Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.
Included in this edition are the following topics:
SECTION 12: THE SARBANES-OXLEY ACT
The Sarbanes-Oxley Act was signed into law on 30th July 2002, on the back of the Enron scandal, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
These legislative changes in the US are also of particular interest to users of ISO 17799 generally, as they deal with the requirement to monitor internal controls, including information security procedures. In addition, of course, ISO17799 itself embraces legislative compliance within Section 12.
For these reasons, each issue of The ISO27000 Newsletter covers a different aspect of this legislation. The topic covered in this issue is “Corporate Responsibility for Financial Reports”
Periodic statutory financial reports issued by public companies must include certifications that:
- The signing officers have reviewed the report
- The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
- A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
- The report does not contain any material untrue statements or material omission or be considered misleading
- The financial statements and related information fairly present the financial condition and the results in all material respects
- Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
Importantly, it is also specified that organizations may not attempt to avoid these requirements by reincorporating their activities or transferring their activities outside of the United States
With compliance deadlines for the Sarbanes-Oxley Act fast approaching, focus on the legislation, and indeed its security implications, is increasing. For more information on this legislation, the Sarbanes-Oxley Community provides a public forum and FAQ.