What, why, when – ISO 27001 vs SOX 404

I recently met with a group who wanted to get started in IT audit. Although the members already had some experience in IT audit, I noticed a common misunderstanding: they used the terms ISO 27001 and SOX 404 interchangeably.

In this post, I will lay out the key differences between the ISO 27001 standard and SOX 404.

But as always, let’s start with what these terms mean and why they matter to the industry.

What is ISO 27001?

ISO 27001 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its Annex A lists a reference set of controls that an organization selects from, based on its own risk assessment, to protect its information assets.

So, for instance, if I start a new company tomorrow and want to secure its assets, how do I know which security measures to take? I would refer to the ISO 27001 standard.

Is it mandatory to refer to the ISO 27001 standard?

No. Other frameworks, such as the publications from NIST, can equally be taken as a baseline for securing assets.

Then why should I use (read: buy) ISO 27001 rather than the freely available NIST publications?

This depends on two factors.

1. Company location

Many companies based in the UK (and in Europe more generally) prefer ISO 27001, whereas companies based in the US tend to prefer NIST.

2. Resources

ISO 27001 is comparatively concise and easy to understand, whereas the NIST publications are dense and require more resources to interpret and implement.

In addition, an organization can be audited against ISO 27001 by an accredited certification body and receive a certificate confirming that it has implemented the standard. NIST does not operate a certification scheme, so there is no equivalent “NIST certificate”. Companies selling their services to third parties therefore often prefer ISO 27001, because it lets them offer independent attestation in the form of a certificate from an external auditor.

So, what is SOX and how is it different from SOX 404?

First and foremost, SOX 404 is one section of the Sarbanes-Oxley Act (SOX); SOX compliance covers the whole act.

In the wake of multiple accounting scandals (Enron, WorldCom), the US Congress passed the Sarbanes-Oxley Act in 2002. It sets requirements for improving the accuracy and reliability of the financial disclosures of companies whose securities are publicly traded in the US. SOX requires these companies to file financial reports periodically and holds their C-suite executives (the CEO and CFO, who must personally certify the reports) accountable if the financial statements are incorrect.

One of those sections is SOX 404, which requires management to establish, assess and attest to the adequacy of the company’s internal controls over financial reporting; for larger filers, an external auditor must attest to that assessment as well. Because financial reporting runs on IT systems, the IT general controls around those systems (access control, change management, operations) fall within scope, and any material weaknesses found in these controls must also be reported in the disclosures.

How are ISO 27001 and SOX 404 different?

ISO 27001 is an ISMS standard, not a law; no company is required to comply with it. SOX 404, on the other hand, is law and must be adhered to by all publicly traded companies in the US.

How can I use ISO 27001 to be compliant with SOX 404?

The SOX 404 requirements are broad. Section 404(a) describes them in just two clauses, requiring that each annual report:

1. state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

2. contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Because the act leaves how to implement this to the discretion of each company, ISO 27001 can provide a baseline for the IT controls that a SOX 404 assessment covers. The Annex A controls of ISO 27001 can be mapped to the IT general controls over financial reporting systems. Note the limits of this mapping: SOX 404 is concerned only with controls relevant to financial reporting, so only the subset of ISO 27001 controls that protect those systems is relevant, and an ISO 27001 certificate does not by itself satisfy SOX 404. Management (and, where required, the external auditor) must still assess and attest to the controls as they operate on the in-scope financial systems.

For example, in the ISO 27001:2013 Annex A numbering, ‘A.5 Information security policies’ states how information security policies should be written and reviewed, ‘A.9 Access control’ states the requirements for access control, user access management and user responsibilities, and so on. (The 2022 revision of the standard renumbered and consolidated Annex A, so check which version your mapping is based on.)

To conclude, ISO 27001 and SOX 404 are both talked about a lot in the audit world, but they are very different things. ISO 27001 is a voluntary standard whose controls can be used to support compliance with the SOX 404 law.
