PCI - DSS - ISMS - Mapping


Payment Card Industry Data Security Standard – Information Security Management System Mapping

Each PCI DSS v4.0 requirement is listed below, followed (indented) by the ISO 27001:2022 clauses and Annex A controls it maps to.

R1: INSTALL AND MAINTAIN NETWORK SECURITY CONTROLS

1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood
    A.8.20 Networks security
    5.3 Organisational roles, responsibilities and authorities
1.2 Network security controls (NSCs) are configured and maintained
    A.8.20 Networks security
    A.8.21 Security of network services
    A.8.32 Change management
1.3 Network access to and from the cardholder data environment is restricted
    A.8.22 Segregation of networks
    A.8.21 Security of network services
1.4 Network connections between trusted and untrusted networks are controlled
    A.8.22 Segregation of networks
    A.8.21 Security of network services
1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated
    A.8.7 Protection against malware
    A.8.19 Installation of software on operational systems
    A.8.22 Segregation of networks

R2: APPLY SECURE CONFIGURATIONS TO ALL SYSTEM COMPONENTS

2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood
    A.8.9 Configuration management
    5.3 Organisational roles, responsibilities and authorities
2.2 System components are configured and managed securely
    A.8.9 Configuration management
    A.8.21 Security of network services
    A.8.8 Management of technical vulnerabilities
    A.5.6 Contact with special interest groups
2.3 Wireless environments are configured and managed securely
    A.8.20 Networks security
    A.6.5 Responsibilities after termination or change of employment

R3: PROTECT STORED ACCOUNT DATA

3.1 Processes and mechanisms for protecting stored account data are defined and understood
    A.8.3 Information access restriction
3.2 Storage of account data is kept to a minimum
    A.5.33 Protection of records
3.3 Sensitive authentication data (SAD) is not stored after authorization
    A.8.26 Application security requirements
3.4 Access to displays of full PAN and ability to copy PAN is restricted
    A.8.11 Data masking
3.5 Primary account number (PAN) is secured wherever it is stored
    A.8.24 Use of cryptography
3.6 Cryptographic keys used to protect stored account data are secured
    A.8.24 Use of cryptography
3.7 Where cryptography is used to protect stored account data, key-management processes and procedures covering all aspects of the key lifecycle are defined and implemented
    A.8.24 Use of cryptography
    A.5.19 Information security in supplier relationships

R4: PROTECT CARDHOLDER DATA WITH STRONG CRYPTOGRAPHY DURING TRANSMISSION OVER OPEN, PUBLIC NETWORKS

4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented
    A.8.24 Use of cryptography
    5.3 Organisational roles, responsibilities and authorities
4.2 PAN is protected with strong cryptography during transmission
    A.8.24 Use of cryptography

R5: PROTECT ALL SYSTEMS AND NETWORKS FROM MALICIOUS SOFTWARE

5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood
    A.8.20 Networks security
    A.8.21 Security of network services
    A.8.7 Protection against malware
    5.3 Organisational roles, responsibilities and authorities
5.2 Malicious software (malware) is prevented, or detected and addressed
    A.8.7 Protection against malware
5.3 Anti-malware mechanisms and processes are active, maintained, and monitored
    A.8.7 Protection against malware
    A.8.23 Web filtering
    A.8.15 Logging
5.4 Anti-phishing mechanisms protect users against phishing attacks
    A.6.3 Information security awareness, education and training
    A.8.7 Protection against malware
    A.8.23 Web filtering

R6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND SOFTWARE

6.1 Processes and mechanisms for developing and maintaining secure systems and software are defined and understood
    A.8.25 Secure development life cycle
    5.3 Organisational roles, responsibilities and authorities
6.2 Bespoke and custom software are developed securely
    A.8.25 Secure development life cycle
    A.8.28 Secure coding
    A.5.20 Addressing information security within supplier agreements
6.3 Security vulnerabilities are identified and addressed
    A.8.8 Management of technical vulnerabilities
6.4 Public-facing web applications are protected against attacks
    A.8.21 Security of network services
6.5 Changes to all system components are managed securely
    A.8.32 Change management

R7: RESTRICT ACCESS TO SYSTEM COMPONENTS AND CARDHOLDER DATA BY BUSINESS NEED TO KNOW

7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
    A.5.15 Access control
    5.3 Organisational roles, responsibilities and authorities
7.2 Access to system components and data is appropriately defined and assigned
    A.5.15 Access control
    A.5.18 Access rights
7.3 Access to system components and data is managed via an access control system(s)
    A.5.15 Access control

R8: IDENTIFY USERS AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS

8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood
    A.5.16 Identity management
    5.3 Organisational roles, responsibilities and authorities
8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle
    A.5.16 Identity management
    5.3 Organisational roles, responsibilities and authorities
8.3 Strong authentication for users and administrators is established and managed
    A.8.5 Secure authentication
    A.5.1 Policies for information security
8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE
    A.8.5 Secure authentication
8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse
    A.8.5 Secure authentication
8.6 Use of application and system accounts and associated authentication factors is strictly managed
    A.8.2 Privileged access rights

R9: RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA

9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood
    A.7.1 Physical security perimeters
    5.3 Organisational roles, responsibilities and authorities
9.2 Physical access controls manage entry into facilities and systems containing cardholder data
    A.7.2 Physical entry
    A.5.15 Access control
    A.7.4 Physical security monitoring
9.3 Physical access for personnel and visitors is authorized and managed
    A.7.2 Physical entry
    A.7.3 Securing offices, rooms and facilities
    A.7.6 Working in secure areas
9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed
    A.7.10 Storage media
    A.5.9 Inventory of information and other associated assets
9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution
    A.7.8 Equipment siting and protection
    A.5.9 Inventory of information and other associated assets
    A.6.3 Information security awareness, education and training

R10: LOG AND MONITOR ALL ACCESS TO SYSTEM COMPONENTS AND CARDHOLDER DATA

10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented
    A.8.15 Logging
    A.8.16 Monitoring activities
    5.3 Organisational roles, responsibilities and authorities
10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events
    A.8.15 Logging
10.3 Audit logs are protected from destruction and unauthorized modifications
    A.8.15 Logging
    5.3 Organisational roles, responsibilities and authorities
10.4 Audit logs are reviewed to identify anomalies or suspicious activity
    A.8.15 Logging
    A.8.16 Monitoring activities
10.5 Audit log history is retained and available for analysis
    A.8.15 Logging
10.6 Time-synchronization mechanisms support consistent time settings across all systems
    A.8.17 Clock synchronization
10.7 Failures of critical security control systems are detected, reported, and responded to promptly
    A.8.16 Monitoring activities

R11: TEST SECURITY OF SYSTEMS AND NETWORKS REGULARLY

11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood
    A.5.35 Independent review of information security
    5.3 Organisational roles, responsibilities and authorities
11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed
    A.8.20 Networks security
    A.5.9 Inventory of information and other associated assets
11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed
    A.5.35 Independent review of information security
11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected
    A.5.35 Independent review of information security
    A.8.8 Management of technical vulnerabilities
11.5 Network intrusions and unexpected file changes are detected and responded to
    A.5.26 Response to information security incidents
    A.8.16 Monitoring activities
11.6 Unauthorized changes on payment pages are detected and responded to
    A.5.26 Response to information security incidents
    A.8.16 Monitoring activities

R12: SUPPORT INFORMATION SECURITY WITH ORGANIZATIONAL POLICIES AND PROGRAMS

12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current
    A.5.1 Policies for information security
    5.2 Policy
    5.3 Organisational roles, responsibilities and authorities
12.2 Acceptable use policies for end-user technologies are defined and implemented
    A.5.10 Acceptable use of information and other associated assets
12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed
    6.1 Risk assessment process
    A.5.9 Inventory of information and other associated assets
12.4 PCI DSS v4.0 compliance is managed
    A.5.36 Compliance with policies, rules and standards for information security
12.5 PCI DSS v4.0 scope is documented and validated
    4.2 Interested parties
12.6 Security awareness education is an ongoing activity
    A.6.3 Information security awareness, education and training
12.7 Personnel are screened to reduce risks from insider threats
    A.6.1 Screening
12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed
    A.5.21 Managing information security in the ICT supply chain
12.9 Third-party service providers (TPSPs) support their customers’ PCI DSS v4.0 compliance
    A.5.20 Addressing information security within supplier agreements
12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately
    A.5.26 Response to information security incidents
    A.8.12 Data leakage prevention
