Applying Security Standards Like ISO 27002 to Compliance Requirements | The Compliance and Security Connection
One of the great challenges facing IT professionals is how to navigate the sea of regulatory compliance requirements, industry standards, and the many security and IT operational best-practice standards and frameworks.
A recent post on SearchSecurity.com by Richard Mackey did a great job of comparing the value of ISO 27002 to PCI DSS compliance specifically.
As you likely know, the PCI Data Security Standard is a set of 12 requirements, broken into several hundred sub-requirements, that were written by the PCI Security Standards Council on behalf of all of the major credit card companies. All organizations that store, transmit, or process payment cards are required to provide varied levels of proof of their compliance with the Standard.
ISO 27002, also referred to as ISO 17799, is a security standard of practice. As Mackey states, "it is a comprehensive list of security practices that can be applied -- in varying degrees -- to all organizations."
Mackey shares two specific benefits of applying a standard like ISO 27002 to a regulation like PCI-DSS. "First, it provides a framework that allows organizations to achieve their PCI security goals along with those from other sources, like industry or governmental regulations. Second, it provides guidance on how to fit some of PCI's governance and policy requirements into an organization's compliance program."
For the complete article, click here.