that the company is depending upon. The auditor needs to be independent and can be a CPA or an accredited auditor. He or she should follow the criteria outlined in SAS 70 and issue the primary company an opinion on the effectiveness of the third party's controls.

The third party, usually referred to as the service organization, will have its own control objectives that state the reasons for the safeguards in place and the level of protection and accuracy that its controls provide. The auditor reviews the control objectives, tests the controls and produces a written report, given to the customer, that describes the controls in place and the types of tests that were carried out.

There are two types of SAS 70 audits, Type I and Type II. A Type I report is basically a snapshot in time: the auditor remarks on a company's control processes as of one specific day. A Type II audit usually takes more effort because it addresses the same concerns as a Type I audit, but over a longer time period, usually six months. The auditor then needs to do more investigation, looking at the reports that the service organization keeps on its controls and reviewing any test results that the third party produced over this six-month period.

SAS 70 only provides a level of assurance; it does not promise a specific level of security or accuracy from the service organization. This is one reason that assessments should be done annually and not just once. To summarize, ISO 17799 is a standard that guides the implementation of an organization's security program, and SAS 70 is an auditing procedure that companies use to investigate third-party organizations.

This was last published in January 2007.
