Those of you who have to deal with compliance may have already noticed that the intersection between regulation and cyber security is becoming more overt. Organisations increasingly need to respond to requirements relating to both digital security and data protection.
Two well-known standards focusing on data and information security are the internationally recognised information security standard, ISO27001, and the Payment Card Industry Data Security Standard (PCI DSS).
Neira Jones, an information security and PCI DSS expert, recently spoke at IT Governance’s cyber security summit where she drew parallels between the PCI DSS and ISO27001, and explained the importance of understanding your organisation’s information security needs, its risk and threat profile, and its supply chain and information assets. This information is essential in order to take appropriate measures to protect the business from future threats.
The PCI DSS has been in the news recently, mostly in relation to Target’s catastrophic data breach. Questions have been asked as to how the breach occurred if, as the company claims, it was PCI-compliant at the time. Geraint Williams, PCI QSA at IT Governance, wrote on his blog that “it’s important to remember that the PCI DSS should be seen as the minimum level of security required and not an absolute security solution.”
By creating a cyber security framework based on best practice (such as ISO27001 and the PCI DSS, while also being informed by legal requirements like the DPA) you can create a systematic approach to compliance that will enable you to manage the confidentiality, integrity and availability (CIA) of data and information assets – a model that is central to cyber security.
This case study looks at how Harino, an online gaming company, reached ISO27001 and PCI DSS compliance with help from IT Governance’s experienced consultants, who used their knowledge to enable an innovative approach that simultaneously met both requirements.
The following resources have been designed to increase knowledge of both ISO27001 and the PCI DSS.
This is a must-have guide for those approaching the PCI DSS v3.0 Standard.
BSI’s official guide to ISO27001 requires no previous knowledge of the Standard. It provides an easily digestible overview of ISO27001, its purpose and benefits.
PCI DSS v3.0 Documentation Toolkit – Brand new version
This new toolkit provides organisations with a comprehensive set of pre-written PCI DSS v3.0-compliant documents, as well as useful desktop tools to help them achieve compliance as quickly as possible.