Security Basics mailing list archives
RE: ISO 27001 mapping to PCI
From: "Sheldon Malm" <smalm () ncircle com>
Date: Tue, 26 Feb 2008 07:52:13 -0800
Absolutely disagree with your comments, Craig. The initial question is not about getting a single auditor to perform multiple assessments in one step; it's about preparing for multiple, recurring audits in the future by taking prose guidelines and standards and boiling them down to a list of controls that can be checked for. These controls can then be mapped to multiple standards to address each of the assessments when audits are taking place. This approach is highly cost effective for businesses and is also the process used by any automated solution worth its salt (including the one from nCircle). There is absolutely nothing wrong with leveraging publicly available standards and mappings instead of re-inventing the wheel in house. As a matter of fact it's a best practice, and mitre has made fantastic progress in the Windows space with this kind of exercise for their CCE project. Sheldon Malm Director Security Research & Development nCircle Network Security Check out the VERT daily post http://blog.ncircle.com/vert -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright Sent: Monday, February 25, 2008 8:09 PM To: 'PCSC Information Services'; p1g Cc: Jason P. Rusch; security-basics () securityfocus com Subject: RE: ISO 27001 mapping to PCI Except that ISO 27001 and PCI audits are not the same and can not be completed by the same people at the same time. Unless the ISO 27001 accreditation is scoped to "only" systems that collect or process payment card data, then this is moot anyway. This is looking at compliance the wrong way. It is a reverse of what should be considered. Regards, Craig Wright (GSE-Compliance) Craig Wright Manager of Information Systems Direct : +61 2 9286 5497 Craig.Wright () bdo com au +61 417 683 914 BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/ Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of PCSC Information Services Sent: Tuesday, 26 February 2008 9:16 AM To: p1g Cc: Jason P. Rusch; security-basics () securityfocus com Subject: Re: ISO 27001 mapping to PCI p1g, I believe that the value of mapping these standards to each other allows for the qualification of the organization against multiple standards without requiring a duplication of efforts. Where standards match other standard's requirements an organization can count those steps as well. Measure twice, cut once. Best, Sean Swayze On 24-Feb-08, at 10:58 PM, p1g wrote:
What am I missing here? I probably sound real dumb, but why are we mapping standards to each other? On Wed, Feb 20, 2008 at 11:49 AM, Jason P. Rusch <saltynetguru () infosec-rusch com> wrote:Does anyone have in their possession such as a excel file that directly maps PCI requirements to ISO 27001. I have several that map sp800-53 to Cobit to ISO 27001/27002, but really need a mapping PCI to ISO 27001. -- --- Sincerely Jason P. Rusch, CISSP, CISM, CISA Certified Information Security Consultant Wesley Chapel, FL 33543 saltynetguru () infosec-rusch com www.infosec-rusch.com "There is no patch for stupidity" The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.-- -p1g SnortCP, C|HFI, TNCP, TECP, NACP, A+ ,,__ o" )~ oink oink ' ' ' ' If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke
Current thread:
- Re: ISO 27001 mapping to PCI, (continued)
- Re: ISO 27001 mapping to PCI guiness.stout (Feb 21)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 22)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 22)
- RE: ISO 27001 mapping to PCI Jason P. Rusch (Feb 25)
- Message not available
- Message not available
- ISO 27001 mapping to PCI Harshal Mehta (Feb 21)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 25)
- Re: ISO 27001 mapping to PCI Mike Lococo (Feb 26)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 26)
- Re: ISO 27001 mapping to PCI PCSC Information Services (Feb 26)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 26)
- RE: ISO 27001 mapping to PCI Palmer, Mark (Feb 26)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 26)
- Re: ISO 27001 mapping to PCI W. Lee Schexnaider (Feb 26)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 27)
- Re: ISO 27001 mapping to PCI W. Lee Schexnaider (Feb 27)
- Re: ISO 27001 mapping to PCI exzactly (Feb 27)
- RE: ISO 27001 mapping to PCI Sheldon Malm (Feb 27)
- RE: ISO 27001 mapping to PCI Craig Wright (Feb 28)