CALL US +1 (646) 759 9933

ISO 27001/ISO 22301 Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences

If you are asking what are ISO 27001, PCI-DSS, and information security, now is the time to learn. First of all, I recommend that you read this article: What is ISO 27001?. Basically, there are many standards in information security, but two that have special relevance for their scope and for their international impact are ISO 27001 and PCI-DSS. In this article we will see a general description and structure of each one.

PCI-DSS or ISO 27001?

It is possible that many organizations have this question in mind, and the answer will obviously depend on the needs of each business. Anyway, let’s see them:

  • ISO 27001 is an international standard, with worldwide recognition, which lays down the requirements for the establishment of an information security management system. It applies to any type of organization, and their implementation and certification is optional, so it is not mandatory for a company.
  • PCI-DSS is a standard of data security for the credit card industry, and applies only to companies that process, store, or transmit credit card data. For these companies, compliance with the standard is obligatory, though depending on the volume of cards processed, different requirements or obligations may apply.

One of the more important things that ISO 27001 has, and PCI-DSS does not have, is the PDCA (Plan, Do, Check, Act), which is established in any management system based on ISO. Therefore, keep in mind that ISO 27001 is better for those organizations where there is already a management system, and that want to supplement it with the security of the information (or do not have a management system and want it to protect the information), while PCI-DSS is most suitable, and mandatory, for those organizations that work with credit cards.

Structure of PCI-DSS

PCI-DSS consists of 13 groups of controls (12 requirements + 1 annex), and more than 200 controls that are focused on the security of the data of credit cards:

  • Requirement 1: Install and maintain firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict Access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate Access to system components
  • Requirement 9: Restrict physical Access to cardholder data
  • Requirement 10: Track and monitor all Access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel
  • Requirement A.1: Shared hosting providers must protect the cardholder data environment

The content of this standard consists of 112 pages, is freely available, and can be consulted / downloaded from the official website of the PCI Security Standard Council. The document indicates the requirements and provides a guide to comply with them.

Similarities and differences

On the other hand, ISO 27001 consists of 11 clauses (starting at 0 and ending at 10) that are related with the management system, and also has 13 groups of controls and 114 generic security controls that can be applied to any type of organization. Read this article to get an overview of the security controls: An overview of ISO 27001:2013 Annex A. Many of these controls have similarities with PCI-DSS:

  • A.5 Information Security policies (is related to requirement 12 of PCI-DSS)
  • A.6 Organization of information security (is related to requirement 12 of PCI-DSS)
  • A.7 Human resource security (is related to requirement 12 of PCI-DSS)
  • A.8 Asset management (is related to requirement 12 of PCI-DSS)
  • A.9 Access control (is related to requirement 7 of PCI-DSS)
  • A.10 Cryptography (is related to requirement 4 of PCI-DSS)
  • A.11 Physical and environmental security (is related to requirement 9 of PCI-DSS)
  • A.12 Operations security (is related to requirements 1, 5, 10, and 11 of PCI-DSS)
  • A.13 Communications security (is related to requirement 4 of PCI-DSS)
  • A.14 System acquisition, development and maintenance (is related to requirement 6 of PCI-DSS)
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Information security aspects of business continuity management
  • A.18 Compliance

The content of this standard consists of 30 pages, and is available from the main page of ISO, but you need to pay for it. The document only indicates the requirements, but if you want to know how you can comply with them, another standard is necessary: ISO 27002, which is a code of best practices.

How to use them?

So, as you can see, there are many similarities between both standards, for example the continuous improvement of ISO 27001, i.e., the best general security controls of ISO 27002, and the best security controls regarding credit cards in PCI-DSS. There are many companies that are working with both standards using the advantages of both of them, and giving services to their customer with the best security. So, having in mind that they complement each other very well, and that for an acceptable effort you gain a lot, maybe it’s a good idea to consider implementation of both of them.

To learn how to implement ISO 27001, see this free ISO 27001 Lead Implementer Online Course.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

4 responses to “PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences”

  1. Hanuma Sateesh says:

    Like stage 1 and stage 2 audits in ISO standards are there any stages in PCIDSS certification

  2. Antonio Segovia says:

    Dear Hanuma, in PCI-DSS there is no stage 1 and stage 2 like ISO audits

  3. salaheddin shtewi says:

    regarding to certification, what we need to be certified against PCI DSS?

    • Antonio Segovia says:

      Basically your organization needs to comply with all requirements defined by PCI-DSS, and these requirements are referenced in the section “Structure of PCI-DSS” of this article, although you should see the standard for more detailed information of each requirement.

Leave a Reply

Your email address will not be published. Required fields are marked *

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera


Upcoming free webinar
How to integrate GDPR with ISO 27001
Wednesday – September 25, 2019



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.