
PCI-DSS vs. ISO 27001 Part 2 – Implementation and Certification

ISO 27001, which establishes an Information Security Management System (ISMS), is related to information security in general. PCI-DSS is also related to information security, but its focus is on the credit card industry. The main question of many companies is: Can we use them together? Are they compatible? Let’s see!

By the way, I recommend that you read my first article about PCI-DSS and ISO 27001: PCI-DSS vs. ISO 27001 Part 1 – Similarities and Differences.


Yes, we can implement ISO 27001 and PCI-DSS in the same organization without any problem.

Integrating both standards can be a great point of differentiation: on the one hand we have a management system, and on the other hand we have generic security controls, plus specific controls for credit card environments. In addition, since many controls of both standards are similar, the integration will be simple.

Therefore, if you work with credit card data and also want to have a management system to plan, implement, review and improve security controls, then it can be a good opportunity for your organization to work with PCI-DSS and ISO 27001 together.

Certification schemes

One important thing after the implementation of these standards is their certification. The certification schemes of the two standards are completely different. ISO 27001 depends on the International Standard Organization (ISO, composed of members from all over the world), and it is audited by certification bodies that have to be accredited by national accreditation bodies. The auditors, in turn, must be qualified by each certification body.

In the case of PCI-DSS, there is the central forum PCI Security Standards Council (PCI-SSC), which comprises the five most important payment process entities: Visa, MasterCard, American Express, Discover Financial Services, and JCB International. But, in this case, PCI-SSC does not manage the compliance with the PCI-DSS standard; it must be done by each brand directly. This means that there is an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or a Self-Assessment Questionnaire (SAQ) for companies handling smaller values. And, it’s important to note here: To be a QSA you must work with a company approved by PCI-SSC.

What comes first?

If there is nothing implemented in your organization, it is better to start with the Management System of ISO 27001, because with this you can manage both standards through a single integrated system. So, in this case:

  1. Define the scope of the ISO 27001 ISMS.
  2. Implement the PDCA cycle and the Risk Assessment (the Risk Assessment is a common requisite between ISO 27001 and PCI-DSS).
  3. Implement the Risk Treatment (with the generic security controls).
  4. Implement the security controls related to credit cards.

Remember the structure of the controls of Annex A of ISO 27001 and the structure of PCI-DSS, which I discussed in the article linked at the beginning of this article.

Here it is also important to integrate the scope of both standards, so it is recommended that when you define the scope of ISO 27001, you keep in mind all systems and processes related to the credit card environment.

Alternatively, I think that if your organization has another ISO management system (for example, ISO 9001), you could also use the PDCA cycle for the management of the security controls of PCI-DSS.

Since PCI-DSS and ISO 27001 have similar security controls, you can integrate them in your company with the basis of the PDCA cycle, which will give your organization a continuous improvement model, and also help your organization to manage generic security controls, including specific security controls for credit cards.

To learn how to implement ISO 27001, see this free ISO 27001 Lead Implementer Online Course.


Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera

