RE: ISO 27001 mapping to PCI

["Sheldon Malm" <smalm () ncircle com>]

Absolutely disagree with your comments, Craig.  The initial question is
not about getting a single auditor to perform multiple assessments in
one step; it's about preparing for multiple, recurring audits in the
future by taking prose guidelines and standards and boiling them down to
a list of controls that can be checked for.  These controls can then be
mapped to multiple standards to address each of the assessments when
audits are taking place.

This approach is highly cost effective for businesses and is also the
process used by any automated solution worth its salt (including the one
from nCircle).  There is absolutely nothing wrong with leveraging
publicly available standards and mappings instead of re-inventing the
wheel in house.  As a matter of fact it's a best practice, and mitre has
made fantastic progress in the Windows space with this kind of exercise
for their CCE project.  


Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Wright
Sent: Monday, February 25, 2008 8:09 PM
To: 'PCSC Information Services'; p1g
Cc: Jason P. Rusch; security-basics () securityfocus com
Subject: RE: ISO 27001 mapping to PCI


Except that ISO 27001 and PCI audits are not the same and can not be
completed by the same people at the same time.

Unless the ISO 27001 accreditation is scoped to "only" systems that
collect or process payment card data, then this is moot anyway.

This is looking at compliance the wrong way. It is a reverse of what
should be considered.

Regards,
Craig Wright (GSE-Compliance)


Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497 http://www.bdo.com.au/

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential. If
you are not the named addressee you must not read, print, copy,
distribute, or use in any way this transmission or any information it
contains. If you have received this message in error, please notify the
sender by return email, destroy all copies and delete it from your
system.

Any views expressed in this message are those of the individual sender
and not necessarily endorsed by BDO Kendalls. You may not rely on this
message as advice unless subsequently confirmed by fax or letter signed
by a Partner or Director of BDO Kendalls. It is your responsibility to
scan this communication and any files attached for computer viruses and
other defects. BDO Kendalls does not accept liability for any loss or
damage however caused which may result from this communication or any
files attached. A full version of the BDO Kendalls disclaimer, and our
Privacy statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au/ or by emailing mailto:administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and
entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of PCSC Information Services
Sent: Tuesday, 26 February 2008 9:16 AM
To: p1g
Cc: Jason P. Rusch; security-basics () securityfocus com
Subject: Re: ISO 27001 mapping to PCI

p1g,

I believe that the value of mapping these standards to each other allows
for the qualification of the organization against multiple standards
without requiring a duplication of efforts. Where standards match other
standard's requirements an organization can count those steps as well.
Measure twice, cut once.


Best,

Sean Swayze

On 24-Feb-08, at 10:58 PM, p1g wrote:

> What am I missing here? I probably sound real dumb, but why are we 
> mapping standards to each other?
>
>
> On Wed, Feb 20, 2008 at 11:49 AM, Jason P. Rusch 
> <saltynetguru () infosec-rusch com> wrote:
> > Does anyone have in their possession such as a excel file that 
> > directly maps PCI requirements to ISO 27001.
> >
> > I have several that map sp800-53 to Cobit to ISO 27001/27002, but 
> > really need a mapping PCI to ISO 27001.
> >
> >
> > --
> >
> >
> > ---
> > Sincerely
> >
> > Jason P. Rusch, CISSP, CISM, CISA
> > Certified Information Security Consultant Wesley Chapel, FL 33543 
> > saltynetguru () infosec-rusch com www.infosec-rusch.com
> >
> > "There is no patch for stupidity"
> >
> > The information transmitted is intended only for the person or entity

> > to which it is addressed and may contain confidential and/or 
> > privileged material. Any review, retransmission, dissemination or 
> > other use of, or taking of any action in reliance upon, this 
> > information by persons or entities other than the intended recipient 
> > is prohibited. If you received this in error, please contact the 
> > sender and delete the material from any computer.
>
>
>
> --
> -p1g
> SnortCP, C|HFI, TNCP, TECP, NACP, A+
>  ,,__
> o"     )~  oink oink
>   ' ' ' '
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke