SAS-70 Type II or ISO-27001: Which certification is best for my organization?
Sarbanes-Oxley has increased the exposure associated with an outsourcing decision. The boards and executive management of organizations are turning to independent third party certifications as a means of reducing the risk and exposure of outsourced vendors providing critical services. These service providers are a diverse group and can include research and development partners, payroll providers, banking partners, Information Technology providers, and accounting partners. With more of their customers focused on controls, many of these vendors are being faced with more and more requests for auditor visits. Facing increased disruption, organizations are seeking outside validation of their controls that would satisfy ALL of their customers. The SAS-70 Type II is clearly the favorite.
The Statement on Auditing Standards Number 70 (commonly known as SAS-70), developed by the American Institute of Certified Public Accountants (AICPA), describes a set of procedures for auditing a service organization. An organization can select to have an audit performed on the control design (Type I) or an audit of the operation of the controls over a period of time (Type II). The outside auditor will review the controls established by the organization and assess their effectiveness at achieving the established objectives.
With the growth of outsourced Information Technology services, many SAS-70 audits have been performed successfully on IT service providers. Some organizations have begun to look for more comprehensive solutions. Although the AICPA is an internationally recognized body, it does not carry the same weight internationally as the International Organization for Standardization (Organisation internationale de normalisation), widely known as ISO. This organization has not been idle, fine-tuning a British quality standard to create the ISO-27000 series of standards.
The ISO-27000 series describes a set of activities and controls to create, implement, and manage a comprehensive Information Security Management System. The standard is divided into 11 sections addressing the critical components of a functional management system. The areas addressed are:
· Security policy
· Organization of information security
  o internal organization
  o external parties
· Asset management
  o responsibility
  o asset classification
· Human resources security
  o prior to employment
  o termination or change of employment
· Physical and environmental security
  o secure areas
  o equipment security
· Communications and operations management
  o operational procedures and responsibilities
  o third party service delivery
  o system planning and acceptance
  o protections against malicious code
  o exchange of information
  o electronic commerce systems
· Access control
  o business requirements
  o user access management
  o user responsibilities
  o operating system control
  o application and information access control
  o mobile computing and telecommuting
· Information systems acquisition, development and maintenance
  o security requirements
  o correct processing
  o cryptographic controls
  o security of system files
  o security in development and support services
  o technical vulnerability management
· Information security incident management
  o reporting incidents and weaknesses
  o management of incidents and improvement opportunities
· Business continuity management
  o information security aspects of business continuity management
· Compliance
  o legal
  o compliance with security policies and standards, and technical compliance
  o information systems audit considerations
The ISO standard describes a set of standard control activities in each of the above areas. An organization needs to evaluate and select suitable control activities. To become certified, an outside audit is performed by an ISO certified auditor. Because the standard is more comprehensive and inclusive, an organization will typically take longer to prepare for and achieve certification. However, the benefits of covering information security risks outside of financial reporting, together with wider international acceptance, may be worth it for your organization.
If you are being required by your customers to provide a SAS-70, you may want to start incorporating the ISO information security objectives into your SAS-70. Once you have successfully tested to ensure these objectives are being met, the decision to become ISO certified becomes easier, since it will mean less work and less cost.
If you are not being asked by your customers for a SAS-70, but you do want to limit your exposure, you may want to consider the ISO standard, especially if you have international operations.
Our Team
Our team is composed of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. Since the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.