The following illustration outlines the differences between the SAS 70 auditing standard and the ISO/IEC 27001 management standard:

ISO/IEC 27001 and SAS 70: A Comparison

Historically, firms in the financial services industry have used an assortment of standards, techniques and tools to obtain an independent evaluation of their security posture. One of the most common standards in place in the U.S. is the SAS 70, which is an auditing standard developed by the American Institute of Certified Professional Accountants.

The SAS 70 standard defines the required processes for auditing and reporting on management controls of service organizations in conjunction with a financial statement audit. Interestingly, the SAS 70 has also been used to audit and report on other controls such as information security and compliance that have little to do with the integrity of the financial reporting process.

While the SAS 70 is a flexible standard that has been adapted to a variety of other uses, it remains essentially a general-purpose auditing standard, focusing on how to conduct an audit and issue an opinion on any type of control.

In contrast, ISO/IEC 27001 is a management standard specific to the practice of managing information security. Its focus is on providing the required elements and processes for building, maintaining and continuously improving information security through an Information Security Management System (ISMS).

During an ISO/IEC 27001 certification audit, a registrar's auditor will evaluate an organization's ISMS against the requirements of the ISO/IEC 27001 standard, which cover a broad array of information security management concerns, including:
  • Repeatable and actionable risk management processes that result in appropriate control decisions
  • Effectiveness of controls to identify and pursue opportunities for ISMS improvement
  • Appropriateness of management commitment to the ISMS
  • Evidence of that commitment through policy and the allocation of resources to implement and operate the selected controls
  • Required consideration of 133 best practice controls (per Annex A of the standard) and justifications and authorizations for any exclusions
  • Internal audits, incident response, management reviews and follow-through on action items stemming from these processes