SOX Compliance and BS7799 Part 2: 2002




  • I would say the answer is certainly yes.
    Legislation like SOX is heavy on the requirement to show due diligence. This, after all, is why it was created.
    Complying with, or even being certified with, an international standard like ISO 17799 (cert BS7799) clearly demonstrates that due diligence. In fact it does so extremely visibly.
    I note as well that there is a link to the standard on the left hand panel of this screen.



  • The focus of ISO 17799 is protection of information assets, and its control objectives are related to the confidentiality, availability and integrity of information. Without a sound information security infrastructure, any ‘raw material’ used in financial controls will be suspect. Further, how sound (or unsound) information is then applied to control the business is at the heart of SOX and much wider than the scope of an ISO 17799 information security management system.



  • Hi,
    BS7799 covers the area of IT General Controls, but you should pay attention to Application Controls.



  • Is there some sort of a matrix that shows BS7799 controls on one side and corresponding SOX sections on the other for comparison purposes?



  • Does anyone know whether it is sufficient to be certified according to the BS7799 Part 2: 2002 for the SOX Compliance?

    No.
    BS7799 only deals with one part of the scope of SOX, namely General Computer Controls (GCC). SOX is concerned with control over financial statements, which is wider than, but underpinned by, GCC.
    The de facto standard for GCC (for SOX) is CobIT as issued by ISACA. They have various papers on their website that map other control frameworks to CobIT.



  • By way of background, my work has been with evaluating security programs to determine compliance with regulations like HIPAA, GLB and Sarbanes. Section 404, which is the most pertinent part of the regulation that ‘requires’ security controls, is being interpreted in a number of ways, based on the intent of the assessor, auditor or reviewer.
    So let me answer the question in a few different ways.
    If you are executing a risk analysis effort on the part of your company in order to create a unified approach to meet all of your organization’s security and privacy requirements, and you are wondering if the activity that you are undertaking in being an ISO 17799 organization is allowing you to meet the intent of the Sarbanes-Oxley security requirements, then the answer is yes.
    If you are wondering if the work that you have done in being an ISO 17799 organization will meet the requirements for the IT portion of the formal Sarbanes-Oxley audit, then the answer is no, or very likely no, since it depends on your auditor.
    As one of the other commenters mentioned, the focus is heavily on the creation, management and distribution of financial information, which is stored in your core enterprise applications. Your auditors will want to know not just what your controls are, but whether they ensure segregation of duties in maintaining the security and integrity of financial data, and, oh by the way, whether you audit or monitor those applications to ensure your controls work.
    If you believe that your ISO security program provides demonstrable proof of everything that is mentioned in the above paragraph, then you will be in good shape.
    I think you should take a look at ISACA’s CoBIT-based interpretation of the Sarbanes requirements. At a strategic level this is a great means to ensure the work that you do on behalf of ISO and Sarbanes is as closely aligned as possible.
    Best of luck.



  • Well put. Good first post newbie 😉



  • Nothing left to comment on. Perfectly right.

