ISO 27001 VS. PCI DSS

Lakshika Sammani Chandradeva
3 min read · Feb 2, 2020


What is ISO 27001?

ISO/IEC 27001 is the internationally recognized framework for an Information Security Management System (ISMS). An ISMS is a systematic approach to managing an organization's sensitive information in order to reduce the risk to that information. An ISMS covers people, processes and IT systems and is driven by a risk management process. The standard specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS. It can be applied to any organization in any sector, regardless of the organization's size. The latest version of the standard is ISO/IEC 27001:2013.

Structure of ISO/IEC 27001:2013 standard

ISO/IEC 27001:2013 has the following sections:

Controls of ISO/IEC 27001:2013

The controls are listed below:

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that was introduced to reduce card-related fraud by protecting cardholder data. The standard is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was created jointly by four major credit-card companies: Visa, MasterCard, Discover, and American Express. PCI DSS defines six main goals that must be achieved in order to obtain PCI DSS compliance certification, and those six goals are broken down into 12 requirements that must be fulfilled to gain the certification. The latest version of the standard is PCI DSS v3.2.1.

PCI DSS defines four compliance levels, and each organization falls into one of them based on its annual transaction volume.

  1. Level 1: Organizations that process more than 6 million transactions annually.
  2. Level 2: Organizations that process between 1 and 6 million transactions annually.
  3. Level 3: Organizations that process between 20,000 and 1 million digital transactions annually.
  4. Level 4: Organizations that process fewer than 20,000 digital transactions or up to 1 million transactions annually.

Goals and Requirements of PCI DSS

The six goals and the 12 requirements that must be fulfilled in order to obtain PCI DSS certification are listed below:

High-level mapping of PCI DSS vs. ISO 27001

Isaca.org. (2020). Comparison of PCI DSS and ISO/IEC 27001 Standards. [online] Available at: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-1/comparison-of-pci-dss-and-isoiec-27001-standards [Accessed 2 Feb. 2020].

ISO 27001 can serve as the starting point for a PCI DSS implementation in an organization.

Infosecurityeurope.com. (2020). [online] Available at: https://www.infosecurityeurope.com/__novadocuments/21602 [Accessed 2 Feb. 2020].
