ISO 27002 vs PCI DSS 3.0

Report
G
C
R
®
®
The Science of Compliance
Craig Isaacs
CEO, Unified Compliance Framework
The world's largest and most reviewed legal
framework.
2
G
C
R
Strict Adherence to a Standard
Will Leave You Exposed
3
Areas of Exposure: Comparison of
Standards to…
1. PCI
2. SOX
3. Healthcare
4. Banking
4
ISO 27002
238 Direct
Controls
5
PCI DSS 3.0
293 Direct
Controls
6
ISO 27002 vs PCI DSS 3.0:
Overlapping Controls
162 Unique
Controls
76
217 Unique
Controls
17%
Overlap
7
217 Unique
Controls
PCI DSS 3.0 Unique Controls
Sample of Unique Controls:
1. Establish and maintain a media inventory.
2. Test the system for buffer overflows.
3. Incorporate breach of the security of data incident
response notification into the incident response plan.
8
162 Unique
Controls
ISO 27002 Unique Controls
Sample of Unique Controls:
1. Separate systems that store or process restricted
data from those that do not by deploying Physical
access controls.
2. Define the executive policy, executive mission, and
executive vision of the continuity planning process.
3. Verify that the continuity plan includes purchasing
enough insurance.
9
“Sarbanes-Oxley” Isn’t One
Authority Document
1. Sarbanes-Oxley Act
(only 19 direct controls in audit, records
management, and monitoring)
2. COSO ERM
3. 17 CFR Parts 210, 240.
4. PCAOB Auditing Standards
5. Etc…
10
SOX Guidance
174
Direct
Controls
11
ISO 27002 vs SOX Group:
Overlapping Controls
162 Unique
Controls
136
38 Unique
Controls
10%
Overlap
12
ISO 27002 vs PCI DSS 3.0 vs SOX
ISO
133 Unique
Controls
PCI
67
202 Unique
Controls
9
29
15
121
Unique
Controls
SOX
13
121
Unique
Controls
Sarbanes-Oxley Unique Controls
Sample of Unique Controls:
1. Establish and maintain data processing integrity
through segregation of duties.
2. Assign the audit to impartial auditors.
3. Establish and maintain a compliance monitoring
policy and audit policy.
14
Comparison of Standards
1. NIST 800-53R4
2. ISO 27002
15
ISO 27002
238 Direct
Controls
16
NIST 800-53R4
721 Direct Controls
17
ISO 27002 vs NIST 800-53 R4
105 Unique 133
Controls
16%
Overlap
588 Unique Controls
18
SOX Guidance vs NIST 800-53 R4
130
Unique 44
Controls
5%
Overlap
677 Unique Controls
19
PCI DSS 3.0 vs NIST 800-53 R4
149 Unique
Controls 144
17%
Overlap
577 Unique Controls
20
Healthcare & Life Sciences vs. NIST
800-53 R4
21
NIST 800-53R4
721 Direct
Controls
22
Healthcare & Life Sciences
Guidance
1214 Direct Controls
23
NIST 800-53 R4 vs. Healthcare &
Life Sciences
357
Unique
Controls
364
23%
Overl
1214
Unique
Controls
24
Banking Guidance vs. ISO 27002
25
ISO 27002
238 Direct
Controls
26
Banking Guidance
935 Direct Controls
27
ISO 27002 vs. Banking Guidance
32
206
21%
Overlap
729
Unique
Controls
28
Recommendations
•
Reduce audit and compliance costs by properly
defining system scope and related control
requirements.
•
Leverage standards where overlaps exist.
•
Determine business case for implementing controls
without mandates.
•
Automate evidence gathering, compliance
correlation, and ongoing compliance review.
•
Audit once as much as possible.
29

similar documents