
    PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences

    If you are asking what ISO 27001, PCI-DSS, and information security are, now is the time to learn. First of all, I recommend that you read this article: What is ISO 27001? Basically, there are many standards in information security, but two that have special relevance because of their scope and their international impact are ISO 27001 and PCI-DSS. In this article we will see a general description and the structure of each one.

    PCI-DSS or ISO 27001?

    It is possible that many organizations have this question in mind, and the answer will obviously depend on the needs of each business. Anyway, let’s look at them:

    • ISO 27001 is an international standard, with worldwide recognition, which lays down the requirements for the establishment of an information security management system. It applies to any type of organization, and its implementation and certification are optional, so it is not mandatory for a company.
    • PCI-DSS is a data security standard for the payment card industry, and it applies only to companies that process, store, or transmit credit card data. For these companies, compliance with the standard is obligatory, though depending on the volume of cards processed, different requirements or obligations may apply.

    One of the more important things that ISO 27001 has, and PCI-DSS does not have, is the PDCA cycle (Plan, Do, Check, Act), which is established in any management system based on ISO standards. Therefore, keep in mind that ISO 27001 is better for those organizations that already have a management system and want to supplement it with information security (or that do not have a management system and want one to protect their information), while PCI-DSS is most suitable, and mandatory, for those organizations that work with credit cards.

    Structure of PCI-DSS

    PCI-DSS consists of 13 groups of controls (12 requirements + 1 annex), and more than 200 controls that are focused on the security of credit card data:

    • Requirement 1: Install and maintain firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
    • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
    • Requirement 6: Develop and maintain secure systems and applications
    • Requirement 7: Restrict access to cardholder data by business need to know
    • Requirement 8: Identify and authenticate access to system components
    • Requirement 9: Restrict physical access to cardholder data
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
    • Requirement 12: Maintain a policy that addresses information security for all personnel
    • Requirement A.1: Shared hosting providers must protect the cardholder data environment

    The content of this standard consists of 112 pages, is freely available, and can be consulted / downloaded from the official website of the PCI Security Standards Council. The document indicates the requirements and provides guidance on how to comply with them.

    Similarities and differences

    On the other hand, ISO 27001 consists of 11 clauses (starting at 0 and ending at 10) that are related to the management system, and it also has 13 groups of controls and 114 generic security controls that can be applied to any type of organization. Read this article to get an overview of the security controls: An overview of ISO 27001:2013 Annex A. Many of these controls have similarities with PCI-DSS:

    • A.5 Information Security policies (is related to requirement 12 of PCI-DSS)
    • A.6 Organization of information security (is related to requirement 12 of PCI-DSS)
    • A.7 Human resource security (is related to requirement 12 of PCI-DSS)
    • A.8 Asset management (is related to requirement 12 of PCI-DSS)
    • A.9 Access control (is related to requirement 7 of PCI-DSS)
    • A.10 Cryptography (is related to requirement 4 of PCI-DSS)
    • A.11 Physical and environmental security (is related to requirement 9 of PCI-DSS)
    • A.12 Operations security (is related to requirements 1, 5, 10, and 11 of PCI-DSS)
    • A.13 Communications security (is related to requirement 4 of PCI-DSS)
    • A.14 System acquisition, development and maintenance (is related to requirement 6 of PCI-DSS)
    • A.15 Supplier relationships
    • A.16 Information security incident management
    • A.17 Information security aspects of business continuity management
    • A.18 Compliance

    The content of this standard consists of 30 pages, and it is available from the main page of ISO, but you need to pay for it. The document only indicates the requirements; if you want to know how you can comply with them, another standard is necessary: ISO 27002, which is a code of best practices.

    How to use them?

    So, as you can see, there are many similarities between both standards, and they bring complementary strengths: the continuous improvement of ISO 27001, the best general security controls of ISO 27002, and the best security controls regarding credit cards in PCI-DSS. There are many companies that are working with both standards, using the advantages of both of them, and providing services to their customers with the best security. So, keeping in mind that they complement each other very well, and that for an acceptable effort you gain a lot, maybe it’s a good idea to consider implementing both of them.

    To learn how to implement ISO 27001, see this free ISO 27001 Lead Implementer Online Course.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.