Home page logo

basics logo Security Basics mailing list archives

Re: SAS70
From: John Blackley <jblackley () sysmatrix net>
Date: 19 May 2005 14:36:50 -0000

In-Reply-To: <20050518044305.475.qmail () mail securityfocus com>


I understand your uneasiness about "being able to choose what you are audited on" - I found that hard to digest in my 
first SAS 70 review (several centuries ago). Be aware though, that people with whom your company does business may ask 
to see a copy of your SAS 70 review findings and the control objectives that you choose may or may not impress them. 
Further, a good auditor ought to comment if the control objectives are so limited as to be meaningless.

I don't know how familiar you are with ISO 17799 certification or if this helps: Most companies would find it 
impossible to be in compliance with every detail of ISO 17799 (as it is an exceedingly broad code of practice). So 
companies often aim to be tested for compliance with specified sections of ISO 17799. SAS 70 examinations are like that 
- you get to demonstrate that you meet a specific set of control objectives which, because of the diversity of 
companies and industries, must necessarily be flexible.

Let me know if I can be of any help in getting you through this.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]