| Main Archive Page > Month Archives > security-basics archives |
RE: ISO 27001 mapping to PCI
From: Sheldon Malm <smalm_at_nospam>Date: Tue Feb 26 2008 - 18:35:19 GMT
To: "Craig Wright" <Craig.Wright@bdo.com.au>, "PCSC Information Services" <info@pcsage.biz>, "p1g" <killfactory@gmail.com>, "Jason P. Rusch" <saltynetguru@infosec-rusch.com>
I'm not going to get into a debate with you on this - simply stating
that the preparation for audits is very different than the execution of
audits. For the record, my working for a vendor in this space has
nothing to do with my opinion. I spent nearly a decade with a Fortune
500, and used the same approach very effectively on the customer side.
There is sufficient overlap in the preparation stages for different standards that it makes sense to tag atomic items (controls) if they are included in multiple standards for reuse. This is really no different than a platform like .NET making reusable services available to multiple programs. Where the controls are identical, it makes no sense to do them separately and at multiple times by multiple people simply because they fall into different, higher-order standards.
Cheers.
Sheldon Malm
Director
Security Research & Development
nCircle Network Security
Check out the VERT daily post
http://blog.ncircle.com/vert
-----Original Message-----
From: Craig Wright [mailto:Craig.Wright@bdo.com.au]
Sent: Tuesday, February 26, 2008 1:14 PM
To: Sheldon Malm; Craig Wright; PCSC Information Services; p1g; Jason P.
Rusch
Cc: security-basics@securityfocus.com
Subject: RE: ISO 27001 mapping to PCI
Well you are marketing a product So I would expect Such a response.
The reality is that this approach is BS. Any organisation that I have seen doing this Fails @ least one if not both.
Different systems have Separate requirements. You Can make an ISO 27001/2 ISMS for a PCI system -but it will not apply elsewhere and is more work then Completing each one at a time.
Craig (GSE-Compliance,G7799,GPCI...)
-----Original Message-----
From: "Sheldon Malm" <smalm@ncircle.com>
To: "Craig Wright" <Craig.Wright@bdo.com.au>; "PCSC Information
Services" <info@pcsage.biz>; "p1g" <killfactory@gmail.com>; "Jason P.
Rusch" <saltynetguru@infosec-rusch.com>
Cc: "security-basics@securityfocus.com"
<security-basics@securityfocus.com>
Sent: 27/02/08 2:56 AM
Subject: RE: ISO 27001 mapping to PCI
Absolutely disagree with your comments, Craig. The initial question is not about getting a single auditor to perform multiple assessments in one step; it's about preparing for multiple, recurring audits in the future by taking prose guidelines and standards and boiling them down to a list of controls that can be checked for. These controls can then be mapped to multiple standards to address each of the assessments when audits are taking place.
This approach is highly cost effective for businesses and is also the process used by any automated solution worth its salt (including the one from nCircle). There is absolutely nothing wrong with leveraging publicly available standards and mappings instead of re-inventing the wheel in house. As a matter of fact it's a best practice, and mitre has made fantastic progress in the Windows space with this kind of exercise for their CCE project.
Sheldon Malm
Director
Security Research & Development
nCircle Network Security
Check out the VERT daily post
http://blog.ncircle.com/vert
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Craig Wright
Sent: Monday, February 25, 2008 8:09 PM
To: 'PCSC Information Services'; p1g
Cc: Jason P. Rusch; security-basics@securityfocus.com
Subject: RE: ISO 27001 mapping to PCI
Except that ISO 27001 and PCI audits are not the same and can not be completed by the same people at the same time.
Unless the ISO 27001 accreditation is scoped to "only" systems that collect or process payment card data, then this is moot anyway.
This is looking at compliance the wrong way. It is a reverse of what should be considered.
Regards,
Craig Wright (GSE-Compliance)
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497 http://www.bdo.com.au/
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.
The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.
Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator_at_bdo.com.au.
BDO Kendalls is a national association of separate partnerships and entities.
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of PCSC Information Services
Sent: Tuesday, 26 February 2008 9:16 AM
To: p1g
Cc: Jason P. Rusch; security-basics@securityfocus.com
Subject: Re: ISO 27001 mapping to PCI
p1g,
I believe that the value of mapping these standards to each other allows for the qualification of the organization against multiple standards without requiring a duplication of efforts. Where standards match other standard's requirements an organization can count those steps as well. Measure twice, cut once.
Best,
Sean Swayze
On 24-Feb-08, at 10:58 PM, p1g wrote:
> What am I missing here? I probably sound real dumb, but why are we
> mapping standards to each other?
>
>
> On Wed, Feb 20, 2008 at 11:49 AM, Jason P. Rusch
> <saltynetguru@infosec-rusch.com> wrote:
>> Does anyone have in their possession such as a excel file that
>> directly maps PCI requirements to ISO 27001.
>>
>> I have several that map sp800-53 to Cobit to ISO 27001/27002, but
>> really need a mapping PCI to ISO 27001.
>>
>>
>> --
>>
>>
>> ---
>> Sincerely
>>
>> Jason P. Rusch, CISSP, CISM, CISA
>> Certified Information Security Consultant Wesley Chapel, FL 33543
>> saltynetguru@infosec-rusch.com www.infosec-rusch.com
>>
>> "There is no patch for stupidity"
>>
>> The information transmitted is intended only for the person or entity
>> to which it is addressed and may contain confidential and/or
>> privileged material. Any review, retransmission, dissemination or
>> other use of, or taking of any action in reliance upon, this
>> information by persons or entities other than the intended recipient
>> is prohibited. If you received this in error, please contact the
>> sender and delete the material from any computer.
>>
>
>
>
> --
> -p1g
> SnortCP, C|HFI, TNCP, TECP, NACP, A+
> ,,__
> o" )~ oink oink
> ' ' ' '
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke