SAS-70 is Dead, Long Live the King (ISO27001?)
Posted by John Verry on Fri, May 08, 2009 @ 01:52 PM
This posting is intended for my fellow auditors working in the Fortune 1000 world.
The Yankees are no longer winning the World Series every year, Bill Clinton lives in New York, not Washington, DC, and Y2K is a laughable memory, not a potential Armageddon. It's 2009, not 1999, so please, please, stop requesting SAS-70 reports from entities that process information on your behalf.
I will begrudgingly give the AICPA some credit for realizing in 1993 that the world needed a standard way to answer the question "How do I know you are doing due diligence to keep our data secure?"
However, they encumbered it with two basic flaws.
- It was a mechanism to document a control environment and its operation, not a standard for how a secure environment should operate. A SAS-70 report tells you what controls the service provider says it has and (in a Type II) whether they operated as described; it does not tell you whether those controls are adequate. Sadly, too many of my fellow auditors took it as the latter, not the former, and just checked the box on their paperwork instead of "opining" on whether the documented environment was aligned with their own information security requirements.
- The AICPA, in a very self-serving manner, mandated that only a CPA (to be clear, an accountant) could issue a SAS-70. Apologies to those whom I may offend, but with rare exception, the CPAs turned information systems auditors I have met are marginal information systems auditors (at best).
I believe ISO27001 (though not without a few flaws) is probably the best general-purpose form of information security attestation available right now. NIST has some great stuff, especially if you work in the government space. If the data being processed on your behalf is "mono-compliant" (subject to a single regulatory regime), you may be able to get away with the associated standard or regulation (e.g., HIPAA for health information, PCI DSS for cardholder data, or the applicable privacy law for PII).
Yes, that was "Guns N' Roses" you just heard on the radio. However, it was a classic rock station, not a Top 40 station (which now plays Pink ad nauseam), so please change your "due diligence" paperwork to reflect the year.