Re: ISO 27001 mapping to PCI
- From: Mike Lococo <mikelococo@xxxxxxxxx>
- Date: Mon, 25 Feb 2008 19:02:30 -0500
What am I missing here? I probably sound real dumb, but why are we mapping standards to each other?
I believe that the value of mapping these standards to each other
allows for the qualification of the organization against multiple
standards without requiring a duplication of efforts. Where standards
match other standard's requirements an organization can count those
steps as well. Measure twice, cut once.
In particular, folks like to map against ISO 27001/27002 because it's fairly comprehensive. They use it as their common language to refer to all internal security controls, and do all their implementation and audit using that vocabulary. Then when they want to check compliance against another standard, they map it to ISO27001 and end up with a checklist they can pass around internally or query their configuration management database for.