Security Basics mailing list archives
RE: ISO 27001 mapping to PCI
From: "Jason P. Rusch" <saltynetguru () infosec-rusch com>
Date: Sun, 24 Feb 2008 11:05:08 -0500
Here are some of the mappings , http://www.infosec-rusch.com/downloads/xshared user = securityguest pass = 00%S3curity Have fun On Thu, 2008-02-21 at 20:02 -0500, Jason P. Rusch wrote:
As a note to anyone that has seen yet, the PCI SAQ has been updated to v1.1. It now has 228 questions, its now in-line with the standard. OH also I tried to send the ISO 27001 - NIST sp80053 - Cobit, mapping, the list said the doc was too big. So I will upload it to my site and send out a link by this weekend. Keep looking for it. It was originally authored by Erik Knutila. As a wise SysAdmin once said, theirs no patch for stupidity! On Fri, 2008-02-22 at 11:38 +1100, Craig Wright wrote:It is missing a bit. 1: Install and maintain a firewall configuration to protect cardholder data And "A 5 Information Security Policy" Are not linked. The standard states that there needs to be a number of "configuration standards" (1.1) and a formal process. This requires that a firewall policy is in place. To link the processes in PCI with ISO 27001, you need to go into more detail. You can not take the headers and match these, this does not provide a sufficient level of detail and this is where people go wrong. As an other example, you have not matched any of the PCI control sections (from 1-11) against " A 8 Human Resources Security" - which is a key requirement of PCI-DSS. As an example, PCI-DSS 8.5 states "Ensure proper user authentication and password management for non-consumer users and administrators on all system components" - the testing process for this control is " Review procedures and interview personnel to verify that procedures are implemented for user authentication and password management". In particular, and as an example, 8.5.4 states: " Immediately revoke access for any terminated users", this is clearly a function of A 8 - HR in ISO 27001. Need I cover A13? Regards, Craig Wright GSE-Compliance Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 Craig.Wright () bdo com au +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/ Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Bowers, Jeramy J Sent: Friday, 22 February 2008 1:08 AM To: 'saltynetguru () infosec-rusch com'; security-basics () securityfocus com Subject: ISO 27001 mapping to PCI I'd be interested in a copy of your sp800-53 to ISO 27001 mappings, if you're sharing. Jeramy Bowers Security Analyst School of Medicine Indiana University (317) 278-7520 -----Original Message----- From: Jason P. Rusch [mailto:saltynetguru () infosec-rusch com] Sent: Wednesday, February 20, 2008 11:49 AM To: security-basics () securityfocus com Subject: ISO 27001 mapping to PCI Does anyone have in their possession such as a excel file that directly maps PCI requirements to ISO 27001. I have several that map sp800-53 to Cobit to ISO 27001/27002, but really need a mapping PCI to ISO 27001. -- --- Sincerely Jason P. Rusch, CISSP, CISM, CISA Certified Information Security Consultant Wesley Chapel, FL 33543 saltynetguru () infosec-rusch com www.infosec-rusch.com "There is no patch for stupidity" The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
-- --- Sincerely Jason P. Rusch, CISSP, CISM, CISA Certified Information Security Consultant Wesley Chapel, FL 33543 saltynetguru () infosec-rusch com www.infosec-rusch.com "There is no patch for stupidity" The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
Current thread:
- ISO 27001 mapping to PCI Jason P. Rusch (Feb 20)
- ISO 27001 mapping to PCI Bowers, Jeramy J (Feb 21)
- Re: ISO 27001 mapping to PCI guiness.stout (Feb 21)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 22)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 22)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 25)
- ISO 27001 mapping to PCI Bowers, Jeramy J (Feb 21)
- Message not available
- Message not available
- ISO 27001 mapping to PCI Harshal Mehta (Feb 21)
- Message not available
- Re: ISO 27001 mapping to PCI p1g (Feb 25)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 25)
- Re: ISO 27001 mapping to PCI Mike Lococo (Feb 26)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 26)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 26)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 26)
- RE: ISO 27001 mapping to PCI Palmer, Mark (Feb 26)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 25)
- <Possible follow-ups>
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 26)