Security Basics mailing list archives

RE: RE: ISO 27001 mapping to PCI


From: "Sheldon Malm" <smalm () ncircle com>
Date: Wed, 27 Feb 2008 13:03:19 -0800

You have it exactly right, imho. 


Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of evilwon12 () yahoo com
Sent: Wednesday, February 27, 2008 11:45 AM
To: security-basics () securityfocus com
Subject: Re: RE: ISO 27001 mapping to PCI

Hopefully there is just some miscommunication here.  I agree with Craig
that you just cannot map a control in SOX/HIPAA/ISO 27001 to a control
in PCI and be done with it.  If it were that simple, I'd have a lot more
free time to do things that I consider more interesting.


However, one can take a policy/standard/procedure for
SOX/HIPAA/etc. and ensure that it effectively covers the PCI
requirements as well (take having a security policy).  Thus, hopefully
having 1 policy/standard/procedure to encompass everything.   I
think/hope this is what Sheldon was talking about.


Last, I agree with Craig that scope is vital to audits.  Who cares what
policies one has in place if the scope does not cover the right areas?
If you are only taking CC data through a web-based application, and are
not storing any CC data, does an HR laptop really fall under the PCI
scope?  Does that web server fall under HIPAA?


There is no "magic" mapping button.  Some things can be utilized across
multiple audits, but without a well defined scope, any audit is destined
for problems.  


I will conclude by stating that I have yet to see any two standards
(SOX, PCI, HIPAA, etc.) where there is a direct 1-1 mapping of
policies/procedures.  There has always been something that was applicable
*only* to those machines that were defined as being in the scope of the
standard.

