mailing list archives
From: John Blackley <jblackley () sysmatrix net>
Date: 19 May 2005 14:36:50 -0000
In-Reply-To: <20050518044305.475.qmail () mail securityfocus com>
I understand your uneasiness about "being able to choose what you are audited on" - I found that hard to digest in my
first SAS 70 review (several centuries ago). Be aware though, that people with whom your company does business may ask
to see a copy of your SAS 70 review findings and the control objectives that you choose may or may not impress them.
Further, a good auditor ought to comment if the control objectives are so limited as to be meaningless.
I don't know how familiar you are with ISO 17799 certification or if this helps: Most companies would find it
impossible to be in compliance with every detail of ISO 17799 (as it is an exceedingly broad code of practice). So
companies often aim to be tested for compliance with specified sections of ISO 17799. SAS 70 examinations are like that
- you get to demonstrate that you meet a specific set of control objectives which, because of the diversity of
companies and industries, must necessarily be flexible.
Let me know if I can be of any help in getting you through this.
- SAS70 Steve Fletcher (May 16)