This month's topic is about the value and differences between the ISO 17799 and PCI DSS information security standards.
I have been in many heated discussions with colleagues lately on if securing their organization should be their primary goal, or if regulatory compliance occupies all their resources and thus is now driving security. My thoughts on compliance are that it should be a way of measuring the effectiveness of established processes, and not in defining its requirements. As you dig just below the surface, you find that the ISO and PCI control sets are often pitched at different levels. There are overlap, subsets and disconnects between them and other surprises that require analysis and understanding of both. Although they both require security management, policies and procedures, network architecture, software architecture and other protective measures, they both have their distinct idiosyncrasies.
PCI DSS is required of certain market segments but is not international, nor accredited through the national bodies. It is a product of the credit card industry, and now "owned" through the PCI Security Standards Council, which allows VISA USA to manage the overall audit programs. As a standard, the ISO is the only internationally recognized information security standard. With PCI, because of the operating rules of the associations, conformance is required or you could face fines or operating restrictions. ISO standards are voluntary and are the choice of your organization, even if you have taken the time and effort to be compliant with them. The ISO is focused on establishing Control Objectives, and is more geared towards the management level. PCI incorporates a blend of Control Objectives and Controls and functions at a different level for the most part. Both of these standards are aiming for the same thing goal, the "best current practices" mantra.
In my professional opinion, a more comprehensive consideration would be to use both the ISO and PCI standards as part of an ISO 27001 ISMS guideline to conform with both standards through a certification process. An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security. In a properly developed and implemented ISO 27001 ISMS you are required to identify all your relevant legal and regulatory requirements. A strong ISMS helps people understand the What, When, Why and Where questions, and gives visibility to the fact that the controls are in place, being managed, and provides measurement. The ISO standard should be used to formalize some proper security management processes that probably have not really existed in the past. Compliance may provide an illusion of security to those that do not understand the complexities of securing the digital business world, but it should not be the end goal.
There you have it. There is an upshot to the time we spend satisfying regulatory bodies. We are building trust with upper management in our security talents and delivery capabilities as a result of being on the boardroom agenda. Not a bad thing to have, right? The key is how do we capitalize on this when we have achieved our compliance objectives? It is critical that we recognize that every problem is an opportunity in disguise. If you monitor your environment and its controls, you can more easily demonstrate compliance with both standards.
To respond to this or previous newsletters or to inquire about an on-site
presentation, please feel free to call us at 508-995-4933 or email us at
Founder & Principal Consultant
We Manage Risk, So You Can Manage Your Business
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers
Computers make it easier to do a lot of things, but most of the things they make it easier to do don't need to be done. (Andy Rooney)