Comply SAS70 Auditing Requirements With ISO 27001 Framework

Posted on: 2008-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: J S Ding
Full Text: PDF
GTID: 2189360215477089
Subject: Business Administration

Abstract/Summary:
In order to speed up the development of the service outsourcing industry and accelerate the transition of its foreign trade growth mode, the Ministry of Commerce of the People's Republic of China launched the "Thousand-Hundred-Ten" Project. Its objective is to build 10 cities that are internationally competitive in service outsourcing, to attract 100 world-renowned multinational companies to outsource their business services to China, and to foster 1000 internationally qualified large and medium-sized outsourcing service vendors.

An organization must consider two issues when it outsources its business, resulting in a corresponding demand for two types of audit. (1) Quality-related auditing: does the outsourcing service provider have sufficient capacity to deliver the service according to the contract? (2) Information security management auditing: the organization has to share or disclose sensitive commercial or legal information to the service provider. Can the service provider protect that sensitive information effectively and efficiently?

This paper focuses on analysing the implementation of information security audit requirements. At present, the mainstream information security audits are ISO/IEC 27001 and the SAS 70 audit.

(1) Before analysing the audit requirements of ISO/IEC 27001 and SAS 70, this paper introduces the relationship between information security, information security controls and auditing. Information security is achieved by implementing a set of controls, and an information security audit assesses the effectiveness with which those controls have been implemented.

(2) Both ISO/IEC 27001 and SAS 70 are information-security-related auditing requirements, and the requirements overlap to a large extent. ISO 27001, a widely accepted international standard, is concerned with establishing an information security risk management framework. SAS 70 is required by the United States government through SOX audit requirements, and focuses mainly on information related to financial statements.

(3) This paper analyses how to achieve ISO 27001 and SAS 70 audit requirements independently, and the problems caused by implementing two similar sets of requirements independently.

(4) It then analyses how to comply with SAS 70 auditing requirements within the ISO/IEC 27001 framework.
Keywords/Search Tags: ISO/IEC 27001, SAS 70, Audit, Integrated Implementation