ISO27001/BS7799 Certification vs. Sarbox Compliance 1584

  • Has there been any authoritative ruling on whether or not an ISO27001 certification is sufficient to comply with S404 of Sarbox?

  • Hi - I’m not absolutely certain the answer is ‘Yes’ but the ISO27001 standards are excellent and might satisfy SOX requirements. SOX 404 is about meeting best IT practices in safeguarding the companies financial systems and providing security as a whole for the company.
    I found a few of the following links in searching for relationships between the two standards. ISO27001 appears to be a very comprehensive and rigid standard to meet, which should help meet the SOX 404 requirements.
    Information Security Standards ISO27001
    In the United States, the regulatory and compliance requirements imposed by, for instance, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Availability Act (HIPAA), the Californian Senate Bill 1386 and the Online Personal Protection Act as well, of course, as the Sarbanes-Oxley Act (SOX) and the Federal Information Security Management Act, are all best met through the development of an information security management system that is integrated, comprehensive and incorporates widely recognized best practice. This is precisely what ISO 27001 provides .

  • Hi,
    I have not read of any authoritative guidance from the PCAOB or the SEC that specifically states that ISO27001 can be substituted for the CobiT Framework.
    Please note that although the CobiT Framework is not REQUIRED as the schema for use in complying with SOX, but it has been widely accepted by the auditors as the de facto standard by its use.
    This means that ISO27001 may be used to substitute for the security standards and practices prescribed in CobiT. However, the auditor will need to understand ISO27001 and how the standards and information security practicies in it, link to the IT control objectives in CobiT.
    If the auditor is familiar with ISO27001 and achieves satisfaction that the standards in it are equivalent to those prescribed by CobiT or another acceptabtable IT Security Framework, adopting ISO27001 might not be an issue.
    In short, you might consider running the use of ISO27001 by the auditor before abandoning the use of CobiT.
    Good Luck,

  • I was unfamiliar with the ISO27001 international standard and in research found it to be a solid control mechanism.
    Still, Milan offers the best advice of all – check with your external and internal auditors to see if they will approve this as being acceptable for SOX 404 IT compliancy needs 🙂
    Good luck on this.

  • In short, the response to the earlier question is NO.

    1. Bear in mind that the reason we look at IT controls for SOx 404 is to SUPPORT the business process i.e. where we are relying on automated controls within applications then we need to evaluate the general controls around those applications.
    2. In looking at general controls there are a number of areas or domains that you need to consider - and information security is only one of them.
    3. International Standards serve a different purpose from a framework like COBIT, but these pruposes can be complementary.
      As Milan correctly states ISO27001 MIGHT be able to substitute for the security component - but would not help you with other parts.
      Another way of looking at it would be to suggest that ISO27001 certification would almost certainly require you to put in place the processes and controls that satisfy the security control objectives of COBIT - making compliance with that framework straightforward.

  • Thank you all for responding to my question, but asking my auditors is not exactly unbiased. There is money to be lost by US accounting firms if they admit that an ISO27001 certification is consistent with s404 compliance and a suitable substitute for a SAS70.
    I really need an authoritative source, like the SEC or PCAOB to say YES or NO and haven’t been able to get that.

  • Hi Lou – I think Denis hit the nail on the head in his reply … I also went to the SEC’s website and searched for ISO27001 where I got zero hits … I then entered COBIT and got 23 links returned.
    SEC Home - add ‘www’
    As some firms have to adhere to multiple standards, you may have to implement both COBIT and ISO27001? For example, we have to be compliant with SAS 70, ISO 9000, SOX, etc … I also understand the reluctance to ask the external Auditor firm on this, as someone commented in another thread that audit fees have doubled in recent years with the advent of SOX 😞
    One idea might be to contact the SEC or PCAOB directly. For example below is SEC Contact Information:
    U.S. Securities and Exchange Commission
    Office of the Chief Accountant
    100 F Street, NE
    Washington, DC 20549
    202-551-5300 Phone
    202-772-9252 Fax
    Again, good luck on this 🙂

  • Thanks Harry and everyone. I’ll keep on plugging away at the SEC and let all know what I find out.

  • Denis that was a real good reply. ISO27001 has some controls which match with COBIT. There is a good guidance document in ISACA for it which gives the control mapping but being complaint with ISO27001 (and the predecessor BS7799) is not sufficient for SOX compliance

  • An insightful presentation that compares COBIT andISO/IEC 17799 /BS 7799-2. governance/Is IT Governance Enough V3.pdf
    Be sure to insert www. in front of the link above.
    Please consult with the author of the presentation if used for commercial purposes.
    Hope this further helps.

  • Denis and Milan are right.
    Cobit control model includes more audit areas than just information security.
    Im fact, that’s just the tip of an iceberg.

    • Other areas to consider are: Operations, System Development Life Cycle, Change Management, etc.
      thanks Milan, I was looking for a link just like the one you’ve posted.

  • The clauses of ISO 27001 can directly be mapped to the SOX 404 requirements and effective implementation of security controls. … To conclude, both ISO 27001 and SOX 404 are spoken a lot in the audit world, but they are very different. ISO 27001 is a standard that can be used to comply with the SOX 404 law.
    iso 27001 lead auditor course

  • ISO 27001 Certification is one of the best certifications when to come to security. another name for ISO 27001 is the data security management system.
    ISO 27001 Certification in Malaysia
    ISO Certification in Malaysia

Log in to reply