How can ISO 27001 help you comply with SOX section 404

A number of high-profile corporate and accounting scandals brought down several big players such as Enron and WorldCom, and wreaked havoc on global investment markets. In the wake of these scandals, the U.S. SOX law was introduced to restore public confidence in the financial information released by public companies. The law demanded new levels of commitment from organizations’ top management regarding the handling of financial information, backed by more severe penalties for fraudulent financial activity.

This article will show how ISO 27001, the leading standard for Information Security Management Systems (ISMS), can be used to support compliance with SOX section 404, which deals with demonstrating the effectiveness of internal controls. One caveat up front: section 404 is about internal control over financial reporting as a whole, and ISO 27001 does not cover the accounting controls themselves. What it does cover well is the information-security side of the IT general controls (access control, change management, logging and monitoring) on which the financial systems depend, and the management system for proving those controls work. For this to help with SOX, the ISMS scope must include the systems that process financial data.

What is SOX?

The Sarbanes–Oxley (SOX) Act is a United States federal law, enacted in July 2002, that set requirements for improving the accuracy and reliability of the financial disclosures of companies whose securities are registered with the U.S. Securities and Exchange Commission (SEC). It was a response to several corporate and accounting scandals that cost investors billions of dollars when the share prices of the affected companies collapsed, and that shook public confidence in the U.S. securities markets.

SOX is divided into 11 titles, each containing several sections. These range from the definition of corporate board responsibilities to criminal penalties. The Act also requires the SEC to issue regulations that define how organizations are to comply with the law. From a compliance perspective, the most important sections are:

  • 302 – Corporate Responsibility for Financial Reports
  • 404 – Management Assessment of Internal Controls (the focus of this article)
  • 409 – Real Time Issuer Disclosures

Who must comply with SOX?

The following organizations must comply with SOX:

  • All companies publicly traded in the United States, including their subsidiaries
  • Non-U.S. companies whose securities are registered with the SEC (for example, those listed on a U.S. stock exchange)

Additionally, private companies preparing for an initial public offering (IPO) also need to comply with certain provisions of SOX. Note that not every filer is subject to the whole of section 404: smaller companies (non-accelerated filers) are required to provide the management assessment under section 404(a), but are exempt from the external auditor attestation under section 404(b).

What is ISO 27001?

ISO 27001 is the ISO standard that describes how to manage information security in an organization. ISO 27001:2013 has 10 numbered clauses in the main part of the standard, of which clauses 4 to 10 contain the mandatory requirements, and 114 security controls grouped into 14 sections in Annex A. (The 2022 revision of the standard keeps the same clause structure, but reorganizes Annex A into 93 controls in four themes; the mapping to clause 9 below is unaffected.) The requirement clauses of ISO 27001:2013 are:

  • 4 – Context of the organization
  • 5 – Leadership
  • 6 – Planning
  • 7 – Support
  • 8 – Operation
  • 9 – Performance evaluation
  • 10 – Continual improvement

ISO 27001:2013 Annex A covers controls related to organizational structure, physical and logical access, human resources, operations and communications security, supplier management, and so on.

For detailed information, read: What is ISO 27001?, and for the implementation of safeguards, An overview of ISO 27001:2013 Annex A.

SOX section 404 requirements

SOX section 404 refers to the Management Assessment of Internal Controls, and has two main requirements:

  • Section 404(a): top management must include in the annual report an assessment of the scope, adequacy and effectiveness of the organization’s internal controls and procedures for financial reporting. It must also state its responsibility for establishing and maintaining such controls and procedures.
  • Section 404(b): the organization’s external auditor must attest to, and report on, management’s assessment of the effectiveness of the internal controls over financial reporting.

This section is considered the costliest and most controversial to implement. This is primarily because the law does not define how such reports should be produced, nor what evidence should be provided to support them. This is precisely where ISO 27001 can help organizations.

How ISO 27001 can fulfil section 404

The requirements of SOX section 404 can be related to ISO 27001 clause 9 (Performance evaluation). Each of the three sub-clauses contributes evidence for the same section 404 requirement, the report on the scope, adequacy and effectiveness of the organization’s internal controls and procedures:

  • ISO 27001 clause 9.1 – Monitoring, measurement, analysis and evaluation
    Rationale: the periodic application of verifiable methods to check the performance and effectiveness of controls gives organizations the evaluation data needed to support the report, and makes the evidence repeatable rather than assembled once a year for the audit.
    For more information: How to perform monitoring and measurement in ISO 27001; Logging and monitoring according to ISO 27001 A.12.4
  • ISO 27001 clause 9.2 – Internal audit
    Rationale: an internal, independent review gives top management increased assurance about the implemented controls and processes before signing the management assessment.
    For more information: How to prepare for an ISO 27001 internal audit; How to make an Internal Audit checklist for ISO 27001 / ISO 22301
  • ISO 27001 clause 9.3 – Management review
    Rationale: ISO 27001 provides a list of inputs and outputs that must be considered in a management review. This minimizes the chance that important issues are overlooked, and produces a record of top management’s involvement.
    For more information: Why is management review important for ISO 27001 and ISO 22301?

When it comes to the SOX requirement for an external audit (section 404(b)), an organization should document and retain all the processes, plans and records required by ISO 27001 clause 9: measurement results, internal audit programmes and reports, and management review minutes. These records are the evidence external auditors need to attest to the effectiveness of the implemented controls, and they also demonstrate top management’s commitment to maintaining them.

In short, ISO 27001 provides a framework for the systematic and continuous monitoring of security controls. It produces and organizes the information needed to back top management’s assessment and to show external auditors that the implemented controls are effective.

A global approach to a local issue

Although SOX has introduced heavy and costly requirements for organizations that trade on U.S. markets, it has clearly improved the transparency and accuracy of the financial data provided to the public and to investors. In turn, this has helped restore confidence in the U.S. financial system.

By adopting ISO 27001 practices to support SOX section 404 compliance, organizations gain a systematic way to ensure, and to demonstrate, the effectiveness of the security controls and procedures related to their financial reporting. They can also review their approach and use the resulting information to improve security measures when and where necessary.

Additionally, as a worldwide standard, ISO 27001 practices can also be used to support compliance with other legal and regulatory requirements, saving costs through a common monitoring and review approach.

To learn more about how ISO 27001 can help you comply with SOX section 404, use this free online training: ISO 27001 Foundations Online Course.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.