Security Basics mailing list archives

Re: SAS70

From: John Blackley <jblackley () sysmatrix net>
Date: 19 May 2005 14:36:50 -0000

In-Reply-To: <20050518044305.475.qmail () mail securityfocus com>

Steve,

I understand your uneasiness about "being able to choose what you are audited on" - I found that hard to digest in my 
first SAS 70 review (several centuries ago). Be aware though, that people with whom your company does business may ask 
to see a copy of your SAS 70 review findings and the control objectives that you choose may or may not impress them. 
Further, a good auditor ought to comment if the control objectives are so limited as to be meaningless.

I don't know how familiar you are with ISO 17799 certification or if this helps: Most companies would find it 
impossible to be in compliance with every detail of ISO 17799 (as it is an exceedingly broad code of practice). So 
companies often aim to be tested for compliance with specified sections of ISO 17799. SAS 70 examinations are like that 
- you get to demonstrate that you meet a specific set of control objectives which, because of the diversity of 
companies and industries, must necessarily be flexible.

Let me know if I can be of any help in getting you through this.

John

Current thread:

SAS70 Steve Fletcher (May 16)
- Re: SAS70 routerg (May 18)
- <Possible follow-ups>
- Re: SAS70 H Carvey (May 17)
  - Re: SAS70 Diego Kellner (May 18)
  - RE: SAS70 Steve Fletcher (May 23)
- Re: SAS70 John Blackley (May 18)
- RE: SAS70 Robinson, Sonja (May 18)
- RE: SAS70 Steve Fletcher (May 18)
- RE: SAS70 Rosado, Rafael (Rafael) (May 19)
- Re: SAS70 John Blackley (May 19)
- RE: SAS70 Steve Fletcher (May 23)