Security Basics mailing list archives

Re: ISO 27001 mapping to PCI


From: "W. Lee Schexnaider" <l.schex () gmail com>
Date: Mon, 25 Feb 2008 13:58:19 -0600

Hello,

Actually, this type of work is what I do at Symantec for the CCS
product's policy and response modules (
http://www.symantec.com/business/products/overview.jsp?pcid=2243&pvid=1482_1
).  We actually take a different approach.  We have a common set of
"control statements".  We link parts of various regulations, best
practices and frameworks to this set of "normalized" control
statements, each with a name and description.  The product can then
pull "evidence" of compliance (system technical checks, questionnaire
responses by humans) that also link to the appropriate control
statements.  This way if you meet one control statement you can report
that it covers aspects of other linked regs, best practices or
frameworks.

Obviously, I can't share these linkages with the list, since they are
proprietary, but I have some suggestions.  You will have to dig beyond
the upper-level section headers for these types of documents.  Also,
they may wander a bit beyond the header topic (Cobit especially).
The management sections of these types of documents generally have a
similar structure: write, document and maintain a high-level policy,
write, document and maintain plans and procedures, implement the plans
and procedures, review the plans and procedures, audit or review the
results of the plans and procedures and report the results.  Of
course, the real meat in ISO 27001 is Appendix A and that is where you
would probably spend most of your mapping time, apart from looking at
the ISMS.  PCI is a lower-level document. You may need to look at
those higher-level documents (policies, procedures) as well.

We spend quite a bit of time doing this matching process, so it can be
time consuming. But, because of the similarity of these documents, I
feel in the future that this process will become a standard way of
dealing with these issues.  Right now many businesses have their
compliance efforts "silo'd" into various groups that don't talk to
each other or share information.  That approach is getting too
manpower-intensive (even if they can find qualified people to do the
job).

I wish you good luck with this effort.  I get this list through my
gmail account, but you can contact me at my business email also if you
have any other questions.

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office:  713.561.4111
5151 San Felipe
Houston, Texas 77056
Email: lee_schexnaider () symantec com
-----------------------------------------------------
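The normalized "control statement" approach described above, as an added toy model (example code written for this page, not the CCS product's or the poster's code): regulations link to shared control statements, evidence links to the same statements, and coverage is reported per framework. The control ids, section references and evidence sources are constructed placeholders, not a vetted mapping.

```python
from collections import defaultdict

class ControlCatalog:
    """Normalized control statements linked to framework sections and evidence."""
    def __init__(self):
        self.controls = {}                 # cid -> (name, description)
        self.links = defaultdict(set)      # (framework, section) -> {cid, ...}
        self.evidence = defaultdict(list)  # cid -> [(source, passed), ...]

    def add_control(self, cid, name, description):
        self.controls[cid] = (name, description)
    def link(self, cid, framework, section):
        self.links[(framework, section)].add(cid)  # many-to-many
    def add_evidence(self, cid, source, passed):
        self.evidence[cid].append((source, passed))  # technical check or questionnaire

    def control_status(self, cid):
        ev = self.evidence.get(cid)
        return "no evidence" if not ev else "met" if all(ok for _, ok in ev) else "unmet"

    def coverage(self, framework):
        """Per-section status; a section is met only if every linked control is met."""
        out = {}
        for (fw, section), cids in self.links.items():
            if fw == framework:
                statuses = {self.control_status(c) for c in cids}
                out[section] = ("met" if statuses == {"met"} else
                                "unmet" if "unmet" in statuses else "no evidence")
        return out

    def crosswalk(self, framework, section, other):
        """Sections of `other` sharing a control statement with (framework, section)."""
        cids = self.links.get((framework, section), set())
        return sorted(s for (fw, s), c in self.links.items() if fw == other and c & cids)

def demo_catalog():
    # Constructed sample data; section ids are illustrative, not a vetted mapping
    cat = ControlCatalog()
    cat.add_control("CS-01", "Security policy", "A written policy is approved and maintained")
    cat.add_control("CS-02", "Policy review", "The policy is reviewed on a defined schedule")
    cat.add_control("CS-03", "Password rules", "Passwords meet a minimum length")
    cat.add_control("CS-04", "Incident plan", "An incident response plan is documented")
    cat.link("CS-01", "ISO27001", "A.5.1.1"); cat.link("CS-01", "PCI", "12.1")
    cat.link("CS-02", "ISO27001", "A.5.1.2"); cat.link("CS-02", "PCI", "12.1")
    cat.link("CS-03", "ISO27001", "A.11.3.1"); cat.link("CS-03", "PCI", "8.5")
    cat.link("CS-04", "ISO27001", "A.13.2.1")
    cat.add_evidence("CS-01", "questionnaire:policy-owner", True)
    cat.add_evidence("CS-02", "questionnaire:policy-owner", True)
    cat.add_evidence("CS-03", "technical-check:min-password-length", False)
    return cat
```

Because PCI 12.1 is linked to two control statements here, it is reported as met only when both have passing evidence, which is the conservative reading a mapping spreadsheet usually hides.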


On Wed, Feb 20, 2008 at 10:49 AM, Jason P. Rusch
<saltynetguru () infosec-rusch com> wrote:
Does anyone have in their possession something such as an Excel file that directly
maps PCI requirements to ISO 27001?

I have several that map SP 800-53 to Cobit to ISO 27001/27002, but really
need a mapping of PCI to ISO 27001.


--
Sincerely

Jason P. Rusch, CISSP, CISM, CISA
Certified Information Security Consultant
Wesley Chapel, FL 33543
saltynetguru () infosec-rusch com
www.infosec-rusch.com

"There is no patch for stupidity"

