
The following section compares the benefits of an ISO/IEC 27001 certification and a SAS 70 Type 2 Audit Opinion for an ISMS. The comparison was prepared with the assistance of Orange Parachute, a leader in the design and implementation of certifiable management systems to international standards and a partner to DCM Services in this area.

Each criterion below is described first for a SAS 70 Type 2 audit and then for ISO/IEC 27001 certification.

Intended Use

SAS 70 Type 2 Audit: SAS 70 (Statement on Auditing Standards No. 70) is issued by the American Institute of Certified Public Accountants (AICPA). Its criteria are typically used to evaluate a service organization's internal control environment as part of a financial audit. Security controls may be covered in the scope, but only if management deems them material to the financial statements (see Objectivity and Standardization). SAS 70 is an auditing standard used by auditors to report on a service organization's controls, which may or may not include the controls of its ISMS.

ISO/IEC 27001: ISO/IEC 27001 is an internationally recognized standard for establishing, operating, monitoring and improving an ISMS. It is a management standard, used by management to implement and evaluate the ISMS and by accredited registrars to certify it.
Objectivity and Standardization

SAS 70 Type 2 Audit: While CPAs have a well-deserved professional reputation for objectivity, they are bound by management's description of the controls that are material to the company's financial operations, and those are the controls they test. Thus a critical security control that has little or no bearing on the organization's financial statements may be excluded from the audit entirely, and a clean opinion says nothing about it.

ISO/IEC 27001: When an organization pursues ISO/IEC 27001 certification, it must declare, in its Statement of Applicability, which of the 133 Annex A best-practice controls (ISO/IEC 27001:2005) apply to the organization and must justify each exclusion. The organization must also address any additional controls driven by business, regulatory, legal and contractual needs. This process ensures that all appropriate controls are identified and enables auditors to evaluate the organization's ability to meet these requirements.
Risk-based Approach

SAS 70 Type 2 Audit: A SAS 70 requires management to list the controls that mitigate key risks, but the list given to the auditors need not be based on a standard or on a repeatable risk management process. Management does not need a documented, authorized and repeatable risk assessment method with pre-defined criteria for risk acceptance. As a result, auditors must rely on management's implicit attestation of acceptable risk levels, expressed only through the controls it presents for audit. The list of controls is prepared specifically for the audit rather than produced as an output of the process of managing information risk.

ISO/IEC 27001: Central to ISO/IEC 27001 certification is the risk management process, which requires the organization to identify its information assets, the threats to those assets and the vulnerabilities in their defenses. Risks that exceed the organization's authorized risk tolerance are then treated: the treatment options (applying controls, accepting, avoiding or transferring the risk) are evaluated and controls are selected and justified against the risk they address. The result is a set of defensible, effective control choices that an auditor can trace back to specific identified risks.
Continuous Improvement Process

SAS 70 Type 2 Audit: A SAS 70 review is a snapshot of the controls that assure financial statement integrity. A Type 2 report does require the controls to be in place and operating effectively over a defined review period, but the notion of continuous process improvement is not within the scope of the audit. An organization can therefore be issued a "clean" opinion on a set of controls that have little or no bearing on its ability to continually monitor and improve its security management processes.

ISO/IEC 27001: During an ISO/IEC 27001 audit, the registrar's auditor requires demonstration of continual improvement. The standard requires the organization to follow the "plan-do-check-act" (PDCA) model popularized by W. Edwards Deming in his teaching on total quality management. Under this model, every process is:
  • Planned
  • Implemented, operated and maintained
  • Monitored, measured, audited and reviewed
  • Improved
Continuous Audit of a Process

SAS 70 Type 2 Audit: A SAS 70 review is often required of a service provider that delivers services to client organizations. However, there is no certification or seal of approval that the audited organization achieves, or stands to lose, after a successful audit. While certain findings relating to security could call into question the organization's security processes, there is no baseline against which to judge whether the organization's remediation of a problem was adequate.

ISO/IEC 27001: Inherent in ISO/IEC 27001 certification is the concept of a continuing audit cycle. After the initial audit and certification, surveillance audits are conducted over the next two years, and successful completion of the surveillance audits is followed by a re-certification audit in the third year. An organization can lose its certification if auditors note major non-conformities that are not corrected. Since ISO auditors are trained to analyze the system or process behind an organization's controls rather than an inventory of control objectives and controls, the audit process itself is a critical element in continually improving the ISMS.