ISO 27001 (2013) vs PCI DSS 3.2.1

This table provides a loose mapping for those interested in the interplay between ISO 27001:2013 Annex A controls and the PCI DSS 3.2.1 requirements. The scope of the 27K (2013) control set clearly exceeds that of PCI DSS, so it offers an excellent framework within which to deliver PCI compliance. The Coverage score rates how completely the cited DSS requirement(s) address each ISO control, from 0 (Not Addressed) to 5 (Fully); a blank DSS Req. # column means no specific requirement was mapped.

| Control # | Control | DSS Req. # | Score | Coverage |
|---|---|---|---|---|
| A.10.1.1 | Policy on the use of cryptographic controls | 1.5 | 3 | Moderately |
| A.10.1.2 | Key management | 3.5, 3.6 | 5 | Fully |
| A.11.1.1 | Physical security perimeter | 9.1 | 4 | Mostly |
| A.11.1.2 | Physical entry controls | 9.1 | 5 | Fully |
| A.11.1.3 | Securing offices, rooms and facilities | | 0 | Not Addressed |
| A.11.1.4 | Protecting against external and environmental threats | | 0 | Not Addressed |
| A.11.1.5 | Working in secure areas | | 0 | Not Addressed |
| A.11.1.6 | Delivery and loading areas | | 0 | Not Addressed |
| A.11.2.1 | Equipment siting and protection | | 0 | Not Addressed |
| A.11.2.2 | Supporting utilities | | 0 | Not Addressed |
| A.11.2.3 | Cabling security | 9.1.2 | 1 | Minimally |
| A.11.2.4 | Equipment maintenance | | 0 | Not Addressed |
| A.11.2.5 | Removal of assets | 9.4, 9.6 | 5 | Fully |
| A.11.2.6 | Security of equipment and assets off-premises | 9.5, 9.6 | 5 | Fully |
| A.11.2.7 | Secure disposal or reuse of equipment | 9.8 | 1 | Minimally |
| A.11.2.8 | Unattended user equipment | | 0 | Not Addressed |
| A.11.2.9 | Clear desk and clear screen policy | Various | 0 | Not Addressed |
| A.12.1.1 | Documented operating procedures | | 4 | Mostly |
| A.12.1.2 | Change management | 6.4 | 2 | Partially |
| A.12.1.3 | Capacity management | | 0 | Not Addressed |
| A.12.1.4 | Separation of development, testing and operational environments | 6.4 | 5 | Fully |
| A.12.2.1 | Controls against malware | 5.1 | 4 | Mostly |
| A.12.3.1 | Information backup | 9.5 | 1 | Minimally |
| A.12.4.1 | Event logging | 10.2 | 5 | Fully |
| A.12.4.2 | Protection of log information | 10.5 | 5 | Fully |
| A.12.4.3 | Administrator and operator logs | 10.2, 10.6, 10.7 | 5 | Fully |
| A.12.4.4 | Clock synchronisation | 10.4 | 5 | Fully |
| A.12.5.1 | Installation of software on operational systems | | 0 | Not Addressed |
| A.12.6.1 | Management of technical vulnerabilities | 6.1 | 5 | Fully |
| A.12.6.2 | Restrictions on software installation | | 0 | Not Addressed |
| A.12.7.1 | Information systems audit controls | | 0 | Not Addressed |
| A.13.1.1 | Network controls | 1 | 4 | Mostly |
| A.13.1.2 | Security of network services | 1.1 | 3 | Moderately |
| A.13.1.3 | Segregation in networks | 1.2, 1.3 | 2 | Partially |
| A.13.2.1 | Information transfer policies and procedures | 12.8 | 1 | Minimally |
| A.13.2.2 | Agreements on information transfer | 12.8 | 1 | Minimally |
| A.13.2.3 | Electronic messaging | 4.2 | 3 | Moderately |
| A.13.2.4 | Confidentiality or nondisclosure agreements | 12.8 | 1 | Minimally |
| A.14.1.1 | Information security requirements analysis and specification | 2.2 | 2 | Partially |
| A.14.1.2 | Securing application services on public networks | 4.1 | 3 | Moderately |
| A.14.1.3 | Protecting application services transactions | 4.1 | 1 | Minimally |
| A.14.2.1 | Secure development policy | 2.2, 6.3 | 5 | Fully |
| A.14.2.2 | System change control procedures | 6.4 | 5 | Fully |
| A.14.2.3 | Technical review of applications after operating platform changes | 6.4 | 5 | Fully |
| A.14.2.4 | Restrictions on changes to software packages | 6.4 | 1 | Minimally |
| A.14.2.5 | Secure system engineering principles | 2.2, 6.3 | 5 | Fully |
| A.14.2.6 | Secure development environment | | 0 | Not Addressed |
| A.14.2.7 | Outsourced development | 2.2, 6.3, 12.8 | 2 | Partially |
| A.14.2.8 | System security testing | 11 | 3 | Moderately |
| A.14.2.9 | System acceptance testing | | 0 | Not Addressed |
| A.14.3.1 | Protection of test data | | 1 | Minimally |
| A.15.1.1 | Information security policy for supplier relationships | 12.8.3 | 2 | Partially |
| A.15.1.2 | Addressing security within supplier agreements | 12.8, 12.9 | 2 | Partially |
| A.15.1.3 | Information and communication technology supply chain | 12.8, 12.9 | 2 | Partially |
| A.15.2.1 | Monitoring and review of supplier services | | 0 | Not Addressed |
| A.15.2.2 | Managing changes to supplier services | | 0 | Not Addressed |
| A.16.1.1 | Responsibilities and procedures | 12.7, 12.10 | 5 | Fully |
| A.16.1.2 | Reporting information security events | 12.10 | 2 | Partially |
| A.16.1.3 | Reporting information security weaknesses | 12.10 | 1 | Minimally |
| A.16.1.4 | Assessment of and decision on information security events | 12.10 | 1 | Minimally |
| A.16.1.5 | Response to information security incidents | 12.10 | 1 | Minimally |
| A.16.1.6 | Learning from information security incidents | 12.10 | 5 | Fully |
| A.16.1.7 | Collection of evidence | 12.10 | 1 | Minimally |
| A.17.1.1 | Planning information security continuity | 12.10 | 1 | Minimally |
| A.17.1.2 | Implementing information security continuity | 12.10 | 1 | Minimally |
| A.17.1.3 | Verify, review and evaluate information security continuity | 12.10 | 1 | Minimally |
| A.17.2.1 | Availability of information processing facilities | | 0 | Not Addressed |
| A.18.1.1 | Identification of applicable legislation and contractual requirements | 12.10 | 5 | Fully |
| A.18.1.2 | Intellectual property rights | | 0 | Not Addressed |
| A.18.1.3 | Protection of records | | 3 | Moderately |
| A.18.1.4 | Privacy and protection of personally identifiable information | | 0 | Not Addressed |
| A.18.1.5 | Regulation of cryptographic controls | 4, 12.8 | 1 | Minimally |
| A.18.2.1 | Independent review of information security | All | 4 | Mostly |
| A.18.2.2 | Compliance with security policies and standards | All | 2 | Partially |
| A.18.2.3 | Technical compliance review | All | 2 | Partially |
| A.5.1.1 | Policies for information security | 1.5, 12.1 | 5 | Fully |
| A.5.1.2 | Review of the policies for information security | 1.5, 12.1 | 5 | Fully |
| A.6.1.1 | Information security roles and responsibilities | 12.5 | 5 | Fully |
| A.6.1.2 | Segregation of duties | 3.3, 7.1, 7.2, 7.3 | 3 | Moderately |
| A.6.1.3 | Contact with authorities | 12.10.1 | 3 | Moderately |
| A.6.1.4 | Contact with special interest groups | 6.1, 6.3 | 1 | Minimally |
| A.6.1.5 | Information security in project management | 6.3 | 1 | Minimally |
| A.6.2.1 | Mobile device policy | 1.4, 4, 11.1, 12.3 | 2 | Partially |
| A.6.2.2 | Teleworking | 1.4, 4, 11.1, 12.3 | 2 | Minimally |
| A.7.1.1 | Screening | 12.7 | 5 | Fully |
| A.7.1.2 | Terms and conditions of employment | | 0 | Not Addressed |
| A.7.2.1 | Management responsibilities | 12.1 | 2 | Partially |
| A.7.2.2 | Information security awareness, education and training | 12.6 | 2 | Partially |
| A.7.2.3 | Disciplinary process | | 0 | Not Addressed |
| A.7.3.1 | Termination or change of employment responsibilities | | 0 | Not Addressed |
| A.8.1.1 | Inventory of assets | 2.4 | 2 | Partially |
| A.8.1.2 | Ownership of assets | | 0 | Not Addressed |
| A.8.1.3 | Acceptable use of assets | 12.3 | 3 | Moderately |
| A.8.1.4 | Return of assets | | 0 | Not Addressed |
| A.8.2.1 | Classification of information | | 0 | Not Addressed |
| A.8.2.2 | Labelling of information | 9.6 | 1 | Minimally |
| A.8.2.3 | Handling of assets | 9.5, 9.6, 9.7, 9.8 | 1 | Minimally |
| A.8.3.1 | Management of removable media | 9.6 | 3 | Moderately |
| A.8.3.2 | Disposal of media | 9.8 | 5 | Fully |
| A.8.3.3 | Physical media transfer | 9.6, 9.7 | 5 | Fully |
| A.9.1.1 | Access control policy | 7.1 | 5 | Fully |
| A.9.1.2 | Access to networks and network services | 7.1, 7.2 | 5 | Fully |
| A.9.2.1 | User registration and de-registration | 7.2, 8 | 4 | Mostly |
| A.9.2.2 | User access provisioning | 7.2, 8 | 4 | Mostly |
| A.9.2.3 | Management of privileged access rights | 7.2, 8 | 4 | Mostly |
| A.9.2.4 | Management of secret authentication information of users | | 0 | Not Addressed |
| A.9.2.5 | Review of user access rights | | 0 | Not Addressed |
| A.9.2.6 | Removal or adjustment of access rights | 7.2 | 1 | Minimally |
| A.9.3.1 | Use of secret authentication information | 8.4 | 5 | Fully |
| A.9.4.1 | Information access restriction | 7.1 | 5 | Fully |
| A.9.4.2 | Secure log-on procedures | 7.1, 8.2 | 5 | Fully |
| A.9.4.3 | Password management system | 8.2 | 4 | Mostly |
| A.9.4.4 | Use of privileged utility programs | | 0 | Not Addressed |
| A.9.4.5 | Access control to program source code | 6, 7.1 | 5 | Fully |
