Re: ISO 27001 mapping to PCI

I agree that each compliance effort brings its own tasks, contacts,  
and methods. You can see the value for an organization to minimize the  
complexity thus making policy/standards creation and documentation a  
more streamlined effort. Where standards 'overlap' might create  
opportunity for enterprise to have a policy that minimizes this  
complexity and thereby help promote ongoing compliance and mitigate  
maintenance. If the real goal is security, it's the process that is  
most important, I'm sure you'll agree that there is no such thing as  
arriving at security. Understanding where and why certain standards  
and compliance mechanisms exist in a holistic way can only help to  
ensure that enterprises will be more likely to adopt and maintain  
policies that fit this effort, and not create policies that conflict  
with each other, or are too difficult to understand to work.

Sean Swayze

On 25-Feb-08, at 8:09 PM, Craig Wright wrote:

> Except that ISO 27001 and PCI audits are not the same and can not be  
> completed by the same people at the same time.
>
> Unless the ISO 27001 accreditation is scoped to "only" systems that  
> collect or process payment card data, then this is moot anyway.
>
> This is looking at compliance the wrong way. It is a reverse of what  
> should be considered.
>
> Regards,
> Craig Wright (GSE-Compliance)
>
>
> Craig Wright
> Manager of Information Systems
>
> Direct : +61 2 9286 5497
> Craig.Wright@bdo.com.au
> +61 417 683 914
>
> BDO Kendalls (NSW)
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
>
> Liability limited by a scheme approved under Professional Standards  
> Legislation in respect of matters arising within those States and  
> Territories of Australia where such legislation exists.
>
> The information in this email and any attachments is confidential.  
> If you are not the named addressee you must not read, print, copy,  
> distribute, or use in any way this transmission or any information  
> it contains. If you have received this message in error, please  
> notify the sender by return email, destroy all copies and delete it  
> from your system.
>
> Any views expressed in this message are those of the individual  
> sender and not necessarily endorsed by BDO Kendalls. You may not  
> rely on this message as advice unless subsequently confirmed by fax  
> or letter signed by a Partner or Director of BDO Kendalls. It is  
> your responsibility to scan this communication and any files  
> attached for computer viruses and other defects. BDO Kendalls does  
> not accept liability for any loss or damage however caused which may  
> result from this communication or any files attached. A full version  
> of the BDO Kendalls disclaimer, and our Privacy statement, can be  
> found on the BDO Kendalls website at http://www.bdo.com.au/ or by  
> emailing mailto:administrator@bdo.com.au.
>
> BDO Kendalls is a national association of separate partnerships and  
> entities.
>
> -----Original Message-----
>
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com 
> ] On Behalf Of PCSC Information Services
> Sent: Tuesday, 26 February 2008 9:16 AM
> To: p1g
> Cc: Jason P. Rusch; security-basics@securityfocus.com
> Subject: Re: ISO 27001 mapping to PCI
>
> p1g,
>
> I believe that the value of mapping these standards to each other
> allows for the
> qualification of the organization against multiple standards without
> requiring a
> duplication of efforts. Where standards match other standard's
> requirements an
> organization can count those steps as well. Measure twice, cut once.
>
>
> Best,
>
> Sean Swayze
>
> On 24-Feb-08, at 10:58 PM, p1g wrote:
>
> > What am I missing here? I probably sound real dumb, but why are we
> > mapping standards to each other?
> >
> >
> > On Wed, Feb 20, 2008 at 11:49 AM, Jason P. Rusch
> > <saltynetguru@infosec-rusch.com> wrote:
> > > Does anyone have in their possession such as a excel file that
> > > directly
> > > maps PCI requirements to ISO 27001.
> > >
> > > I have several that map sp800-53 to Cobit to ISO 27001/27002, but
> > > really
> > > need a mapping PCI to ISO 27001.
> > >
> > >
> > > --
> > >
> > >
> > > ---
> > > Sincerely
> > >
> > > Jason P. Rusch, CISSP, CISM, CISA
> > > Certified Information Security Consultant
> > > Wesley Chapel, FL 33543
> > > saltynetguru@infosec-rusch.com
> > > www.infosec-rusch.com
> > >
> > > "There is no patch for stupidity"
> > >
> > > The information transmitted is intended only for the person or
> > > entity to
> > > which it is addressed and may contain confidential and/or privileged
> > > material. Any review, retransmission, dissemination or other use
> > > of, or
> > > taking of any action in reliance upon, this information by persons  
> > > or
> > > entities other than the intended recipient is prohibited. If you
> > > received this in error, please contact the sender and delete the
> > > material from any computer.
> >
> >
> >
> > --
> > -p1g
> > SnortCP, C|HFI, TNCP, TECP, NACP, A+
> > ,,__
> > o"     )~  oink oink
> >  ' ' ' '
> >
> > If you spend more on coffee than on IT security, you will be hacked.
> > What's more, you deserve to be hacked.
> > -- former White House cybersecurity czar Richard Clarke