CHAPTER 11: THE PCI DSS AND ISO/IEC 27001

ISO/IEC 27001 is the international information security management standard that more and more organisations are using to ensure that their information security management meets the data protection and compliance requirements of a wide variety of legislation, including EU Data Protection Acts and Privacy Directives, HIPAA, the GLBA and others.

While the PCI DSS was not written to map specifically to ISO 27001 or to any other existing framework, it sits clearly within the ISO 27001 framework, and organisations that have implemented an ISO 27001 information security management system (ISMS) should be able, with minor additional work, to also demonstrate their conformance with the PCI DSS. The individual controls set out in detail inside the PCI DSS can be mapped to the controls and clauses of ISO 27001 (primarily to Annex A, the list of information security controls).

It certainly makes sense for any organisation that is pursuing either ISO 27001 or PCI DSS compliance, and has both payment card data and other confidential data (whether personally identifiable information – sometimes known as ‘PID’) or other commercial information to protect, to tackle the requirements of the PCI DSS from within the ISO 27001 framework.