PCI DSS v3.2 Vs ISO 27001 2013 - 160729

Control #
A.5 Information Security Policies
A.5.1 Management direction for information security

Objective: To provide management direction and support for information security in accordance with bus
A.5.1.1
A.5.1.2
A.6 Organization of Information Security
A.6.1 Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operatio
A.6.1.1
A.6.1.2
A.6.1.3
A.6.1.4
A.6.1.4
A.6.1.5
A.6.2 Mobile Devices and Teleworking

Objective: To ensure the security of teleworking and use of mobile devices.
A.6.2.1
A.6.2.2
A.7 Human Resource Security

A.7.1 Prior to Employment
Objective: To ensure that employees and contractors understand their responsibilities and are suitable fo
A.7.1.1
A.7.1.2
A.7.2 During Employment

Objective: To ensure that employees and contractors are aware of and fulfil their information security re
A.7.2.1
A.7.2.2
A.7.2.3
A.7.3 Termination and Change of Employment

Objective: To protect the organization’s interests as part of the process of changing or terminating emplo
A.7.3.1
A.8 Asset Management
A.8.1 Responsibility for Assets

Objective: To identify organizational assets and define appropriate protection responsibilities.
A.8.1.1
A.8.1.2
A.8.1.3
A.8.1.4
A.8.1.4
A.8.2 Information Classification

Objective: To ensure that information receives an appropriate level of protection in accordance with its im
A.8.2.1
A.8.2.2
A.8.2.3
A.8.3 Media Handling
Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored
A.8.3.1
A.8.3.2
A.8.3.3
A.8.3.3
A.9 Access Control
A.9.1 Business Requirements of Access Control

Objective: To limit access to information and information processing facilities.
A.9.1.1
A.9.1.2
A.9.2 User Access Management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services
A.9.2.1
A.9.2.2
A.9.2.3
A.9.2.3
A.9.2.4
A.9.2.5
A.9.2.6
A.9.3 User Responsibilities

Objective: To make users accountable for safeguarding their authentication information.
A.9.3.1
A.9.4 System and Application Access Control
Objective: To prevent unauthorized access to systems and applications.
A.9.4.1
A.9.4.2
A.9.4.2
A.9.4.3
A.9.4.4
A.9.4.5
A.10 Cryptography
A.10.1 Cryptographic Controls

Objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity
A.10.1.1
A.10.1.2
A.11 Physical and Environmental Security
A.11.1 Secure Areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s inform
A.11.1.1
A.11.1.2
A.11.1.3
A.11.1.4
A.11.1.5
A.11.1.6
A.11.2 Equipment
Objective: To prevent loss, damage, theft or compromise of assets and interruption to the organization’s
A.11.2.1
A.11.2.2
A.11.2.3
A.11.2.4
A.11.2.5
A.11.2.6
A.11.2.7
A.11.2.8
A.11.2.9
A.l2 Operations Security

A.12.1 Operational Procedures and Responsibilities
Objective: To ensure correct and secure operations of information processing facilities.
A.12.1.1
A.12.1.2
A.12.1.3
A.12.1.4
A.12.1.4
A.12.2 Protection from Malware

Objective: To ensure that information and information processing facilities are protected against malwar
A.12.2.1
A.12.3 Backup
Objective: To protect against loss of data.
A.12.3.1
A.12.4 Logging and Monitoring
Objective: To record events and generate evidence.
A.12.4.1
A.12.4.2
A.12.4.2
A.12.4.3
A.12.4.4
A.12.5 Control of Operational Software

Objective: To ensure the integrity of operational systems.
A.12.5.1
A.12.6 Technical Vulnerability Management

Objective: To prevent exploitation of technical vulnerabilities.
A.12.6.1
A.12.6.2
A.12.7 Information Systems Audit Considerations

Objective: To minimise the impact of audit activities on operational systems.
A.12.7.1
A.13 Communications security

A.13.1 Network Security Management
Objective: To ensure the protection of information in networks and its supporting information processing
A.13.1.1
A.13.1.2
A.13.1.3
A.13.2 Information Transfer

Objective: To maintain the security of information transferred within an organization and with any extern
A.13.2.1
A.13.2.1
A.13.2.2
A.13.2.3
A.13.2.4
A.14 System Acquisition, Development and Maintenance

A.14.1 Security Requirements of Information Systems
Objective: To ensure that information security is an integral part of information systems across the entire
A.14.1.1
A.14.1.2
A.14.1.3
A.14.1.3
A.14.2 Security in Development and Support Processes

Objective: To ensure that information security is designed and implemented within the development lifec
A.14.2.1
A.14.2.2
A.14.2.3
A.14.2.4
A.14.2.5
A.14.2.5
A.14.2.6
A.14.2.7
A.14.2.8
A.14.2.9
A.14.3 Test Data
Objective: To ensure the protection of data used for testing.
A.14.3.1
A.l 5 Supplier Relationships
A.l5.1 Information Security in Supplier Relationships

Objective: To ensure protection of the organization's assets that is accessible by suppliers.
A.15.1.1
A.15.1.1
A.15.1.2
A.15.1.3
A.l5.2 Supplier Service Delivery Management

Objective: To maintain an agreed level of information security and service delivery in line with supplier a
A.15.2.1
A.15.2.2
A.16 Information Security Incident Management
A.16.1 Management of information Security Incidents and Improvements

Objective: To ensure a consistent and effective approach to the management of information security inc
A.16.1.1
A.16.1.2
A.16.1.3
A.16.1.4
A.16.1.4
A.16.1.5
A.16.1.6
A.16.1.7
A.17 Information Security Aspects of Business Continuity Management
A.17.1 Information Security Continuity

Objective: Information security continuity shall be embedded in the organization’s business continuity ma
A.17.1.1
A.17.1.2
A.17.1.3
A.17.2 Redundancies
Objective: To ensure availability of information processing facilities.
A.17.2.1
A.18 Compliance
A.18.1 Compliance with Legal and Contractual Requirements
Objective: To avoid breaches of legal, statutory, regulatory or contractual obligations related to informat
A.18.1.1
A.18.1.2
A.18.1.3
A.18.1.4
A.18.1.5
A.18.2 Information Security Reviews
Objective: To ensure that information security is implemented and operated in accordance with the orga
A.18.2.1
A.18.2.2
A.18.2.2
A.18.2.3
Control
rity
t for information security in accordance with business requirements and relevant laws and regulations.
Policies for information security
Review of the policies for information security
iate and control the implementation and operation of information security within the organization.
Information security roles and responsibilities
Segregation of duties
Contact with authorities
Contact with special interest groups

Contact with special interest groups
Information security in project management
e of mobile devices.
Mobile device policy
Teleworking
derstand their responsibilities and are suitable for the roles for which they are considered.
Screening
Terms and conditions of employment
e aware of and fulfil their information security responsibilities.
Management responsibilities
Information security awareness, education and training
Disciplinary process
of the process of changing or terminating employment.
Termination or change of employment responsibilities
ppropriate protection responsibilities.
Inventory of assets
Ownership of assets
Acceptable use of assets
Return of assets
Return of assets
priate level of protection in accordance with its importance to the organization.
Classification of information
Labelling of information
Handling of assets
ion, removal or destruction of information stored on media.
Management of removable media
Disposal of media
Physical media transfer

Physical media transfer
n processing facilities.
Access control policy
Access to networks and network services
ent unauthorized access to systems and services.
User registration and de-registration
User access provisioning
Management of privileged access rights

Management of privileged access rights
Management of secret authentication information of users
Review of user access rights
Removal or adjustment of access rights
their authentication information.
Use of secret authentication information
nd applications.
Information access restriction
Secure log-on procedures

Secure log-on procedures
Password management system
Use of privileged utility programs
Access control to program source code
graphy to protect the confidentiality, authenticity and/or integrity of information.
Policy on the use of cryptographic controls
Key management
mage and interference to the organization’s information and information processing facilities.
Physical security perimeter
Physical entry controls
Securing offices, rooms and facilities
Protecting against external and environmental threats
Working in secure areas
Delivery and loading areas
e of assets and interruption to the organization’s operations.
Equipment siting and protection
Supporting utilities
Cabling security
Equipment maintenance
Removal of assets
Security of equipment and assets off-premises
Secure disposal or reuse of equipment
Unattended user equipment
Clear desk and clear screen policy
es
formation processing facilities.
Documented operating procedures
Change management
Capacity management
Separation of development, testing and operational environments

Separation of development, testing and operational environments
rocessing facilities are protected against malware.
Controls against malware
Information backup
Event logging
Protection of log information

Protection of log information
Administrator and operator logs
Clock synchronisation
s.
Installation of software on operational systems
ities.
Management of technical vulnerabilities
Restrictions on software installation
operational systems.
Information systems audit controls
tworks and its supporting information processing facilities.
Network controls
Security of network services
Segregation in networks
erred within an organization and with any external entity.
Information transfer policies and procedures

Information transfer policies and procedures
Agreements on information transfer
Electronic messaging
Confidentiality or nondisclosure agreements
nce
tems
gral part of information systems across the entire lifecycle. This also includes the requirements for information systems whic
Information security requirements analysis and specification
Securing application services on public networks
Protecting application services transactions

Protecting application services transactions
esses
ed and implemented within the development lifecycle of information systems.
Secure development policy
System change control procedures
Technical review of applications after operating platform changes
Restrictions on changes to software packages
Secure system engineering principles

Secure system engineering principles
Secure development environment
Outsourced development
System security testing
System acceptance testing
ting.
Protection of test data
ips
ets that is accessible by suppliers.
Information security policy for supplier relationships

Information security policy for supplier relationships
Addressing security within supplier agreements
Information and communication technology supply chain
curity and service delivery in line with supplier agreements.
Monitoring and review of supplier services
Managing changes to supplier services
ents and Improvements

h to the management of information security incidents, including communication on security events and weaknesses.
Responsibilities and procedures
Reporting information security events
Reporting information security weaknesses
Assessment of and decision on information security events

Assessment of and decision on information security events
Response to information security incidents
Learning from information security incidents
Collection of evidence
nuity Management
dded in the organization’s business continuity management systems.
Planning information security continuity
Implementing information security continuity
Verify, review and evaluate information security continuity

ng facilities.
Availability of information processing facilities
quirements
ory or contractual obligations related to information security and of any security requirements.
Identification of applicable legislation and contractual requirements
Intellectual property rights
Protection of records
Privacy and protection of personally identifiable information
Regulation of cryptographic controls
ented and operated in accordance with the organizational policies and procedures.
Independent review of information security
Compliance with security policies and standards

Compliance with security policies and standards
Technical compliance review

Control Description
evant laws and regulations.

Control
A set of policies for information security shall be defined, approved by management, published and
communicated to employees and relevant external parties.
Control
The policies for information security shall be reviewed at planned intervals or if significant changes
occur to ensure their continuing suitability, adequacy and effectiveness.
within the organization.

Control
All information security responsibilities shall be defined and allocated.
Control
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for
unauthorized or unintentional modification or misuse of the organization’s assets.
Control
Appropriate contacts with relevant authorities shall be maintained.
Control
Appropriate contacts with special interest groups or other specialist security forums and
professional associations shall be maintained.
Control
Information security shall be addressed in project management, regardless of the type of the
project.
Control
A policy and supporting security measures shall be adopted to manage the risks introduced by
using mobile devices.
Control
A policy and supporting security measures shall be implemented to protect information accessed,
processed or stored at teleworking sites.
are considered.
Control
Background verification checks on all candidates for employment shall be carried out in accordance
with relevant laws, regulations and ethics and shall be proportional to the business requirements,
the classification of the information to be accessed and the perceived risks.
Control
The contractual agreements with employees and contractors shall state their and the organization’s
responsibilities for information security.
Control
Management shall require all employees and contractors to apply information security in
accordance with the established policies and procedures of the organization.
Control
All employees of the organization and, where relevant, contractors shall receive appropriate
awareness education and training and regular updates in organizational policies and procedures, as
relevant for their job function.
Control
There shall be a formal and communicated disciplinary process in place to take action against
employees who have committed an information security breach.
Control
Information security responsibilities and duties that remain valid after termination or change of
employment shall be defined, communicated to the employee or contractor and enforced.
Control
Information, other assets associated with information and information processing facilities shall be
identified and an inventory of these assets shall be drawn up and maintained.
Control
Assets maintained in the inventory shall be owned.
Control
Rules for the acceptable use of information and of assets associated with information and
information processing facilities shall be identified, documented and implemented.
Control
All employees and external party users shall return all of the organizational assets in their
possession upon termination of their employment, contract or agreement.
on.
Control
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to
unauthorised disclosure or modification.
Control
An appropriate set of procedures for information labelling shall be developed and implemented in
accordance with the information classification scheme adopted by the organization.
Control
Procedures for handling assets shall be developed and implemented in accordance with the
information classification scheme adopted by the organization.
Control
Procedures shall be implemented for the management of removable media in accordance with the
classification scheme adopted by the organization.
Control
Media shall be disposed of securely when no longer required, using formal procedures.
Control
Media containing information shall be protected against unauthorized access, misuse or corruption
during transportation.
Control
An access control policy shall be established, documented and reviewed based on business and
information security requirements.
Control
Users shall only be provided with access to the network and network services that they have been
specifically authorized to use.
Control
A formal user registration and de-registration process shall be implemented to enable assignment
of access rights.
Control
A formal user access provisioning process shall be implemented to assign or revoke access rights
for all user types to all systems and services.
Control
The allocation and use of privileged access rights shall be restricted and controlled.
Control
The allocation of secret authentication information shall be controlled through a formal
management process.
Control
Asset owners shall review users’ access rights at regular intervals.
Control
The access rights of all employees and external party users to information and information
processing facilities shall be removed upon termination of their employment, contract or
agreement, or adjusted upon change.
Control
Users shall be required to follow the organization's practices in the use of secret authentication
information.
Control
Access to information and application system functions shall be restricted in accordance with the
access control policy.
Control
Where required by the access control policy, access to systems and applications shall be controlled
by a secure log-on procedure.
Control
Password management systems shall be interactive and shall ensure quality passwords.
Control
The use of utility programs that might be capable of overriding system and application controls
shall be restricted and tightly controlled.
Control
Access to program source code shall be restricted.
tion.
Control
A policy on the use of cryptographic controls for protection of information shall be developed and
implemented.
Control
A policy on the use, protection and lifetime of cryptographic keys shall be developed and
implemented through their whole lifecycle.
cessing facilities.
Control
Security perimeters shall be defined and used to protect areas that contain either sensitive or
critical information and information processing facilities.
Control
Secure areas shall be protected by appropriate entry controls to ensure that only authorized
personnel are allowed access.
Control
Physical security for offices, rooms and facilities shall be designed and applied.
Control
Physical protection against natural disasters, malicious attack or accidents shall be designed and
applied.
Control
Procedures for working in secure areas shall be designed and applied.
Control
Access points such as delivery and loading areas and other points where unauthorized persons
could enter the premises shall be controlled and, if possible, isolated from information processing
facilities to avoid unauthorized access.
Control
Equipment shall be sited and protected to reduce the risks from environmental threats and
hazards, and opportunities for unauthorized access.
Control
Equipment shall be protected from power failures and other disruptions caused by failures in
supporting utilities.
Control
Power and telecommunications cabling carrying data or supporting information services shall be
protected from interception, interference or damage.
Control
Equipment shall be correctly maintained to ensure its continued availability and integrity.
Control
Equipment, information or software shall not be taken off-site without prior authorization.
Control
Security shall be applied to off-site assets taking into account the different risks of working outside
the organization’s premises.
Control
All items of equipment containing storage media shall be verified to ensure that any sensitive data
and licensed software has been removed or securely overwritten prior to disposal or re-use.
Control
Users shall ensure that unattended equipment has appropriate protection.
Control
A clear desk policy for papers and removable storage media and a clear screen policy for
information processing facilities shall be adopted.
Control
Operating procedures shall be documented and made available to all users who need them.
Control
Changes to the organization, business processes, information processing facilities and systems that
affect information security shall be controlled.
Control
The use of resources shall be monitored, tuned and projections made of future capacity
requirements to ensure the required system performance.
Control
Development, testing, and operational environments shall be separated to reduce the risks of
unauthorized access or changes to the operational environment.
Control
Detection, prevention and recovery controls to protect against malware shall be implemented,
combined with appropriate user awareness.
Control
Backup copies of information, software and system images shall be taken and tested regularly in
accordance with an agreed backup policy.
Control
Event logs recording user activities, exceptions, faults and information security events shall be
produced, kept and regularly reviewed.
Control
Logging facilities and log information shall be protected against tampering and unauthorized
access.
Control
System administrator and system operator activities shall be logged and the logs protected and
regularly reviewed.
Control
The clocks of all relevant information processing systems within an organization or security domain
shall be synchronised to a single reference time source.
Control
Procedures shall be implemented to control the installation of software on operational systems.
Control
Information about technical vulnerabilities of information systems being used shall be obtained in a
timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate
measures taken to address the associated risk.
Control
Rules governing the installation of software by users shall be established and implemented.
Control
Audit requirements and activities involving verification of operational systems shall be carefully
planned and agreed to minimise disruptions to business processes.
Control
Networks shall be managed and controlled to protect information in systems and applications.
Control
Security mechanisms, service levels and management requirements of all network services shall be
identified and included in network services agreements, whether these services are provided in-
house or outsourced.
Control
Groups of information services, users and information systems shall be segregated on networks.
Control
Formal transfer policies, procedures and controls shall be in place to protect the transfer of
information through the use of all types of communication facilities.
Control
Agreements shall address the secure transfer of business information between the organization
and external parties.
Control
Information involved in electronic messaging shall be appropriately protected.
Control
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs
for the protection of information shall be identified, regularly reviewed and documented.
s the requirements for information systems which provide services over public networks.
Control
The information security related requirements shall be included in the requirements for new
information systems or enhancements to existing information systems.
Control
Information involved in application services passing over public networks shall be protected from
fraudulent activity, contract dispute and unauthorized disclosure and modification.
Control
Information involved in application service transactions shall be protected to prevent incomplete
transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized
message duplication or replay.
s.
Control
Rules for the development of software and systems shall be established and applied to
developments within the organization.
Control
Changes to systems within the development lifecycle shall be controlled by the use of formal
change control procedures.
Control
When operating platforms are changed, business critical applications shall be reviewed and tested
to ensure there is no adverse impact on organizational operations or security.
Control
Modifications to software packages shall be discouraged, limited to necessary changes and all
changes shall be strictly controlled.
Control
Principles for engineering secure systems shall be established, documented, maintained and
applied to any information system implementation efforts.
Control
Organizations shall establish and appropriately protect secure development environments for
system development and integration efforts that cover the entire system development lifecycle.
Control
The organization shall supervise and monitor the activity of outsourced system development.
Control
Testing of security functionality shall be carried out during development.
Control
Acceptance testing programs and related criteria shall be established for new information systems,
upgrades and new versions.
Control
Test data shall be selected carefully, protected and controlled.
Control
Information security requirements for mitigating the risks associated with supplier’s access to the
organization’s assets shall be agreed with the supplier and documented.
Control
All relevant information security requirements shall be established and agreed with each supplier
that may access, process, store, communicate, or provide IT infrastructure components for, the
organization’s information.
Control
Agreements with suppliers shall include requirements to address the information security risks
associated with information and communications technology services and product supply chain.
Control
Organizations shall regularly monitor, review and audit supplier service delivery.
Control
Changes to the provision of services by suppliers, including maintaining and improving existing
information security policies, procedures and controls, shall be managed, taking account of the
criticality of business information, systems and processes involved and re-assessment of risks.
ation on security events and weaknesses.

Control
Management responsibilities and procedures shall be established to ensure a quick, effective and
orderly response to information security incidents.
Control
Information security events shall be reported through appropriate management channels as
quickly as possible.
Control
Employees and contractors using the organization's information systems and services shall be
required to note and report any observed or suspected information security weaknesses in systems
or services.
Control
Information security events shall be assessed and it shall be decided if they are to be classified as
information security incidents.
Control
Information security incidents shall be responded to in accordance with the documented
procedures.
Control
Knowledge gained from analysing and resolving information security incidents shall be used to
reduce the likelihood or impact of future incidents.
Control
The organization shall define and apply procedures for the identification, collection, acquisition and
preservation of information, which can serve as evidence.
Control
The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
Control
The organization shall establish, document, implement and maintain processes, procedures and
controls to ensure the required level of continuity for information security during an adverse
situation.
Control
The organization shall verify the established and implemented information security continuity
controls at regular intervals in order to ensure that they are valid and effective during adverse
situations.
Control
Information processing facilities shall be implemented with redundancy sufficient to meet
availability requirements.
urity requirements.
Control
All relevant legislative statutory, regulatory, contractual requirements and the organization’s
approach to meet these requirements shall be explicitly identified, documented and kept up to date
for each information system and the organization.
Control
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and
contractual requirements related to intellectual property rights and use of proprietary software
products.
Control
Records shall be protected from loss, destruction, falsification, unauthorized access and
unauthorized release, in accordance with legislatory, regulatory, contractual and business
requirements.
Control
Privacy and protection of personally identifiable information shall be ensured as required in
relevant legislation and regulation where applicable.
Control
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and
regulations.
edures.
Control
The organization’s approach to managing information security and its implementation (i.e. control
objectives, controls, policies, processes and procedures for information security] shall be reviewed
independently at planned intervals or when significant changes occur.
Control
Managers shall regularly review the compliance of information processing and procedures within
their area of responsibility with the appropriate security policies, standards and any other security
requirements.
Control
Information systems shall be regularly reviewed for compliance with the organization’s information
security policies and standards.
DSS Req. # Coverage
PCI DSS v3.2
12.1
5 Fully
12.1.1
5 Fully
12.5
5 Fully
3.6.6
6.4
3 Moderately
10.5
12.10.1.a
4 Mostly
6.1
2 Partially
6.1
2 Partially
6.3
1 Minimally
1.4
4.1
2 Partially
11.1
12.3
1 Minimally
12.7
5 Fully
12.8.2
2 Partially
12.1
2 Partially
12.6
2 Partially
0 Not Addressed
0 Not Addressed
2.4
2 Partially
0 Not Addressed
12.3
3 Moderately
0 Not Addressed
0 Not Addressed
0 Not Addressed
9.6.1
1 Minimally
9.5
9.6
1 Minimally
9.7
9.8
9.6.1
3 Moderately
9.8
5 Fully
9.6.2
9.7.1
5 Fully
9.6.2
9.7.1
5 Fully
7.1.a
5 Fully
7.1
5 Fully
8.1.2
4 Mostly
8.1.3
8.1.2
4 Mostly
8.1.3
8.1.2
4 Mostly
8.1.3
8.1.2
4 Mostly
8.1.3
0 Not Addressed
0 Not Addressed
8.1.3
5 Fully
8.4
5 Fully
7.1.2
5 Fully
7.1.3
7.1
8.2
5 Fully
7.1
8.2
5 Fully
8.2.3
4 Mostly
8.2.4
8.2.5
0 Not Addressed
7.1.2
5 Fully
7.1.3
0 Not Addressed
3.5
5 Fully
9.1
4 Mostly
9.1.1
5 Fully
0 Not Addressed
0 Not Addressed
0 Not Addressed
0 Not Addressed
0 Not Addressed
0 Not Addressed
9.1.2
1 Minimally
0 Not Addressed
9.6
5 Fully
9.6.3
9.5.1
5 Fully
9.6.2
9.8
1 Minimally
0 Not Addressed
0 Not Addressed
Various
4 Mostly
6.4.5
2 Partially
0 Not Addressed
6.4.1
5 Fully
6.4.2
6.4.1
5 Fully
6.4.2
5.1
4 Mostly
9.5
1 Minimally
10.2
10.6
10.7 5 Fully
5 Fully
10.5.1
10.5.2
10.5.3
5 Fully
10.5.5
10.2
10.6
5 Fully
10.7
10.4
5 Fully
0 Not Addressed
6.1
5 Fully
0 Not Addressed
0 Not Addressed
1.1.1
1.1.2
1.1.3
4 Mostly
1.1.4
1.1.5
1.1.1
1.1.6 3 Moderately
1.2.1
1.3.1
2 Partially
1.3.3
1 Minimally
12.8
1 Minimally
12.8.2
1 Minimally
4.2
3 Moderately
12.8
1 Minimally
2.2
2.2.4 2 Partially
2.2.5
4.1
3 Moderately
1 Minimally
4.1
1 Minimally
2.2
6.3
5 Fully
6.4
5 Fully
6.4.5.a
5 Fully
6.4
1 Minimally
5 Fully
2.2
6.3
5 Fully
0 Not Addressed
12.8.3 2 Partially
6.3
3 Moderately
0 Not Addressed
6.4.3
1 Minimally
6.4.4
2 Partially
12.8.3
2 Partially
12.8.3
2 Partially
12.8.3
2 Partially
0 Not Addressed
0 Not Addressed
12.10.1
5 Fully
12.10.1
2 Partially
12.10.4
1 Minimally
1 Minimally
12.10.1
1 Minimally
12.10.5
12.10.1
1 Minimally
12.10.6
5 Fully
12.10.1
1 Minimally
12.10.1
1 Minimally
12.10.1
1 Minimally
12.10.1
1 Minimally
0 Not Addressed
12.10.1
5 Fully
0 Not Addressed
3 Moderately
0 Not Addressed
12.8.5
1 Minimally
All
4 Mostly
2 Partially
All
2 Partially
All
2 Partially
Description
Information Security Policy Establishment

"12.1 Establish, publish, maintain, and disseminate a security policy."
Information Security Policy Review

"12.1.1 Review the security policy at least annually and update the policy when
business objectives or the risk environment change."
Security Management Responsibilities

"12.5 Assign to an individual or team the following information security
management responsibilities:"
Key Management
"3.6.6 If manual dear-text cryptographic key-management operations are used,
these operations must be managed using split knowledge and dual control."
Change Control
"6.4 • Development/test environments are separate from production environments
with access control in place to enforce separation.
• A separation of duties between personnel assigned to the development/test
environments and those assigned to the production environment."
Log Management
"10.5 • Current audit trail files are protected from unauthorized modifications via
access control mechanisms, physical segregation, and/or network segregation."
Incident Response Only

"12.10.1.a • Analysis of legal requirements for reporting compromises (for
example, California Bill 1386, which requires notification of affected consumers in
the event of an actual or suspected compromise for any business with California
residents in their database)."
Vulnerability Management Only

"6.1 • To include using reputable outside sources for security vulnerability
information."
Vulnerability Management Only
"6.1 • To include using reputable outside sources for security vulnerability
information."
Secure Coding Practices Only

"6.3 • Incorporate information security throughout the software development life
cycle."
Personal Firewall Only

"1.4 Install personal firewall software on any mobile and/or employee-owned
devices that connect to the Internet when outside the network (for example,
laptops used by employees), and which are also used to access the network.
Firewall configurations include:"
Transmission Over Publish Networks

"4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH,
etc.) to safeguard sensitive cardholder data during transmission over open, public
networks, including the following:
• Cellular technologies, for example, Global System for Mobile communications

(GSM), Code division multiple access (CDMA)"
Unauthorised Wireless Access Points

"11.1 Verify that the methodology is adequate to detect and identify any
unauthorized wireless access points, including at least the following:
• Portable or mobile devices attached to system components to create a wireless

access point (for example, by USB, etc.)."
Use of Critical Technologies

"12.3 Develop usage policies for critical technologies and define proper use of these
technologies
• Prohibit copying, moving, or storing of cardholder data onto local hard drives and
removable electronic media when accessing such data via remote-access
technologies."
Personnel Screening
"12.7 Screen potential personnel prior to hire to minimize the risk of attacks from
internal sources. (Examples of background checks include previous employment
history, criminal record, credit history, and reference checks.)"
Security of Cardholder Data Only
"12.8.2 Maintain a written agreement that includes an acknowledgement that the
service providers are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the
customer, or to the extent that they could impact the security of the customer’s
CDE."
Information Security Policy Enforcement

"12.1 Examine the information security policy and verify that the policy is published
and disseminated to all relevant personnel (including vendors and business
partners)."
Security Awareness Relevant to Cardholder Data Only

"12.6 Implement a formal security awareness program to make all personnel aware
of the cardholder data security policy and procedures."
Asset Inventory for PCI Systems Only

"2.4 Maintain an inventory of system components that are in scope for PCI DSS."
Critical Technologies Usage

"12.3 Develop usage policies for critical technologies and define proper use of these
technologies."
Classification of Media Assets Only
"9.6.1 Verify that all media is classified so the sensitivity of the data can be
determined."
Media Handling Only

"9.5 Physically secure all media."
"9.6 Maintain strict control over the internal or external distribution of any kind of
media, including the following:"
"9.7 Maintain strict control over the storage and accessibility of media."
"9.8 Destroy media when it is no longer needed for business or legal reasons as
follows:"
Classification of Media Assets Only

"9.6.1 Verify that all media is classified so the sensitivity of the data can be
determined."
Media Disposal
"9.8 Destroy media when it is no longer needed for business or legal reasons as
follows:
• Hard-copy materials must be crosscut shredded, incinerated, or pulped such that

there is reasonable assurance the hard-copy materials cannot be reconstructed.
• Storage containers used for materials that are to be destroyed must be secured.
• Cardholder data on electronic media must be rendered unrecoverable (e.g. via a
secure wipe program in accordance with industry-accepted standards for secure
deletion, or by physically destroying the media)."
Secure Media Transportation

"9.6.2 Send the media by secured courier or other delivery method that can be
accurately tracked."
"9.7.1 Properly maintain inventory logs of all media and conduct media inventories
at least annually."
Secure Media Transportation
"9.7.1 Properly maintain inventory logs of all media and conduct media inventories
at least annually."
Access Control Policy

"7.1.a Examine written policy for access control, and verify that the policy
incorporates 7.1.1 through 7.1.4 as follows:
• Defining access needs and privilege assignments for each role.

• Restriction of access to privileged user IDs to least privileges necessary to
perform job responsibilities.
• Assignment of access based on individual personnel’s job classification and
function.
• Documented approval (electronically or in writing) by authorized parties for all
access, including listing of specific privileges approved."
Role Based Access Control (RBAC)

"7.1 Limit access to system components and cardholder data to only those
individuals whose job requires such access."
Joiners, Movers, and Leavers - Registration

"8.1.2 Control addition, deletion, and modification of user IDs, credentials, and
other identifier objects."
"8.1.3 Immediately revoke access for any terminated users."
Joiners, Movers, and Leavers - Process

Joiners, Movers, and Leavers - Privileged Access


Joiners, Movers, and Leavers - Privileged Access
Leavers
Authentication Credentials Guidance

"8.4 Document and communicate authentication policies and procedures to all users
including:
• Guidance on selecting strong authentication credentials.

• Guidance for how users should protect their authentication credentials.
• Instructions not to reuse previously used passwords.
• Instructions to change passwords if there is any suspicion the password could be
compromised."
Role Based Access Control (RBAC) - Policy

"7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform
job responsibilities."
"7.1.3 Assign access based on individual personnel’s job classification and function."
Role Based Access Control (RBAC) - Enforcement

"7.1Limit access to system components and cardholder data to only those
"8.2 In addition to assigning a unique ID, ensure proper user-authentication

management for non-consumer users and administrators on all system components
by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase.

• Something you have, such as a token device or smart card.
• Something you are, such as a biometric."
Role Based Access Control (RBAC) - Enforcement
"7.1Limit access to system components and cardholder data to only those
"8.2 In addition to assigning a unique ID, ensure proper user-authentication

management for non-consumer users and administrators on all system components
by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase.

• Something you have, such as a token device or smart card.
• Something you are, such as a biometric."
Password Complexity
"8.2.3 Passwords/phrases must meet the following:
• Require a minimum length of at least seven characters.

• Contain both numeric and alphabetic characters. Alternatively, the
passwords/phrases must have complexity and strength at least equivalent to the
parameters specified above."
"8.2.4 Change user passwords/passphrases at least once every 90 days."
"8.2.5 Do not allow an individual to submit a new password/phrase that is the same
as any of the last four passwords/phrases he or she has used."
Role Based Access Control (RBAC) - Policy

"7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform
job responsibilities."
"7.1.3 Assign access based on individual personnel’s job classification and function."
Encryption Key Management Procedures

"3.5 Document and implement procedures to protect keys used to secure stored
cardholder data against disclosure and misuse:"
Physical Access Control
"9.1 Use appropriate facility entry controls to limit and monitor physical access to
systems in the cardholder data environment."
Access Control Mechanisms

"9.1.1 Use video cameras and/or access control mechanisms to monitor individual
physical access to sensitive areas. Review collected data and correlate with other
entries. Store for at least three months, unless otherwise restricted by law."
Network Jacks Only

"9.1.2 Implement physical and/or logical controls to restrict access to publicly
accessible network jacks."
Secure Distribution of Media
"9.6 Maintain strict control over the internal or external distribution of any kind of
media, including the following:"
"9.6.3 Ensure management approves any and all media that is moved from a
secured area (including when media is distributed to individuals)."
Security of Off-Site Media

"9.5.1 Store media backups in a secure location, preferably an off-site facility, such
as an alternate or back-up site, ora commercial storage facility. Review the
location’s security at least annually."
Media Destruction Policy

"9.8 Examine the periodic media destruction policy and verify that it covers all
media and defines requirements for the following:
• Cardholder data on electronic media must be rendered unrecoverable (e.g. via a

secure wipe program in accordance with industry-accepted standards for secure
deletion, or by physically destroying the media)."
[Numerous procedures required in each Requirements Section.]
Change Control for Apps and Patching Only

"6.4.5 Change control procedures for the implementation of security patches and
software modifications must include the following:"
Separation of Test & Production

"6.4.1 Separate development/test environments from production environments, and
enforce the separation with access controls."
"6.4.2 Separation of duties between development/test and production

environments."
Separation of Test & Production
"6.4.1 Separate development/test environments from production environments, and
enforce the separation with access controls."
"6.4.2 Separation of duties between development/test and production

environments."
Anti-Malware
"5.1 Deploy anti-virus software on all systems commonly affected by malicious
software (particularly personal computers and servers)."
Protection of Backup Media Only

"9.5 Physically secure all media."
Logging & Monitoring

"10.2 Implement automated audit trails for all system components to reconstruct
the following events:"
"10.6 Review logs and security events for all system components to identify
anomalies or suspicious activity."
"10.7 Retain audit trail history for at least one year, with a minimum of three
months immediately available for analysis (for example, online, archived, or
restorable from backup)."
Protection of Log Files

"10.5.1 Limit viewing of audit trails to those with a job-related need."
"10.5.2 Protect audit trail files from unauthorized modifications."
"10.5.3 Promptly back up audit trail files to a centralized log server or media that is
difficult to alter."
"10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure

that existing log data cannot be changed without generating alerts."
Logging & Monitoring

"10.5.2 Implement automated audit trails for all system components to reconstruct
the following events:"
"10.6 Review logs and security events for all system components to identify
anomalies or suspicious activity."
"10.7Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable from
backup)."
Time Synchronisation
"10.4 Using time-synchronization technology, synchronize all critical system clocks
and times and ensure that the following is implemented for acquiring, distributing,
and storing time."
Vulnerability Management
"6.1 Establish a process to identify security vulnerabilities, using reputable outside
sources for security vulnerability information, and assign a risk ranking (for
example, as “high,” “medium,” or “low”) to newly discovered security
vulnerabilities."
Network Device Management
"1.1.1 A formal process for approving and testing all network connections and
changes to the firewall and router configurations."
"1.1.2 Current diagram that identifies all connections between the cardholder data
environment and other networks, including any wireless networks."
"1.1.3 Current diagram that shows all cardholder data flows across systems and
networks."
"1.1.4 equirements for a firewall at each Internet connection and between any
demilitarized zone (DMZ) and the internal network zone."
"1.1.5 Description of groups, roles, and responsibilities for management of network

components."
Network Services
"1.1.1 A formal process for approving and testing all network connections and
changes to the firewall and router configurations."
"1.1.6 Documentation and business justification for use of all services, protocols,
and ports allowed, including documentation of security features implemented for
those protocols considered to be insecure."
Network Segregation
"1.2.1 Restrict inbound and outbound traffic to that which is necessary for the
cardholder data environment, and specifically deny all other traffic."
"1.3.1 Implement a DMZ to limit inbound traffic to only system components that
provide authorized publicly accessible services, protocols, and ports."
"1.3.3 Do not allow any direct connections inbound or outbound for traffic between
the Internet and the cardholder data environment."
Information Transfer Policies

"12.8 Maintain and implement policies and procedures to manage service providers
with whom cardholder data is shared, or that could affect the security of cardholder
data, as follows:"
Information Transfer Contracts

"12.8.2 Maintain a written agreement that includes an acknowledgement that the
service providers are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the
customer, or to the extent that they could impact the security of the customer’s
CDE."
Electronic Messaging
"4.2 Never send unprotected PANs by end-user messaging technologies (for
example, e-mail, instant messaging, SMS, chat, etc.)."
Non-Disclosure Agreements
"12. 8Maintain and implement policies and procedures to manage service providers
with whom cardholder data is shared, or that could affect the security of cardholder
data, as follows:"
Configuration Standards
"2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with
industry-accepted system hardening standards."
"2.2.4 Configure system security parameters to prevent misuse."
"2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features,

subsystems, file systems, and unnecessary web servers."
Data Protection Over Public Networks

• Only trusted keys and certificates are accepted.

• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use."
Transaction Protection
• Only trusted keys and certificates are accepted.

• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use."
Configuration Standards & SDLC

"6.3 Develop internal and external software applications (including web-based

administrative access to applications) securely, as follows:
• In accordance with PCI DSS (for example, secure authentication and logging).
• Based on industry standards and/or best practices.
• Incorporate information security throughout the software development life cycle."
Change Control
"6.4 Follow change control processes and procedures for all changes to system
components. The processes must include the following:"
Change Control - Testing

"6.4.5.a Examine documented change-control procedures related to implementing
security patches and software modifications and verify procedures are defined for:
• Documentation of impact.
• Documented change approval by authorized parties.
• Functionality testing to verify that the change does not adversely impact the
security of the system.
• Back-out procedures."
Change Control - General

"6.4 Follow change control processes and procedures for all changes to system
components. The processes must include the following:"
Configuration Standards & SDLC


Vendor Due Diligence

"12.8.3 Ensure there is an established process for engaging service providers
including proper due diligence prior to engagement."
Change Control - Testing
Test Data
"6.4.3 Production data (live PANs) are not used for testing or development."
"6.4.4 Removal of test data and accounts before production systems become
active."
Vendor Due Diligence - Contract

Vendor Due Diligence - Security Requirements

Vendor Due Diligence - Security Risks

Incident Response - Roles & Responsibilities

"12.10.1 Create the incident response plan to be implemented in the event of
system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of
a compromise including notification of the payment brands, at a minimum."
Incident Response - Reporting

a compromise including notification of the payment brands, at a minimum.
• Specific incident response procedures."
Incident Response - Suspected Weaknesses

"12.10.4 Verify through observation, review of policies, and interviews of
responsible personnel that staff with responsibilities for security breach response
are periodically trained."
Incident Response - Event Assessment

"12.10.5 Include alerts from security monitoring systems, including but not limited
to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring
systems."
Incident Response - Response Procedures

Incident Response - Lessons Learned

"12.10.6 Verify through observation, review of policies, and interviews of
responsible personnel that there is a process to modify and evolve the incident
response plan according to lessons learned and to incorporate industry
developments."
Incident Response - Evidence Collection

Business Continuity - Planning

• Business recovery and continuity procedures.
• Data back-up processes."
Business Continuity - Process, Procedure & Controls

Business Continuity - Testing

Applicable Legislation / Regulation
a compromise including notification of the payment brands, at a minimum.
• Analysis of legal requirements for reporting compromises.
• Reference or inclusion of incident response procedures from the payment
brands."
Applicable Legislation / Regulation

PCI relevant data only
Cryptographic Agreements
"12.8.5 Maintain information about which PCI DSS requirements are managed by
each service provider, and which are managed by the entity. "
Independent Review
This is what QSAs are for.
Compliance Review - Process

There are some 'periodic' operational processes for review, but from an
overacrching program perspective, this is inadequate.
Compliance Review - Systems

There are some 'periodic' system specific reviews, but this will mostly be driven by
annual compliance validation.
A. 5 Information Security Policies
A.9 Access Control
A.10 Cryptography

A.13 Communications security

A.16 Information Security Incident Management
A.17 Information Security Aspects of Business Continuity Management

A.18 Compliance
2 10 10 100%
7 18 35 51%
6 11 30 37%
10 20 50 40%
14 51 70 73%
2 5 10 50%
15 21 75 28%
14 41 70 59%
A.17 Information Security Aspects of Business C
7 15 35 43%
13 33 65 51%
5 6 25 24%
7 16 35 46%
4 3 20 15%
A.16 Information Security Incident Ma
8 17 40 43%
114 267 570 47%
A.l 5 Supplier Rel
A.14 System Acquisition, Develop

PCI DSS v3.2 vs. ISO 27001:2013
A. 5 Information Security Policies
A.18 Compliance A.6 Org

100%
mation Security Aspects of Business Continuity Management
50%
.16 Information Security Incident Management
0%
A.13 Communications security A.11 Ph

013
curity Policies

00%
0%
A.9 Access Control
A.10 Cryptography
s Security

PCI DSS v3.2 Vs ISO 27001 2013 - 160729

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

PCI DSS v3.2 Vs ISO 27001 2013 - 160729

Caricato da

Copyright:

Formati disponibili

Control #

A.5 Information Security Policies

A.5.1 Management direction for information security

A.6 Organization of Information Security

A.6.1 Internal Organization

A.6.2 Mobile Devices and Teleworking

A.7 Human Resource Security

A.7.2 During Employment

A.7.3 Termination and Change of Employment

A.8 Asset Management

A.8.1 Responsibility for Assets

A.8.2 Information Classification

A.8.3 Media Handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored

A.9 Access Control

A.9.1 Business Requirements of Access Control

A.9.2 User Access Management

A.9.3 User Responsibilities

A.9.4 System and Application Access Control

Objective: To prevent unauthorized access to systems and applications.

A.10.1 Cryptographic Controls

A.l2 Operations Security

Objective: To ensure correct and secure operations of information processing facilities.

A.12.2 Protection from Malware

A.12.4 Logging and Monitoring

Objective: To record events and generate evidence.

A.12.5 Control of Operational Software

A.12.6 Technical Vulnerability Management

A.12.7 Information Systems Audit Considerations

A.13 Communications security

A.13.2 Information Transfer

A.14 System Acquisition, Development and Maintenance

A.14.2 Security in Development and Support Processes

A.14.3 Test Data

Objective: To ensure the protection of data used for testing.

A.l 5 Supplier Relationships

A.l5.1 Information Security in Supplier Relationships

A.l5.2 Supplier Service Delivery Management

A.16 Information Security Incident Management

A.16.1 Management of information Security Incidents and Improvements

A.17 Information Security Aspects of Business Continuity Management

A.17.1 Information Security Continuity

A.18.2 Information Security Reviews

Policies for information security

Review of the policies for information security

Information security roles and responsibilities

Contact with authorities

Contact with special interest groups

Information security in project management

Mobile device policy

e aware of and fulfil their information security responsibilities.

Information security awareness, education and training

of the process of changing or terminating employment.

Termination or change of employment responsibilities

ppropriate protection responsibilities.

Acceptable use of assets

priate level of protection in accordance with its importance to the organization.

ion, removal or destruction of information stored on media.

Management of removable media

Physical media transfer

Access control policy

Access to networks and network services