PCI-DSS vs ISO 27001

Lately I have been working on PCI-DSS compliance, implementing this standard in an organization that handles cardholder data. Obviously, many controls, procedures and processes of PCI-DSS are the same as in ISO 27001, which I also know well because I have worked on the implementation and maintenance of this ISO standard at Ariadnex, the company where I currently work. For this reason, I would like to write about these two standards in this post.

First, when comparing the scope of the two standards: in ISO 27001 the scope depends on the company. For example, the scope could be a specific office or a service of the company, so the company can choose the scope it wants. In PCI-DSS, however, the scope is exactly the credit cardholder information. As a result, the company can't choose the scope; it is defined by the PCI-DSS standard. In addition, the controls in ISO 27001 are recommendations while the controls in PCI-DSS are mandatory. Therefore, ISO 27001 is more flexible than PCI-DSS.

On the other hand, the ISO 27001 recertification audit is performed every three years, and a smaller-scope audit is also performed every year, which only covers some controls chosen randomly by the auditor. In contrast, PCI-DSS requires vulnerability scanning at least quarterly, an onsite audit annually and a penetration test annually for level 1.

Speaking about vulnerability scanning, it's a requirement that external vulnerability scans are done by an ASV (Approved Scanning Vendor), while internal vulnerability scans and penetration tests can be done by internal resources of the company that are not an ASV. In addition, it's also a requirement that critical security patches are installed within one month of release and other security patches within an appropriate time frame (for example, within three months).

Another thing to mention is the external company that is going to audit your company. A PCI-DSS audit should be done by a QSA (Qualified Security Assessor); today there are only 9 companies in Spain that can audit against the PCI-DSS standard. If you want to become a QSA, you have to be willing to spend $3300 on a course and an exam in London and another $1500 annually to renew your qualification. However, if you want to get ISO 27001 certification, you should contact SGS, Aenor, Bureau Veritas, etc., but I don't really know what the requirements are to be an ISO 27001 certification company.

If we apply for one of these standards and pass the audit, we get a certificate stating the scope and services that are in compliance. For instance, we can see the AoC (Attestation of Compliance) of Microsoft, the AoC of Akamai and the AoC of Visa, as well as the ISO 27001 certificate of Amazon and the ISO 27001 certificate of Akamai.

Next, we can see a high-level mapping of PCI-DSS requirements to ISO 27001:

To sum up, PCI-DSS is a standard covering the information security of credit cardholders' data, whereas ISO 27001 is a specification for an information security management system.

Regards my friend and remember, drop a line with the first thing you're thinking.