Security Basics mailing list archives
Re: ISO 27001 mapping to PCI
From: "W. Lee Schexnaider" <l.schex () gmail com>
Date: Mon, 25 Feb 2008 13:58:19 -0600
Hello,

Actually, this type of work is what I do at Symantec for the CCS product's policy and response modules (http://www.symantec.com/business/products/overview.jsp?pcid=2243&pvid=1482_1). We actually take a different approach. We have a common set of "control statements". We link parts of various regulations, best practices and frameworks to this set of "normalized" control statements, each with a name and description. The product can then pull "evidence" of compliance (system technical checks, questionnaire responses by humans) that also links to the appropriate control statements. This way, if you meet one control statement, you can report that it covers aspects of other linked regs, best practices or frameworks.

Obviously, I can't share these linkages with the list, since they are proprietary, but I have some suggestions. You will have to dig beyond the upper-level section headers for these types of documents. Also, they may wander a bit beyond the header topic (Cobit especially). The management sections of these types of documents generally have a similar structure: write, document and maintain a high-level policy; write, document and maintain plans and procedures; implement the plans and procedures; review the plans and procedures; audit or review the results of the plans and procedures; and report the results.

Of course, the real meat in ISO 27001 is Appendix A, and that is where you would probably spend most of your mapping time, apart from looking at the ISMS. PCI is a lower-level document. You may need to look at those higher-level documents (policies, procedures) as well.

We spend quite a bit of time doing this matching process, so it can be time consuming. But, because of the similarity of these documents, I feel that in the future this process will become a standard way of dealing with these issues. Right now many businesses have their compliance efforts "silo'd" into various groups that don't talk to each other or share information.
That approach is getting too manpower-intensive (even if they can find qualified people to do the job). I wish you good luck with this effort. I get this list through my gmail account, but you can contact me at my business email also if you have any other questions.

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office: 713.561.4111
5151 San Felipe
Houston, Texas 77056
Email: lee_schexnaider () symantec com
-----------------------------------------------------

On Wed, Feb 20, 2008 at 10:49 AM, Jason P. Rusch <saltynetguru () infosec-rusch com> wrote:
Does anyone have in their possession something such as an Excel file that directly maps PCI requirements to ISO 27001? I have several that map SP 800-53 to Cobit to ISO 27001/27002, but really need a mapping of PCI to ISO 27001.

--
---
Sincerely
Jason P. Rusch, CISSP, CISM, CISA
Certified Information Security Consultant
Wesley Chapel, FL 33543
saltynetguru () infosec-rusch com
www.infosec-rusch.com
"There is no patch for stupidity"

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
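The "normalized control statement" approach described in the reply above (framework clauses linked to a common set of controls, evidence linked to the same controls, coverage reported across frameworks) can be sketched as a small data model. The following is an added example written for this archive page; it is not Symantec CCS code, and the catalog contents are constructed: the control names, the evidence records and the clause references (ISO 27001 Annex A items, PCI DSS requirement numbers) are illustrative and should be checked against the edition of each standard actually in use.

```python
"""Normalized control-statement catalog with cross-framework coverage reporting.

Added illustration of the mapping approach from the mail above; all controls,
clause references and evidence below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Clause:
    """One section of a regulation, framework or best practice."""
    framework: str   # e.g. "ISO27001", "PCI-DSS"
    ref: str         # section / requirement identifier inside that framework


@dataclass
class ControlStatement:
    """A normalized control; clauses from several frameworks link to it."""
    name: str
    description: str
    clauses: Set[Clause] = field(default_factory=set)


@dataclass
class Evidence:
    """A compliance result linked to a control: a system check or a questionnaire answer."""
    control: str
    kind: str        # "technical-check" or "questionnaire"
    passed: bool


class ControlCatalog:
    def __init__(self) -> None:
        self.controls: Dict[str, ControlStatement] = {}
        self.evidence: Dict[str, List[Evidence]] = defaultdict(list)

    def add_control(self, control: ControlStatement) -> None:
        self.controls[control.name] = control

    def add_evidence(self, ev: Evidence) -> None:
        # Evidence must attach to a known control, otherwise it can never be reported.
        if ev.control not in self.controls:
            raise KeyError(f"evidence links to unknown control {ev.control!r}")
        self.evidence[ev.control].append(ev)

    def control_status(self, name: str) -> str:
        evs = self.evidence.get(name, [])
        if not evs:
            return "no-evidence"
        if all(e.passed for e in evs):
            return "met"
        if any(e.passed for e in evs):
            return "partial"
        return "failed"

    def clauses_for(self, framework: str) -> Dict[str, Set[str]]:
        """Map each clause ref of one framework to the control names linked to it."""
        out: Dict[str, Set[str]] = defaultdict(set)
        for c in self.controls.values():
            for cl in c.clauses:
                if cl.framework == framework:
                    out[cl.ref].add(c.name)
        return out

    def coverage(self, framework: str) -> Dict[str, str]:
        """Per-clause status: a clause is 'met' only when every linked control is met;
        one failed control fails the clause, one unevidenced control leaves it open."""
        report: Dict[str, str] = {}
        for ref, names in self.clauses_for(framework).items():
            statuses = {self.control_status(n) for n in names}
            for worst in ("failed", "no-evidence", "partial"):
                if worst in statuses:
                    report[ref] = worst
                    break
            else:
                report[ref] = "met"
        return report

    def crosswalk(self, src: str, dst: str) -> Dict[str, List[str]]:
        """For each src clause, the dst clauses that share a control with it."""
        out: Dict[str, Set[str]] = defaultdict(set)
        for c in self.controls.values():
            srcs = [cl.ref for cl in c.clauses if cl.framework == src]
            dsts = [cl.ref for cl in c.clauses if cl.framework == dst]
            for s in srcs:
                out[s].update(dsts)
        return {k: sorted(v) for k, v in out.items()}


def build_sample_catalog() -> ControlCatalog:
    """Constructed sample: three controls, evidence of mixed quality."""
    cat = ControlCatalog()
    cat.add_control(ControlStatement("policy-document", "An approved, maintained security policy exists",
                                     {Clause("ISO27001", "A.5.1.1"), Clause("PCI-DSS", "12.1")}))
    cat.add_control(ControlStatement("policy-review", "The policy is reviewed at planned intervals",
                                     {Clause("ISO27001", "A.5.1.2"), Clause("PCI-DSS", "12.1.3")}))
    cat.add_control(ControlStatement("default-passwords-changed", "Vendor defaults changed before deployment",
                                     {Clause("PCI-DSS", "2.1"), Clause("ISO27001", "A.11.2.3")}))
    cat.add_evidence(Evidence("policy-document", "questionnaire", True))
    cat.add_evidence(Evidence("policy-review", "questionnaire", True))
    cat.add_evidence(Evidence("default-passwords-changed", "technical-check", True))
    cat.add_evidence(Evidence("default-passwords-changed", "technical-check", False))  # one host still on defaults
    return cat


if __name__ == "__main__":
    catalog = build_sample_catalog()
    for fw in ("PCI-DSS", "ISO27001"):
        print(fw, catalog.coverage(fw))
    print("PCI -> ISO", catalog.crosswalk("PCI-DSS", "ISO27001"))
```

The point of the model is the one the mail makes: the mapping work is done once, clause to control, and evidence is attached to controls rather than to any single regulation, so a single passed check or questionnaire answer rolls up into every framework that links to that control. The `coverage` report is deliberately conservative (one failing host makes the PCI 2.1 line "partial", not "met"), which is the behaviour an auditor will expect from a crosswalk.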
Current thread:
- RE: ISO 27001 mapping to PCI, (continued)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 22)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 25)
- ISO 27001 mapping to PCI Harshal Mehta (Feb 21)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 25)
- Re: ISO 27001 mapping to PCI Mike Lococo (Feb 26)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 26)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 26)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 26)
- RE: ISO 27001 mapping to PCI Palmer, Mark (Feb 26)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 26)
- Re: ISO 27001 mapping to PCI W. Lee Schexnaider (Feb 26)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 27)
- Re: ISO 27001 mapping to PCI W. Lee Schexnaider (Feb 27)
- Re: ISO 27001 mapping to PCI exzactly (Feb 27)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 27)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 28)