I'm not going to get into a debate with you on this - simply stating
that the preparation for audits is very different than the execution of
audits. For the record, my working for a vendor in this space has
nothing to do with my opinion. I spent nearly a decade with a Fortune
500, and used the same approach very effectively on the customer side.
There is sufficient overlap in the preparation stages for different
standards that it makes sense to tag atomic items (controls) if they are
included in multiple standards for reuse. This is really no different
than a platform like .NET making reusable services available to multiple
programs. Where the controls are identical, it makes no sense to do
them separately and at multiple times by multiple people simply because
they fall into different, higher-order standards.
Cheers.
Sheldon Malm
Director
Security Research & Development
nCircle Network Security
Check out the VERT daily post
http://blog.ncircle.com/vert
-----Original Message-----
From: Craig Wright [mailto:Craig.Wright@bdo.com.au]
Sent: Tuesday, February 26, 2008 1:14 PM
To: Sheldon Malm; Craig Wright; PCSC Information Services; p1g; Jason P.
Rusch
Cc: security-basics@securityfocus.com
Subject: RE: ISO 27001 mapping to PCI
Well you are marketing a product So I would expect Such a response.
The reality is that this approach is BS. Any organisation that I have
seen doing this Fails @ least one if not both.
Different systems have Separate requirements. You Can make an ISO
27001/2 ISMS for a PCI system -but it will not apply elsewhere and is
more work then Completing each one at a time.
Craig (GSE-Compliance,G7799,GPCI...)
-----Original Message-----
From: "Sheldon Malm" <smalm@ncircle.com>
To: "Craig Wright" <Craig.Wright@bdo.com.au>; "PCSC Information
Services" <info@pcsage.biz>; "p1g" <killfactory@gmail.com>; "Jason P.
Rusch" <saltynetguru@infosec-rusch.com>
Cc: "security-basics@securityfocus.com"
<security-basics@securityfocus.com>
Sent: 27/02/08 2:56 AM
Subject: RE: ISO 27001 mapping to PCI
Absolutely disagree with your comments, Craig. The initial question is
not about getting a single auditor to perform multiple assessments in
one step; it's about preparing for multiple, recurring audits in the
future by taking prose guidelines and standards and boiling them down to
a list of controls that can be checked for. These controls can then be
mapped to multiple standards to address each of the assessments when
audits are taking place.
This approach is highly cost effective for businesses and is also the
process used by any automated solution worth its salt (including the one
from nCircle). There is absolutely nothing wrong with leveraging
publicly available standards and mappings instead of re-inventing the
wheel in house. As a matter of fact it's a best practice, and mitre has
made fantastic progress in the Windows space with this kind of exercise
for their CCE project.
Sheldon Malm
Director
Security Research & Development
nCircle Network Security
Check out the VERT daily post
http://blog.ncircle.com/vert
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Craig Wright
Sent: Monday, February 25, 2008 8:09 PM
To: 'PCSC Information Services'; p1g
Cc: Jason P. Rusch; security-basics@securityfocus.com
Subject: RE: ISO 27001 mapping to PCI
Except that ISO 27001 and PCI audits are not the same and can not be
completed by the same people at the same time.
Unless the ISO 27001 accreditation is scoped to "only" systems that
collect or process payment card data, then this is moot anyway.
This is looking at compliance the wrong way. It is a reverse of what
should be considered.
Regards,
Craig Wright (GSE-Compliance)
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497 http://www.bdo.com.au/
Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.
The information in this email and any attachments is confidential. If
you are not the named addressee you must not read, print, copy,
distribute, or use in any way this transmission or any information it
contains. If you have received this message in error, please notify the
sender by return email, destroy all copies and delete it from your
system.
Any views expressed in this message are those of the individual sender
and not necessarily endorsed by BDO Kendalls. You may not rely on this
message as advice unless subsequently confirmed by fax or letter signed
by a Partner or Director of BDO Kendalls. It is your responsibility to
scan this communication and any files attached for computer viruses and
other defects. BDO Kendalls does not accept liability for any loss or
damage however caused which may result from this communication or any
files attached. A full version of the BDO Kendalls disclaimer, and our
Privacy statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au/ or by emailing mailto:administrator@bdo.com.au.
BDO Kendalls is a national association of separate partnerships and
entities.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of PCSC Information Services
Sent: Tuesday, 26 February 2008 9:16 AM
To: p1g
Cc: Jason P. Rusch; security-basics@securityfocus.com
Subject: Re: ISO 27001 mapping to PCI
p1g,
I believe that the value of mapping these standards to each other allows
for the qualification of the organization against multiple standards
without requiring a duplication of efforts. Where standards match other
standard's requirements an organization can count those steps as well.
Measure twice, cut once.
Best,
Sean Swayze
On 24-Feb-08, at 10:58 PM, p1g wrote:
What am I missing here? I probably sound real dumb, but why are we
mapping standards to each other?
On Wed, Feb 20, 2008 at 11:49 AM, Jason P. Rusch
<saltynetguru@infosec-rusch.com> wrote:
Does anyone have in their possession such as a excel file that
directly maps PCI requirements to ISO 27001.
I have several that map sp800-53 to Cobit to ISO 27001/27002, but
really need a mapping PCI to ISO 27001.
--
---
Sincerely
Jason P. Rusch, CISSP, CISM, CISA
Certified Information Security Consultant Wesley Chapel, FL 33543
saltynetguru@infosec-rusch.com www.infosec-rusch.com
"There is no patch for stupidity"
The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or
privileged material. Any review, retransmission, dissemination or
other use of, or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient
is prohibited. If you received this in error, please contact the
sender and delete the material from any computer.
--
-p1g
SnortCP, C|HFI, TNCP, TECP, NACP, A+
,,__
o" )~ oink oink
' ' ' '
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
