Sarbanes-Oxley Compliance?

jdredd Member Posts: 33
Does anyone know what qualifies as compliance with Sarbanes-Oxley?

Like, if you are a CISA via ISACA and use COBIT in your organization, does that qualify as complying with the act?

If your organization is ISO 17799 compliant, does that qualify for SOX? I know you can map ISO 17799 to COBIT.

How does COSO come into this? Is that a methodology or just the committee that worries about things?

Who decides if you are compliant? Your financial auditor, or is this outlined in SOX? I know it has to be someone independent from your organization, but is it a CISA or a CPA?

Sorry for so many questions, but this is really confusing to me.


  • VWBug5000 Junior Member Posts: 6
    The way it was explained to me was:

    The SOX law is still pretty new, and the requirements for information security vary depending on the company. That being said, there is no real standard for InfoSec defined through SOX -yet-. As of right now, each individual company needs to review its own individual standards, come up with a defined InfoSec policy, and execute it. The only way SOX auditors can fine your company is if the company itself isn't following its own policy.

    This info is a few months old and I haven't heard anything new about it yet, so the IT side of the SOX law may have been updated. But I hope this helps!
