Security Basics mailing list archives

Re: RE: ISO 27001 mapping to PCI


From: "W. Lee Schexnaider" <l.schex () gmail com>
Date: Wed, 27 Feb 2008 16:24:19 -0600

evilwon12 said:

 I will conclude by stating that I have yet to see any two standards (SOX, PCI, HIPAA, etc...) where there is a 
direct 1-1 mapping of policies/procedures.  There has always been something that was applicable *only* to those machines 
that were defined as being in the scope of the standard.

Yes, this is correct.  One part of the work I do is attach a text
"extension" to a link between the section of a standard and the common
control statement.  The control statements tend to be written at a
high level. The extension is where we put details about the control in
the standard. But the linking to a common control set helps to produce
a cross-standard view of compliance for an organization.

Lee

On 27 Feb 2008 16:45:20 -0000, <evilwon12 () yahoo com> wrote:
Hopefully there is just some miscommunication here.  I agree with Craig that you just cannot map a control in 
SOX/HIPAA/ISO 27001 to a control in PCI and be done with it.  If it were that simple, I'd have a lot more free time to 
do things that I consider more interesting.


 However, one can take a policy/standard/procedure for SOX/HIPAA/etc... and ensure that it effectively covers the PCI 
requirements as well (take having a security policy).  Thus, hopefully, one ends up with 1 policy/standard/procedure to 
encompass everything.   I think/hope this is what Sheldon was talking about.


 Last, I agree with Craig that scope is vital to audits.  Who cares what policies one has in place if the scope does 
not cover the right areas?  If you are only taking CC data through a web-based application, and are not storing any CC 
data, does an HR laptop really fall under the PCI scope?  Does that web server fall under HIPAA?


 There is no "magic" mapping button.  Some things can be utilized across multiple audits, but without a well defined 
scope, any audit is destined for problems.


 I will conclude by stating that I have yet to see any two standards (SOX, PCI, HIPAA, etc...) where there is a 
direct 1-1 mapping of policies/procedures.  There has always been something that was applicable *only* to those machines 
that were defined as being in the scope of the standard.
