Thursday, July 26, 2007

Using ISO 27001 for PCI DSS Compliance

A white paper by Steve Wright,
Siemens Insight Consulting

The Payment Card Industry Data Security
Standard (PCI DSS) isn’t dramatically
different to the requirements of the best
practice security standard, ISO 27001,
except that PCI doesn’t mention any of
the prerequisites required for a
management framework (e.g.
management commitment, scope
definition, security awareness training,
ongoing improvement plans), whereas
ISO 27001 omits a lot of the detail
around how controls are actually
implemented. One could therefore
be forgiven for believing that MasterCard
and Visa assumed PCI would contain
additional security requirements to sit on
top of an already established Information
Security Management System (ISMS).

There is no getting away from the fact that this is good news for
industry as a whole. Any new baseline security standard that
helps measure the security of systems is good news. For
example, it means making sure that firewalls only pass traffic on
accepted and approved ports, ensuring that servers run
only those services that really need to be live, and validating that
databases aren’t configured with vendor-supplied defaults.

The problem is that, as with any baseline standard, it is only as good
as the last review; and herein lies a dilemma. ISO 27001 has
deliberately moved away from specifying or dictating too many
detailed controls (133 in ISO 27001, but over 200 in PCI), as it did
not want it to become a simple tick box exercise. ISO 27001
stipulates that any control an organisation implements
should reflect the level of risk (or vulnerability) that
could cause unnecessary pain should it not be addressed.

PCI does refer to conducting a formal risk assessment (see section
12.1.2 of the standard), but how flexible would a certified
third-party auditor be during the audits?

Would he/she agree with the
organisation that the risks acceptable to
one organisation were deemed
unacceptable to another (depending
upon the risk appetite of the

