The ISO 17799 domains are as follows:
ISO 17799 outlines the components that should make up every security program implemented today. Because companies and organizations differ, the emphasis placed on a given component will vary from one security program to the next, but each program should be built from these core elements.
SAS No. 70, by contrast, is a type of IT audit applied to a company's suppliers, partners and the companies to which it outsources business functions. The overall goal of a SAS 70 audit is to give the company in question a level of assurance that the outside provider has implemented the necessary protective controls. If your company were strict about its security program, data classification procedures and financial bookkeeping, would you really want to work with a supplier that does none of these well? Since the outside company has access to your company's sensitive data, it is important to confirm that it takes security and financial reporting as seriously as your company does. Outsourcing a function does not outsource the accountability: the contracting company remains responsible for errors or fraudulent activity carried out by its third-party providers.
SAS 70, or Statement on Auditing Standards No. 70, outlines how auditors should go about auditing the controls of a company. Specifically, it deals with how to audit a third party on which the company depends. The auditor must be independent and is typically a CPA or other accredited auditor. He or she follows the criteria laid out in SAS 70 and issues an opinion on the effectiveness of the third party's controls, which the primary company can rely on.
The third party, usually referred to as the service organization, defines its own control objectives, which state the reasons for the safeguards in place and the level of protection and accuracy its controls are meant to provide. The auditor reviews the control objectives, tests the controls and produces a written report that describes the controls in place and the tests that were carried out. That report is then provided to the service organization's customers.
There are two types of SAS 70 audits, Type I and Type II. A Type I report is essentially a snapshot in time: the auditor reports on whether the service organization's controls are suitably designed and in place as of one specific date. A Type II audit takes more effort because it addresses the same concerns as a Type I audit but covers a longer period, typically at least six months. The auditor must do more investigation here, reviewing the service organization's documentation of its controls and testing whether those controls actually operated effectively throughout the review period, rather than simply confirming that they existed on a given day.
A SAS 70 report only provides a level of assurance; it does not guarantee a specific level of security or accuracy from the service organization, and a report that was accurate last year says nothing about controls that have since changed. This is one reason these assessments should be carried out annually rather than once. To summarize, ISO 17799 is a standard that guides the implementation of an organization's security program, and SAS 70 is an auditing procedure that companies use to evaluate the controls of third-party organizations.
This was first published in January 2007