Security Basics mailing list archives
Re: ISO 27001 mapping to PCI
From: "W. Lee Schexnaider" <l.schex () gmail com>
Date: Tue, 26 Feb 2008 16:38:14 -0600
Unsurprisingly, I agree with Sheldon. The problem companies are having is that the number of regulations and best practices that they have to conform to is exploding. Just think if you are a public company in California that processes health care information and has customers and partially-owned public subsidiaries in Europe, Japan and Canada. That organization and its subsidiaries have to comply with SOX, CSOX, JSOX, EuroSOX (in the future), HIPAA, California AB 1298 (health information data breach), California SB 1386 (data breach), and European privacy laws. Then you choose ITIL for service management and COBIT (or ISO) for your information security framework. And that is not counting the new Federal Rules of Civil Procedure changes for e-discovery, if you happen to be part of several lawsuits at the same time.

If a company had dedicated internal audit teams and used different standards and processes for each of these, the cost would be (and frequently is) enormous and growing. That is why having common controls mapped to these various items makes sense for your internal audits, to give proof of compliance to your external auditors. You also know that if you have a control called "password length", one technical check can apply to many different regulations and best practices, so you don't have to tie up your systems and networks by checking this multiple times for multiple internal compliance groups.

W. Lee Schexnaider, CISSP
Sr. Engineer – Compliance Content Developer
Symantec Corporation
www.symantec.com
-----------------------------------------------------
Office: 713.561.4111
5151 San Felipe
Houston, Texas 77056
Email: lee_schexnaider () symantec com
-----------------------------------------------------

On Tue, Feb 26, 2008 at 12:35 PM, Sheldon Malm <smalm () ncircle com> wrote:
I'm not going to get into a debate with you on this; I am simply stating that the preparation for audits is very different from the execution of audits. For the record, my working for a vendor in this space has nothing to do with my opinion. I spent nearly a decade with a Fortune 500 and used the same approach very effectively on the customer side.

There is sufficient overlap in the preparation stages for different standards that it makes sense to tag atomic items (controls) for reuse if they are included in multiple standards. This is really no different from a platform like .NET making reusable services available to multiple programs. Where the controls are identical, it makes no sense to do them separately, at multiple times, by multiple people, simply because they fall into different, higher-order standards.

Cheers.

Sheldon Malm
Director, Security Research & Development
nCircle Network Security
Check out the VERT daily post http://blog.ncircle.com/vert

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
Sent: Tuesday, February 26, 2008 1:14 PM
To: Sheldon Malm; Craig Wright; PCSC Information Services; p1g; Jason P. Rusch
Cc: security-basics () securityfocus com
Subject: RE: ISO 27001 mapping to PCI

Well, you are marketing a product, so I would expect such a response. The reality is that this approach is BS. Any organisation that I have seen doing this fails at least one if not both. Different systems have separate requirements. You can make an ISO 27001/2 ISMS for a PCI system, but it will not apply elsewhere and is more work than completing each one at a time.

Craig (GSE-Compliance, G7799, GPCI...)