List:       security-basics
Subject:    Re: RE: ISO 27001 mapping to PCI
From:       "W. Lee Schexnaider" <l.schex () gmail ! com>
Date:       2008-02-27 22:24:19
Message-ID: b8f0957a0802271424r90a8a09t8f414877eb2852e3 () mail ! gmail ! com

evilwon12 said:

> I will conclude by stating that I have yet to see any two standards (SOX, PCI,
> HIPAA, etc.) where there is a direct 1-1 mapping of policies/procedures.  There
> has always been something that was applicable *only* to those machines that were
> defined as being in the scope of the standard.

Yes, this is correct.  One part of the work I do is attach a text
"extension" to a link between the section of a standard and the common
control statement.  The control statements tend to be written at a
high level.  The extension is where we put details about the control in
the standard.  But the linking to a common control set helps to produce
a cross-standard view of compliance for an organization.

Lee

On 27 Feb 2008 16:45:20 -0000,  <evilwon12@yahoo.com> wrote:
> Hopefully there is just some miscommunication here.  I agree with Craig that you
> just cannot map a control in SOX/HIPAA/ISO 27001 to a control in PCI and be done
> with it.  If it was that simple, I'd have a lot more free time to do things that I
> consider more interesting.
>
> However, one can take a policy/standard/procedure for SOX/HIPAA/etc. and ensure
> that it effectively covers the PCI requirements as well (take having a security
> policy).  Thus, hopefully having 1 policy/standard/procedure to encompass
> everything.  I think/hope this is what Sheldon was talking about.
>
> Last, I agree with Craig that scope is vital to audits.  Who cares what policies
> one has in place if the scope does not cover the right areas?  If you are only
> taking CC data through a web-based application, and are not storing any CC data,
> does an HR laptop really fall under the PCI scope?  Does that web server fall
> under HIPAA?
>
> There is no "magic" mapping button.  Some things can be utilized across multiple
> audits, but without a well-defined scope, any audit is destined for problems.
>
> I will conclude by stating that I have yet to see any two standards (SOX, PCI,
> HIPAA, etc.) where there is a direct 1-1 mapping of policies/procedures.  There
> has always been something that was applicable *only* to those machines that were
> defined as being in the scope of the standard.

