The sox chapters, what do they cover?

  • Why not download the act, grab a copy of the standard, and then compare them? Or am I missing some subtlety? Possibly.
    Both documents are linked to from the front page of this forum. I do know plenty are using 17799 to support SOX, but can’t comment accurately on the nuts and bolts of it.

  • The AICPA has a great summary here -

  • Isn’t 17799 a three-year cert? The problem I see, if that is the case, is that SOX is an annual requirement. So the 17799 would give you cover during the first year, but not in years 2 and 3… of course, I could be wrong about the three-year deal.
    Then the next issue is how much actual testing is done in the 17799? Type II SAS70’s generally entail a lot, and from what I’ve been hearing, if you had a YE 2003 SAS 70 from a vendor, your externals wouldn’t rely on it for this year’s SOX work.
    Thus, if the level of testing in the 17799 isn’t up to par with a SAS70, then it might not suffice at all.
    Best answer, of course, is to chat with your externals about this soon.

  • Isn’t 17799 a three year cert?
    It doesn’t quite work like that.
    Yes, sure, certification against 17799 (BS7799 actually) is renewable after 3 years. However, the standard itself imposes a ‘management system’.
    This is the moot point. The management system ensures various actions and procedures. It is these that are applicable here. These will ensure ongoing audit and so on, during the life of the certification.
    Apart from that, I think that the strength of using 17799 is that it is independent, recognized, and international, making it a good way of demonstrating due diligence.

  • I think the issue in terms of SAS70 vs the ISO 17799 from an external auditor’s perspective is that with the SAS 70, you get an annual test from an independent party (ie, not internal audit, but an external party), whereas with the 17799, the independent testing only happens every three years.
    By way of example, my externals, and others, are essentially saying that a 12/31/03 SAS 70 doesn’t do a lot of good in terms of reliance for SOX, since the testing related to it didn’t happen in 04. I think you’d have the same issue x3 w/r/t the 17799

  • The best place to look is the FFIEC web page; this is the government entity that tells you how to comply. Also, you need to get the ISO 15408 standard; it is also a how-to document.
    Anyone know where I can find a description of what different areas the SOX covers? Preferably a good detailed description, but not a direct link to the act itself.
    If I have understood it correctly, for instance, the 404 section covers things similar to ISO 17799 (separation of duties, logging, least privilege, user provisioning… etc.). But what about the other sections?
    And also, does anyone know, roughly, how much of the SOX is covered by the ISO 17799 controls?
    Anyone have any good tips on where I can find information?

