One of the great challenges facing IT professionals is how to navigate the sea of regulatory compliance requirements, industry standards, and the many security and IT operational best-practice frameworks.
A recent post on SearchSecurity.com by Richard Mackey did a great job of comparing the value of ISO 27002 to PCI DSS compliance specifically.
As you likely know, the PCI Data Security Standard (PCI DSS) is a set of 12 requirements, broken into several hundred sub-requirements, written by the PCI Security Standards Council on behalf of the major payment card brands. All organizations that store, process, or transmit cardholder data are required to provide varying levels of proof of their compliance with the Standard, depending on their transaction volume and how they handle card data.
ISO/IEC 27002, formerly numbered ISO/IEC 17799, is a code of practice for information security controls. As Mackey states, "it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations."
Mackey shares two specific benefits of applying a standard like ISO 27002 to a requirement set like PCI DSS. "First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program."
Conversely, Mackey states that one of the advantages a prescriptive standard like PCI DSS adds to the ISO framework is that it helps organizations "define three of the most challenging aspects of ISO compliance: scope of compliance, data classification and data handling."
Mackey concludes by saying, "The beauty of using the ISO standard with specific regulations is that the regulations fill in the necessary details that the framework lacks while the framework provides structure to address multiple sets of requirements consistently. The two concepts work hand in hand and provide effectiveness, efficiency and auditability."
Since most organizations have multiple regulations to comply with, as well as internal pressure to adopt ISO- or ITIL-based frameworks, it makes sense for IT departments to combine the strengths of each into a cohesive, actionable plan that can be measured, not only for compliance, but also for the overall improvement in infrastructure performance, security, and reliability it provides.
Contributed by Mark Tordoff