PCI DSS and Regulatory Compliance Blog

PCI DSS vs ISO 17799

May 28th, 2007 Posted in PCI DSS

Many people have asked about the relationship between PCI and the “7799” documents such as BS7799, ISO 17799, and ISO 27001. I don’t have an answer for them because many standards are based on the ISO 17799 standard, but in the Resources page you will find a link to a 2006 whitepaper on “Using BS7799 to Streamline PCI Certification”.

Do you know of any others?

11 Responses to “PCI DSS vs ISO 17799”

  1. By planetheidi on May 28, 2007

    Wait, let’s get our standards straight first. BS/ISO 17799 is a list of controls, as is the PCI DSS. ISO 27001 is a system of managing risks and applying controls: Plan-Do-Check-Act. Normally, 27001 uses the 17799 controls as a method of managing those risks.

    However, you can (and I have) use ISO 27001 to build a security program (aka an ISMS) which uses the PCI DSS as the list of controls instead. So that is the relationship between these standards.

  2. By datasecurity on May 28, 2007

    Thanks for the clarification. I know that ISO 27001 is the certification which implements the ISO 17799 controls, as you mention. There’s an entirely different conversation to be had about the nomenclature of security, but I was hoping not to get into that.

    Btw, nice website.

  3. By Rob Newby on May 28, 2007

    I should have posted on this, it was originally a British Standard after all. OK, so I live in Spain now…

    planetheidi makes a good point about the ISO 27001 ISMS (and writes a fantastic story, check out the website, I was there for 3 hours…). The only way that you can certify that you are in conformance with ISO 17799 is through an ISO 27001 ISMS. PCI DSS would certainly benefit from an ISO 27001 ISMS, but it is not necessary; that’s what we have QSAs for.

    ISO 17799 concentrates solely on control objectives, whereas PCI DSS covers control objectives and controls. This makes it more of a mixture of 17799 and 27001 (in my opinion). This means ISO 17799 focuses at a management level, whereas PCI DSS mixes technical and management to some extent. That is the basis of many of the gripes we hear here.

    ISO 17799 is an international information security standard. PCI DSS is a product of the credit card industry, and is run through the PCI Security Standards Council. Therefore ISO standards are voluntary, whereas PCI compliance is mandatory; otherwise you will face fines or operating restrictions.

  4. By APM on May 29, 2007

    I have seen this document from Insight Consulting but have not reviewed it to be honest.

    The IT Compliance Institute has a PDF cross-referencing all sorts of compliance requirements on their site http://www.itcinstitute.com/ under their Unified Compliance Project banner. Free registration is required, then go to this page. They have a free PDF matrix and a pay-for customizable Excel matrix. PCI is actually listed as “MasterCard SDP” on the matrix, so how up to date and accurate it is, I can’t say.

    I also have another Excel cross-reference matrix but can’t access that until tomorrow, and I need to check its source for publishability.

  5. By planetheidi on May 29, 2007

    Agreed with all. The real power of ISMS 27001 certification, in addition to being able to pick up proof of PCI compliance (if you match up the controls correctly), is that you can also use the same cert for other compliance needs (GLB, HIPAA, etc.). It gets more useful if you’re an international org, as ISO is more recognized there.

    As I said though, I have implemented a PCI solution using the ISMS method. We saw it as PCI telling us “what to do” and 27001 telling us “how to do it.”

    PS: Thanks for the kind words on the web comic. Been working on book 2.

  6. By DAG on May 29, 2007

    There is a separate related discussion around the overlap between various frameworks like 17799 and PCI.

    The notional idea might be that an organization going or having gone down the 17799 path might be able to make a few small tweaks to plug in PCI. Then as you maintain and monitor your controls, you can more easily demonstrate compliance with both standards.

    As you dig just below the surface, you find that the control sets are often pitched at different levels. There will be overlap, subsets, disconnects between them, and other surprises that require analysis and understanding. Not everything will hang where you expect it to.

    The UCF mentioned above may help but you may end up having to do that analysis yourself. However you figure it out, 27001 will be a huge help going forward.

    As for getting one cert for all, it would certainly help with your internal assessment. The independent assessment might be a bit trickier as I expect you’d need an assessor that is qualified on all of these standards.

  7. By Rob Newby on May 29, 2007

    I’ve seen a similar post on another site, I think it was LiquidMatrix earlier in the week. I agreed then that people would find it easier to comply with PCI DSS if they were already ISO 17799 compliant. This is still going to be true; of course, if you’ve taken the time and effort to be compliant with an IS standard, the chances are you’ll be closer to compliance with all the others, no matter how closely they are related. Most of these standards are aiming for the same thing: the dreaded “best practices”.

    Is it just me, or is there a lot more talk about compliance all of a sudden?

    Watch this space, but I think we are going to start seeing a lot more convergence of standards, and of security and compliance. Security as we know it now will become the management/technical split that it needs to be (and we’ll all have to decide whether we want to go back to being engineers or become consultants!).

  8. By James McCloskey on Jun 12, 2007

    As Rob Newby notes, there is a lot more talk about compliance these days - and likely more to come as legislation and “industry standards” become more prevalent.

    I optimistically envision a (hopefully) not-too-distant future in which someone with more time than I have develops and maintains a relational DB that represents and manages the overlapping controls associated with various national and international compliance and regulatory regimes.

    The DB could then be used to enter information related to each of the discrete control points (linked to various control objectives), and views/reports from the DB would be structured based on the compliance regime being considered at any given time.

    e.g., “Encrypt data in transit” would be a control point that addresses one element of several regimes’ control objectives for data protection. Policy & process documentation (even self-assessment/audit info) associated with that control point would be input/attached to the control point ONCE. Then when dealing with, for example, a PCI DSS compliance audit (either external or self-assessment), information entered in support of “Encrypt data in transit” would be reported within PCI DSS Requirement 4 (“Encrypt transmission of cardholder data across open, public networks”).

    If anyone knows of existing products and/or initiatives to develop such a product, I’d like to know.
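The control-mapping database described in the comment above, as an added example that is not part of the original post or any product the commenters mention. It is a minimal SQLite model in Python: regime-neutral control points, each regime's own control objectives, a many-to-many mapping between them, and evidence attached once to the control point and then reported per regime. Only the PCI DSS Requirement 4 wording comes from the thread; the regime names are used as labels only, and the other objective references, control names and evidence records are constructed sample data, not clauses of any real standard. A `gaps` query is included because, as DAG notes above, the interesting output of such a mapping is usually the objectives nothing hangs under.

```python
import sqlite3

# Added example (not from the original page). Schema for "enter evidence once,
# report it under whichever regime is being assessed".
SCHEMA = """
CREATE TABLE regime (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE objective (                   -- one regime's control objective
    id        INTEGER PRIMARY KEY,
    regime_id INTEGER NOT NULL REFERENCES regime(id),
    ref       TEXT NOT NULL,               -- the regime's own numbering
    title     TEXT NOT NULL,
    UNIQUE (regime_id, ref)
);
CREATE TABLE control_point (               -- regime-neutral control
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE mapping (                     -- many-to-many: control <-> objective
    control_point_id INTEGER NOT NULL REFERENCES control_point(id),
    objective_id     INTEGER NOT NULL REFERENCES objective(id),
    PRIMARY KEY (control_point_id, objective_id)
);
CREATE TABLE evidence (                    -- policy/process/audit info, stored once
    id               INTEGER PRIMARY KEY,
    control_point_id INTEGER NOT NULL REFERENCES control_point(id),
    kind             TEXT NOT NULL,
    description      TEXT NOT NULL
);
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory database loaded with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO regime(name) VALUES (?)",
                     [("PCI DSS",), ("ISO 17799",)])
    # Only the Requirement 4 title is quoted from the thread. The "X.n" refs are
    # constructed placeholders, not real ISO 17799 clause numbers.
    conn.executemany(
        "INSERT INTO objective(regime_id, ref, title) "
        "SELECT id, ?, ? FROM regime WHERE name = ?",
        [("4", "Encrypt transmission of cardholder data across open, public networks", "PCI DSS"),
         ("3", "Protect stored cardholder data (sample)", "PCI DSS"),
         ("X.1", "Protect information in transit (constructed)", "ISO 17799"),
         ("X.2", "Classify and handle information (constructed)", "ISO 17799")])
    conn.executemany("INSERT INTO control_point(name) VALUES (?)",
                     [("Encrypt data in transit",), ("Encrypt data at rest",)])
    # One control point can satisfy objectives in several regimes.
    conn.executemany(
        "INSERT INTO mapping(control_point_id, objective_id) "
        "SELECT c.id, o.id FROM control_point c CROSS JOIN objective o "
        "JOIN regime r ON r.id = o.regime_id "
        "WHERE c.name = ? AND r.name = ? AND o.ref = ?",
        [("Encrypt data in transit", "PCI DSS", "4"),
         ("Encrypt data in transit", "ISO 17799", "X.1"),
         ("Encrypt data at rest", "PCI DSS", "3")])
    # Evidence hangs off the control point, never off a regime (constructed records).
    conn.executemany(
        "INSERT INTO evidence(control_point_id, kind, description) "
        "SELECT id, ?, ? FROM control_point WHERE name = ?",
        [("policy", "Constructed: transport encryption standard v1", "Encrypt data in transit"),
         ("audit", "Constructed: TLS configuration review, June 2007", "Encrypt data in transit")])
    conn.commit()
    return conn


def report(conn: sqlite3.Connection, regime_name: str) -> dict:
    """Regime-specific view: {objective ref: {"title", "controls": {control: [(kind, desc)]}}}.
    LEFT JOINs keep objectives that have no control or no evidence yet."""
    rows = conn.execute(
        """
        SELECT o.ref, o.title, c.name, e.kind, e.description
        FROM objective o
        JOIN regime r             ON r.id = o.regime_id
        LEFT JOIN mapping m       ON m.objective_id = o.id
        LEFT JOIN control_point c ON c.id = m.control_point_id
        LEFT JOIN evidence e      ON e.control_point_id = c.id
        WHERE r.name = ?
        ORDER BY o.ref, c.name, e.id
        """, (regime_name,)).fetchall()
    out: dict = {}
    for ref, title, ctrl, kind, desc in rows:
        entry = out.setdefault(ref, {"title": title, "controls": {}})
        if ctrl is not None:
            ev = entry["controls"].setdefault(ctrl, [])
            if kind is not None:
                ev.append((kind, desc))
    return out


def gaps(conn: sqlite3.Connection, regime_name: str) -> tuple:
    """(objectives with no mapped control, (objective, control) pairs with no evidence)."""
    r = report(conn, regime_name)
    unmapped = sorted(ref for ref, e in r.items() if not e["controls"])
    unevidenced = sorted((ref, c) for ref, e in r.items()
                         for c, ev in e["controls"].items() if not ev)
    return unmapped, unevidenced


if __name__ == "__main__":
    db = build_db()
    for regime in ("PCI DSS", "ISO 17799"):
        print(regime, report(db, regime))
        print(regime, "gaps:", gaps(db, regime))
```

The point of the model is the `mapping` table: the same two evidence rows surface under PCI DSS Requirement 4 and under the constructed ISO 17799 objective without being entered twice, while `gaps` lists what each regime's assessor would still ask for.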

  9. By Andy Barratt on Jun 14, 2007

    I work in the 27001 certification space, and also PCI DSS. The Insight document is a very good demonstration of how these two standards complement each other.

    If done properly, the scope of the ISMS can be the same as the systems that fall in scope of PCI DSS. Using the two together gives good all-round security management, with PCI giving very precise detail on how to implement certain controls and the ISMS giving the management processes to make sure that risks are constantly reviewed, etc.

    James, I know what you are talking about. We are always saying how nice it would be to have some sort of unified compliance mapping. Some of my colleagues over in India have been working on one that maps COBIT, Basel, 17799, PCI and more…
    However, I sometimes think that it is a more beneficial exercise for a client to go through that process themselves, particularly if they have a relatively immature security model (seen a lot in retailers), as it really makes them think about the risks they are subject to.

    Anyone who is already 27001 certified should find it a doddle to get to PCI if they are implementing most of the controls in the Annex.

  10. By James McCloskey on Jun 14, 2007

    Thanks, Andy.

    I can’t argue with your comment about the mapping being a beneficial exercise… but once the requirements for compliance have sunk in, sustaining senior support for an ongoing compliance regime would be a lot easier if maintaining compliance-related information were less onerous.

  11. By Andy Barratt on Jun 15, 2007

    Agreed, that’s one of the biggest complaints I hear: the ongoing “regime” requirements. Interestingly though, where people run their IS regime by the standard, compliance is much easier :) Granted, that’s not always practical, and certainly in the banking sector there is so much legacy stuff and so many other regulatory requirements that it’s not an option. However, in the retail sector it should be used as a good excuse to formalise some proper security management processes that probably have not really existed in the past.
