I recently met with a group who wanted to get started in IT Audit. Although the members of the group had some experience in IT Audit, I noticed a common theme in their misunderstanding of ISO 27001 and SOX 404: they used the two terms interchangeably. In this post, I will distinguish the key differences between the ISO 27001 standard and SOX 404.

But as always, let's start with what these terms mean and why they are so important for the industry.

ISO 27001 is an international standard for ensuring that the assets in an Information Security Management System (ISMS) have a minimum set of acceptable controls. So for instance, if I am starting a new company tomorrow and would like to secure the assets of the company, how would I know what security measures I need to take? Is it mandatory to refer to the ISO 27001 standard? No, there are many other standards, like NIST, that can be taken as a baseline to secure the assets. Then why should I use (read buy) ISO 27001 and not the freely available NIST?

For many companies based in the UK, ISO 27001 is the preferred standard, whereas for companies based in the US, NIST is preferred. ISO 27001 is easy to understand, whereas NIST is dense and will require more resources.

Also, companies can be audited against the ISO 27001 standard and get certified on their implementation of the standard, whereas this can't be done for NIST. Therefore, companies selling their services to a third party will prefer some attestation in the form of a certificate from external auditors.

So, what is SOX and how is it different from SOX 404?

First and foremost, SOX 404 is a part of SOX compliance. In the wake of multiple accounting scandals (Enron, WorldCom), the US government passed an act in 2002 that sets the requirements for improving the accuracy and reliability of financial disclosures of organizations trading on the U.S. SOX compliance asks all publicly traded companies in the US to disclose their financial reports on a periodic basis and holds the C-suite executives accountable if the financial statements are incorrect. One of the act's sections is SOX 404, which is responsible for making sure that the internal controls for a financial system are adequate, assessed and attested by the management. Any shortcomings in these security controls should also be reported in the disclosures.

ISO 27001 is an ISMS standard, but it is not a law.