Thursday 3 November 2011
ISO 27001 vs PCI-DSS: Security Management vs Security Controls Standards
For many organisations, the past few years have featured the letters PCI-DSS quite prominently. Brought in to regulate the manner in which credit and debit card data are managed following a number of significant and high-profile losses, the Payment Card Industry Data Security Standard defines in exacting detail the controls that need to be applied to protect the data and how they should be tested and audited. The standard defines specifically the data it needs to protect and applies it to anyone storing, processing or transmitting this data. Consequently, almost all retail companies and any other businesses that accept card payments need to implement it and ensure that any service providers they use also meet the requirements of the standard.
The reason that PCI-DSS is able to be so prescriptive in its security controls and auditing requirements is that there are a significant number of constants in play, regardless of the size of business. The data requiring protection is always the same type (card numbers, cardholder name, expiry date, etc) and the controls for each data type are therefore constant. The threats to the data are the same and the level of impact is only dependent on how many payment cards are being handled. The risk assessment side has already been done in advance and the controls defined to appropriately reduce them. This is all defined regardless of the type of business, size of business or other threats that may be present in wider enterprise of the businesses in question.
Why is ISO 27001 different?
Unlike the security controls-based PCI-DSS, ISO 27001 does not apply to any particular industry sector, type of data being protected or specific risks or threats. It is a security management-based standard that expects the organisations implementing it to work out these factors for themselves and continually assure their effectiveness. You can therefore apply ISO 27001 to a multinational IT services provider, seeking to protect assets including corporate data; client data; research and development data; IT systems; the buildings and datacenters where the data is housed; the staff, contractors & client personnel; and their business reputation. These are all things which have value to the company and which have vulnerabilities of their own, which are subject to threats and which are therefore facing a level of risk from certain internal and external factors.
Conversely, you can also apply ISO 27001 to "Bob's Corner Shop". Bob may run a single shop in which he has assets including himself and a couple of staff, the shop itself, stock/inventory and perhaps a PC on a desk which he uses to keep records of stock levels and maybe customer accounts. These things are still assets to Bob and still have vulnerabilities and threats posed to them. The impact of Bob's PC crashing and having to be rebooted though is somewhat less than the impact to the IT services provider example above losing power to its core IT infrastructure. The risk therefore is different. Bob also needs to consider things like physical and environmental security, but his controls are more likely to be a good lock on the door, a burglar alarm and a modest air conditioning unit - somewhat different to the multi-factor defense in depth biometric controls, 24/7 guard-force monitoring CCTV and complex HVAC systems deployed by the IT company.
The important thing is that the controls you choose to avoid, mitigate or transfer the risk need to be appropriate. A security control is only appropriate if the cost of implementing and running it is less than the cost of the risk it mitigates, should a security event/incident occur. If Bob decides to implement a two-factor biometric access control system for the store and an enterprise-level anti-virus system for his PC, then he'll be spending far more on those controls than the cost of replacing the assets he's trying to protect. If Bob wants to be able to accept credit card payments, then he will most likely chose to pay a fee to a payment processing service, rather than implementing his own PCI-DSS accredited IT network.
It is because of these differences between the various adopters of ISO 27001, their risk levels and appetites, that the controls cannot be prescribed and specific within the standard itself. If ISO 27001 were to mandate controls at the enterprise level, then Bob would never be able to align his business to that standard. Conversely, if the standard were to only implement a door lock and a burglar alarm as the sole physical security controls, this would not appropriately address the risks facing a data centre.
Managing to both ISO 27001 and PCI-DSS is about constantly assessing risk and reviewing measurements of effectiveness which could be taken from audits, events or ad-hoc observations. The main difference between the two is that for PCI-DSS, this is being done by the PCI Security Standards Council who will release updates to the PCI standards in the event that the current controls need updating to address a new set of risks or threats - businesses managing to PCI-DSS will still audit, but just to ensure that they are meeting the defined controls. The risks that might affect the PCI standard will however only be based on new threats or risks only to payment card data rather than an entire enterprise, with any factors that may affect the standard perhaps not occurring very often. The mandate for compliance globally for all organisations handling this data also makes it more difficult to change the PCI-DSS standard too often.
Where PCI-DSS will remain static until the next version is released, the controls implemented for ISO 27001 could change in response to a specific incident, a change of risk profile based on new threats or the change of management risk appetite. Therefire, with support thorough management and down into the organisation, the policies in place for ISO 27001 can bend and flex gradually to deal with changing risks.
ISO 27001 and PCI-DSS sit very well together within an enterprise. The security management to ISO 27001 will assess all risks to the enterprise across all assets and will define appropriate controls to appropriately mitigate those risks to a level within the risk apetite of the company. Provided the ISO 27001 controls defined meet the requirements of PCI-DSS for those systems in scope for handing payment card data, then it fits nicely into the security management system. It may be that the risks assessed for the enterprise mandate stronger controls than PCI-DSS in some areas, in which case an enterprise-wide control will automatically meet the requirements of the PCI-DSS standard. If the risk assessment determines that a lower level of control is required, then provided the systems in scope meet the requirements of the controls in PCI-DSS, all other systems can be managed in line with the lesser enterprise controls.