We’re delighted to announce that our data center has successfully completed its ISO/IEC 27001:2005 security certification.
ISO/IEC 27001 is the international standard, published by ISO and IEC in 2005, for an Information Security Management System (ISMS): the framework an organization uses to manage information security.
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS). It specifies requirements for the management of the implementation of security controls.
It’s an international security standard, not limited to North America.
How does it compare to SAS 70?
SAS 70 is a Statement on Auditing Standards issued by the AICPA (American Institute of Certified Public Accountants) in 1992, under which an independent auditor evaluates a service provider’s controls and produces a report based on that evaluation.
Judith Sherinsky, a technical manager on the audit and test standards team at the AICPA writes about SAS 70:
“It isn’t a measure of security, it’s a measure of financial controls.”
A SAS 70 audit does not rate a company’s security controls against a defined set of best practices, and because SAS 70 was designed to examine controls relevant to financial reporting, a SAS 70 report may contain many items that have nothing to do with information security.
The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.
Key difference: an ISO/IEC 27001:2005 certificate means the provider’s ISMS has been audited against the standard’s defined requirements and against the controls it selected from the standard’s Annex A (recorded in its Statement of Applicability), whereas SAS 70 leaves it to the provider to decide which control objectives are audited. Both are scoped, so it is worth checking which systems and locations a certificate actually covers.