ISO/IEC 27001 and SAS 70: A Comparison
At Forte, we view information security as a critical business asset. Given our work with many of the largest credit grantors in the world, the safety and integrity of our clients' data is Forte's highest priority. To deliver on our commitment to provide clients with an unrivaled standard of information security, early in 2008 Forte received an ISO/IEC 27001 certification for our information security management system. By successfully attaining this certification, Forte joined the elite ranks of businesses that include the Federal Reserve Bank of New York and the World Bank. In fact, as of December 11, 2008, Forte Data Solutions is one of only 67 companies in the United States to have achieved this distinction, according to the International Register of ISMS Certificates.
Historically, firms in the financial services industry have used an assortment of standards, techniques and tools to obtain an independent evaluation of their security posture. One of the most common standards in place in the U.S. is SAS 70, an auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
The SAS 70 standard defines the required processes for auditing and reporting on the management controls of service organizations in conjunction with a financial statement audit. Interestingly, SAS 70 has also been used to audit and report on other controls, such as information security and compliance, that have little to do with the integrity of the financial reporting process.
While SAS 70 is a flexible standard that has been adapted to a variety of other uses, it remains essentially a general-purpose auditing standard: it specifies how to conduct an audit and issue an opinion on any type of control, not which controls an organization should have.
In contrast, ISO/IEC 27001 is a management standard specific to the practice of managing information security. Its focus is on providing the required elements and processes for building, maintaining and continuously improving information security through an Information Security Management System (ISMS).
During an ISO/IEC 27001 certification audit, a registrar's auditor evaluates an organization's ISMS against the requirements of the ISO/IEC 27001 standard, which cover a broad array of information security management concerns, including:
- Repeatable and actionable risk management processes that result in appropriate control decisions
- Effectiveness of the controls in place, and identification and pursuit of opportunities for ISMS improvement
- Appropriateness of management commitment to the ISMS
- Evidence of that commitment through policy and the allocation of resources to implement and operate the selected controls
- Required consideration of the 133 best-practice controls in Annex A of the standard, with documented justification and authorization for any exclusions
- Internal audits, incident response, management reviews and follow through on action items stemming from these processes