Chapter 10: Pci Dss And Iso27001 – PCI DSS: A Practical Guide to implementing and maintaining compliance, Third Edition

CHAPTER 10: PCI DSS AND ISO27001

The Payment Card Industry Data Security Standard (PCI DSS) isn’t dramatically different to the requirements of the Best Practice Security Standard – ISO27001, except that PCI doesn’t mention any of the prerequisites required for a management framework, e.g. management commitment and ongoing improvement plans, whereas ISO27001 leaves alone a lot of the detail around how controls are actually implemented. So, therefore, one could be forgiven for believing that MasterCard and Visa assumed PCI would be additional security requirements to sit on top of an already established information security management system (ISMS).

There is no getting away from the fact that this is good news for industry as a whole. Any new baseline security standard that helps measure the security of systems is good news. For example, making sure that firewalls are only passing traffic on accepted and approved ports, ensuring that servers are running only those services that really need to be live and validating that databases aren’t configured with vendor supplied defaults.

The problem is, like with any baseline standard, that it is only as good as the implementation and herein lays a dilemma. ISO27001 has deliberately moved away from specifying or dictating too many detailed controls (133 in ISO27001, but over 200 in PCI), as it did not want it to become a simple tick box exercise. ISO27001 stipulates that an entity should ensure any control to be implemented should reflect the level of risk (or vulnerability), that could cause unnecessary pain should it not be addressed.

PCI does necessitate conducting a formal risk assessment (see section 12.1.2), but how flexible would a certified third-party auditor be during the audits? Would he/she agree with the entity that the risks acceptable to one entity were deemed unacceptable to another (depending upon the risk appetite of the entities)?

PCI and ISO27001 – the comparisons

In contrast to the PCI framework, the ISO27001 Standard is more flexible in terms of scope, controls, compliance and enforcement. As an internationally recognised best practice standard, ISO27001 is designed to apply to a wide variety of entities across numerous industries. It is regarded as the de facto information security standard by many entities where information security is a strict requirement; although compliance is voluntary. Many entities that choose to certify to the Standard often do so for purposes of due diligence or partner confidence.

When properly applied, ISO27001 is based around a flow of information, which makes up what the Standard defines as a system or business process. The entity defines the systems to be certified and sets up an information security management system (ISMS) around the relevant area of business, which is then defined as the scope. Subsequently, the entity fully documents the scope, creates a detailed asset inventory and performs a formal risk assessment on those assets. The results of the risk assessment lead the entity to the control clauses of the Standard and they choose those that best address the risks to the environment. The selected controls are then documented in its statement of applicability (SOA) and mapped back to the risk assessment.

PCI DSS requirements or controls are mandatory – if an entity wants to comply with PCI DSS, then it must comply with every requirement laid out in the Standard. In contrast, ISO27001 controls are suggested controls, and each entity has the flexibility to decide which controls it wants to implement dependent upon the risk appetite of the entity.

Compared to ISO27001 requirements, PCI DSS controls are much more specific. This granularity should, in theory, make auditing of PCI DSS easier than ISO27001, but, conversely, the specific controls required for PCI DSS remove a certain amount of flexibility and could make compliance more difficult to achieve.

Figure 15 – PCI and ISO27001 characteristic table

Characteristic

PCI DSS

ISO27001

Implementation of controls

Mandatory

Based on risk assessment

Degree of granularity

High

Low

Degree of flexibility

Low

High

Management of systems

Low contribution

Considerable contribution

Analysis of the two standards shows that there are gaps between PCI DSS and ISO27001, but these gaps do not mean that an ISO27001 information security programme is unable to meet PCI DSS requirements or vice versa. What they do show is that whilst ISO27001 may have a similar type of control on the PCI-related system, the control is unlikely to have the granularity required by PCI DSS. Detailed planning when considering ISO27001 certification could allow an entity to meet both standards with a single implementation effort.

The two standards have very different compliance requirements. Generally, ISO27001 provides guidance to an entity in implementing and managing an information security programme and management system, whereas PCI DSS focuses on specific components of the implementation and status of ‘applicable’ controls, apart from what is regarded as ‘compensating controls’ i.e. existing controls can be used, providing there is risk justification.

Most entities which have implemented an ISO27001 information security management system do not have to invite external third parties to validate that they are operating within the realms of a compliant ISMS. However, anyone claiming to be compliant to ISO27001 now has to address all the requirements of the clauses 4-8 found in ISO27001, which define the information security management system i.e. risk assessment and methodology, audit schedule, effective measurements and SOA.

This effectively means that ISO27001 is now more focused on implementing controls based on risk, and ensuring that monitoring and improving the risks facing the business are improved, as opposed to simply stipulating which of these were ‘not applicable’ under the old Standard BS7799, or ISO17799/ISO27002. Therefore, irrespective of whether they are claiming to be compliant or certificated to ISO27001 (ISO17799/ISO27002) this is now a mandatory requirement; and therefore aligns itself more to PCI DSS.

In addition, whilst ISO27001 is more focused on control objectives, PCI DSS has a blend of control objectives and controls specific to the Standard. However, most PCI DSS requirements are covered by ISO27001 – only lacking specific implementation details in certain areas. Using ISO27001 as a means to meet compliance targets could be regarded as an appropriate methodology to meet requirements of the PCI framework. However, in order to attain PCI DSS compliance an entity’s ISMS must address the specific granular requirements and follow the PCI requirements exactly.

Once again, ISO27001 (A.15.3.1) overlaps with the well-defined audit regime for PCI DSS, with ISO27001 ‘Control A.15.2.2 – Technical compliance checking’ specifically requiring annual penetration tests to be conducted. In contrast to PCI DSS, additional mandatory requirements within ISO27001 ‘Compliance Section’ (A.15) also require entities to ensure ongoing compliance with appropriate legislative, regulative and contractual requirements. This effectively means that two security standards complement each other when it comes to audit and compliance.

Figure 16 – High level PCI to ISO27001 mapping table

From this simple illustration you can see that most of the PCI controls focus around the three ISO27001 sections (A.10, A.11 and A.12), which address the technical elements of data security: A.10 – Communications and operations management, dealing with all aspect of change control, anti- virus, back-up and monitoring; A.11 – Access control, dealing with all aspects of user ID management, network access, operating systems and remote working; and finally A.12 – Information systems acquisition, development and maintenance, dealing with all aspects of technical design specifications, input/output data validation, patch Management, cryptography and application development generally.

This however, confirms the view that less focus is given to ‘management aspects’ or, put another way, less time is spent on ensuring the ongoing improvement and management elements of a ISO27001 compliant ISMS (as you might expect) are required.

If a properly developed and implemented ISMS is in place; with full documentation and working processes, it can result in a comprehensive security management approach and will give visibility to the fact that the controls are in place and are being managed and measured. Provided the ISO27001 methodology is implemented correctly (clause sections) with the emphasis on specific details pertinent to both standards, this approach should meet all the relevant regulatory and legal requirements and prepare any entity for future compliance and regulatory challenges.

Whilst these important technical sections are dealt with more than adequately within PCI DSS, the ‘mandatory’ requirements of ISO27001 ISMS, namely the clause sections and A.5 – Security policy, A6 – Security entity (third parties), A13 – Security incident management/Crisis management, A14 – Business continuity and disaster recovery (BS25999) and A.15 – Audit and compliance are only referred to briefly within PCI DSS. However, at the same time, this does once again demonstrate the close relationship between the two Standards and, therefore, enforces the message that ISO27001 can help an entity achieve and manage a PCI DSS environment and vice versa but also underlines the original point that it appears that PCI DSS was designed to simply fit onto an existing ISO27001 based ISMS. In conclusion, PCI DSS is a great technical standard, but still needs an information security management system to manage, monitor and improve it!