If your organization is considering initiating a compliance process, it is very likely that for some PCI DSS immediately comes to mind and for others it might be ISO 27001. The objective for both standards is to secure and manage company information, but they do so in different ways and to different extents. But, the controls and the documentation for these standards are very similar.
What is ISO 27001?
It is an international standard that sets requirements for running and maintaining an Information Security Management System (ISMS). This standard is very general and can be applied to ANY organization. It is not prescriptive, which makes it very flexible for fitting in with your current security policy and organization. ISO 27001 is governed by the International Organization for Standardization and it is audited by certification associations. As a side note, ISO is derived from the Greek isos, meaning equal and is not an acronym, since it would be different for different languages.
And, what is PCI DSS?
This mandatory standard applies to an organization that handles, processes, transmits and/or stores credit card data, generally called card data. The compliance level is based on volume of transactions. Requirements and obligations are according to business nature. PCI DSS is governed by the PCI Security Standards Council (PCI SSC), which includes MasterCard, Visa, JCB, Discover and American Express. A PCI-DSS audit is performed by a Qualified Secur
ity Assessor (QSA), who must work for a company approved by the PCI SSC.
How do PCI DSS and ISO 27001 compare?
Both PCI DSS and ISO 27001 are organized in sets of requirements with annexes. PCI DSS has 12 sets of requirements, one annex and about 250 controls based on securing card data. For ISO 27001, there are 11 sets of requirements with one annex and 114 controls based on planning, implementing, running, monitoring, and improving an ISMS.
PCI DSS is widely available and free to download. On the other hand you have to pay to get hold of the ISO 27001 standard, which I personally don’t like .
So, which one is best for my company and where should I begin?
If you are starting from scratch and if your company is not a part of card data processing in any way, then ISO 27001 will be the way to start and build an ISMS. You need to design your information security policy based on the PDCA (Plan, Do, Check and Act) model to apply concrete risk handling with a proper scope.
If your organization is planning to handle card data, then PCI DSS it is, which was exactly the case in my career . Having proper scope of your card data environment with a solid information security policy is the way to start your path toward compliance. This to later be complemented with risk assessment, gap analysis along with different obligations and controls.
Should I have both?
Yes. If your company today is ISO 27001 compliant my educated guess is that you are already 50% done with the PCI DSS compliance process and both are a huge help in going for GDPR too.
Most of the controls and risk assessment methodology in ISO 27001 complement and support PCI DSS and both standards have requirements that are very easy to integrate. In a perfect world, your company will have both certifications, which will help you and your company achieve smooth and secure ISMS and operations.