Recently we have noticed that a large number of our customers are using our risk management software for both the ISO 27001 and PCI DSS standards. This trend started to pick up last summer and increased dramatically at the beginning of this year, which makes sense, as both standards received a recent refresh. The ISO 27001:2013 revision of the 2005 version was released in October last year, and PCI DSS 3.0 was released in November but went into effect on January 1st, 2014.
Why do organizations want to comply with both standards?
The PCI DSS is accepted across North America and Europe, with mandatory compliance for all organizations or merchants, including e-commerce sites and retailers, that process cardholder information from debit, credit, prepaid, e-purse, ATM and POS cards. Every operating level of the organization that handles payment card data is required to comply with all of the Data Security Standard's requirements, which impose a high degree of system separation and allow very little flexibility.
ISO 27001 is internationally recognized for information security management, and compliance is voluntary; however, the current trend indicates that an increasing number of organizations are choosing to do business with companies that hold the certification over those that don't. The entire organization is required to meet the standard for complete compliance, but the new revision allows a higher degree of flexibility.
The PCI DSS requirements can be viewed as a subset of the information security management system pertaining to cardholder data, and thus align with the ISO 27001 recommendations. Implementing both PCI DSS and ISO 27001 lets the organization support multiple regulations through a unified framework optimized for data protection. The revision to PCI DSS 3.0 includes increased security requirements for networks and firewalls as well as for antivirus and malware protection. It adds physical security upgrades, specifically restricting access to stored sensitive data, and authorization levels that can be immediately revoked. Regular testing of security systems and processes, such as penetration testing, data encryption, and response procedures in the event of a security breach, is now mandatory. So is maintaining a policy that addresses information security for all personnel, including annual risk assessments, and keeping a record of which PCI DSS requirements are managed by each service provider and which by the organization itself.
All of these enhanced security measures are directly supported by the ISO 27001 recommendations and the controls outlined in ISO 27002. The news from this past holiday season regarding the security breaches at major US retailers, and the recent demise of the once mighty Mt. Gox Bitcoin exchange, indicate the absolute need for the highest levels of security for data protection. The extra effort will be rewarded by valued customers choosing to support your business based on your protection of their personal data.
Risk Management Studio is a dynamic software application designed to simplify the risk management process in organizations of all types and sizes. We have successfully assisted our customers in achieving certification against both the PCI DSS and ISO 27001 standards using RM Studio. You can request a free trial or a free live product demonstration.
We are interested in your thoughts or ideas about integrating PCI DSS with ISO 27001 as a single framework for information security risk management. Comment or send us an email at firstname.lastname@example.org.