ISO 27001 and SAS 70 – A Comparison of Methodologies and Approaches
by contributing authors of Orange Parachute
Organizations today face many challenges. One of the more difficult is how to provide assurance over their information security, information technology, and control environments to third parties, whether clients, business partners, regulatory bodies, or others. For many years the SAS 70 Service Auditor's Report has been used to meet this requirement. This whitepaper offers an alternative perspective on third-party assurance by comparing and contrasting the SAS 70 process with the creation of an Information Security Management System (ISMS) based on ISO 27001.
Understanding Information Risk Management
by Nick Halvorson, Senior Consultant, Orange Parachute
Business is about risk, and managing any enterprise is, in some sense, enterprise risk management. Traditionally the term "risk management" has focused on financial and fiduciary business risk. The growing importance of information confidentiality, integrity, and availability to running an enterprise has led to the recognition that information risk is equally relevant to the health of the enterprise and should be managed accordingly.
Understanding Information Security Management Systems (ISMS)
by Tom Carlson, Principal Consultant, Orange Parachute
Organizations have long practiced information security without effectively managing it. Assuming that security guidance is given and security activities are performed, an organization already has some form of Information Security Management System in place, however immature or fragmented. The ISMS process brings quality management concepts to the discipline of information security, with numerous benefits.
Understanding ISO 27001
by Tom Carlson, Principal Consultant, Orange Parachute
The information security field has traditionally been based on sound "best practices" and "guidelines". While this accumulated wisdom is valid, it is subject to varying interpretations and implementations that are not always consistent with one another. Furthermore, without the risk justification that ISO 27001 requires, "best practice" is in reality "best guess", lacking the underlying analysis that makes a control implementation both justifiable and defensible. ISO 27001 offers multiple benefits to an organization when applied correctly.
Understanding ISO 27002
by Tom Carlson, Principal Consultant, Orange Parachute
As a standard that is primarily conceptual, ISO 27002 is NOT:
- A technical standard
- Product or technology driven
- An equipment evaluation methodology
ISO 27002 is a comprehensive minimum baseline of information security controls that every information security program SHOULD address in some manner. This paper describes the ISO 27002 standard in detail, discusses its benefits, and compares it with ISO 27001.
