PCI DSS vs ISO 27001 vs Cyber Essentials


With the growing threat of cyberattacks, government and national bodies are seeking assurance that organizations adhere to cybersecurity best practices. As a consequence, several cybersecurity frameworks designed to protect data now exist. But with several frameworks available, PCI DSS vs ISO 27001 vs Cyber Essentials, which framework should you focus your efforts on, and which of these are mandatory for your business?

Here we compare the cybersecurity frameworks PCI DSS, ISO 27001 and Cyber Essentials, and provide an overview of the requirements for each. We also provide guidance on how to prioritize these standards when it comes to implementation.

Comparing PCI DSS vs ISO 27001 vs Cyber Essentials

Presented below is an overview of the PCI DSS, ISO 27001, and Cyber Essentials frameworks, and how they compare with one another:

Framework
  • PCI DSS Standard
  • ISO 27001 Standard
  • Cyber Essentials Scheme

Administrator
  • PCI DSS: Payment Card Industry (PCI) Standards Council
  • ISO 27001: International Organization for Standardization (ISO)
  • Cyber Essentials: National Cyber Security Centre (NCSC); IASME (Cyber Essentials Scheme accreditation body)

Applicability
  • PCI DSS: Global. Mandatory for any organization which processes cardholder data.
  • ISO 27001: Global. Optional for organizations of all types and sizes wishing to implement an ISMS.
  • Cyber Essentials: UK only. Mandatory for any organization wishing to tender for UK Government contracts.

Scope
  • PCI DSS: Applicable to private cardholders’ data.
  • ISO 27001: Varies according to the business; the scope is international.
  • Cyber Essentials: Depends on the size of the business.

Number of Domains
  • PCI DSS: 6
  • ISO 27001: 14
  • Cyber Essentials: 5

Flexibility
  • PCI DSS: Limited
  • ISO 27001: Large
  • Cyber Essentials: Limited

Certification/Compliance
  • PCI DSS: Completion of an Attestation of Compliance (AOC) form; a quarterly network scan conducted by an ASV (Approved Scanning Vendor); submission of an annual Self-Assessment Questionnaire (SAQ). Organizations classed as Level One must have an on-site yearly assessment (Report on Compliance – ROC) completed by an independent Qualified Security Assessor (QSA).
  • ISO 27001: Certification is achieved through a two-stage formal review to assess compliance, usually conducted six weeks apart. Compliance audits are conducted annually and can be either internal or external. Certification can be renewed every 36 months.
  • Cyber Essentials: Self-assessment against five basic security controls; a qualified assessor verifies the information provided. Cyber Essentials Plus: a qualified assessor assesses the same five controls, testing through a technical audit that they are implemented satisfactorily.

Average time needed to achieve compliance*
  • PCI DSS: 7 to 14 days
  • ISO 27001: 6 to 12 months
  • Cyber Essentials: 24 to 48 hours

Payment Card Industry Data Security Standard – PCI DSS

PCI DSS (an acronym of Payment Card Industry Data Security Standard) is a global data security standard which has been in place since 2004. It is administered by the PCI Security Standards Council.

Any company which accepts, stores, or transmits cardholder data is mandated to comply with the PCI DSS standard. The standard is only applicable to cardholder data, such as the primary account number (PAN), along with other login credentials.

When comparing PCI DSS with ISO 27001 and Cyber Essentials, what is evident is that the PCI DSS standard specifies technical controls which a merchant needs to implement to achieve PCI DSS compliance.

PCI DSS Merchant Levels

An organization can fall into one of four different merchant levels of the PCI DSS standard. Each level has different criteria and a different process for achieving and maintaining compliance. The PCI DSS Merchant Levels are:

  • Level 1: Companies that process over 6M payments each year, regardless of the amount of each transaction.
  • Level 2: Companies that process between 1M and 6M transactions each year, regardless of the amount of each transaction.
  • Level 3: Companies that process between 20K and 1M eCommerce transactions each year.
  • Level 4: Companies that process fewer than 20K eCommerce payments each year, or up to 1M transactions in total.

The Six Objectives of the PCI DSS

PCI DSS has six main goals or objectives. The 12 PCI DSS Requirements complement these goals. A summary of each goal is presented below.

  1. Build and manage a secure networking environment – Merchants must build and maintain an adequately protected network. This is achieved by implementing and correctly configuring firewalls and changing any manufacturer’s default configurations and settings.
  2. Protect cardholders’ confidential data – Protecting cardholder data means not only preventing data breaches but also preventing information from being stolen and misused. Organizations must ensure cardholder data is encrypted both when stored and when transmitted.
  3. Maintain a program to manage vulnerabilities – Merchants must manage vulnerabilities proactively. This is achieved by monitoring for and preventing malware, and by ensuring systems, software, and hardware have the latest security patches.
  4. Deploy robust access control measures – Merchants must limit physical and virtual access to cardholder data based on user roles. Furthermore, they must ensure user accounts are unique and that an audit trail for any given user account is readily available.
  5. Monitor and test networks regularly – All access to network resources, especially cardholder information, must be monitored. Any systems which interact with cardholder data must be regularly tested to identify vulnerabilities.
  6. Ensure an Information Security Policy is maintained – An Information Security Policy must be available and maintained by the organization. The policy should include incident response procedures and guidelines for the use of technologies. It should also ensure staff are aware of their roles and responsibilities in preserving cardholder data security.

Read more: 6 Goals of PCI DSS Compliance

PCI DSS vs ISO 27001 and Cyber Essentials

When comparing PCI DSS with the other standards, it is evident that the PCI DSS standard specifies technical controls. These controls need to be implemented by a merchant to achieve PCI DSS compliance.

However, it is worth noting that, compared to ISO 27001 and Cyber Essentials, PCI DSS’s scope is limited to cardholder data.

If you want to learn more about the PCI DSS standard, a good starting point is our article, Achieving PCI DSS Compliance.

ISO/IEC 27001:2013

The ISO/IEC 27001 information security standard is internationally recognized. The standard was first introduced in 2005 and revised in 2013. The current version is ISO/IEC 27001:2013.

The standard is set by the International Organization for Standardization (ISO), an independent, non-governmental international organization with a membership of 165 national standards bodies.

ISO/IEC 27001 outlines what is required to establish, implement, maintain, and improve an information security management system.

While more comprehensive than either PCI DSS or Cyber Essentials, ISO 27001 is not yet mandatory in many countries.

The 14 ISO 27001 Controls

The ISO 27001 standard does not provide specific requirements for compliance. Instead, it provides guidelines via a set of fourteen ‘controls’. These controls are summarized below:

  1. Create an Information Security Policy – An information security policy should lay out how to manage information in accordance with laws, regulations, and business requirements, providing direction and support for your employees. The document should be regularly reviewed to ensure it remains suitable and effective.
  2. Implement and manage Information Security – This control provides a mechanism for managing information security within an organization. The ISO 27001 standard provides a framework for managing information security for various aspects of your organization, such as remote working.
  3. Ensure staff receive training and raise awareness – Employees should be made aware of their responsibilities towards information security. Those whose roles can control or affect information security should receive training where necessary.
  4. Secure Organizational Information Security Assets – Devices used for information storage and processing can be considered ‘Information security assets’. Organizations should identify and classify information security assets based on the sensitivity of the data they handle.
  5. Use Access Control to protect data – Staff and third parties must have restricted access to your data. The ISO 27001 standard shows how formal processes can be used to grant and revoke user rights.
  6. Use Cryptography to protect the Confidentiality and Integrity of data – Tools such as encryption should be used to maintain the confidentiality and integrity of your data.
  7. Block unauthorized physical access to your workplace – The physical locations of information security assets must be protected from unauthorized access and natural disasters.
  8. Deploy secure configurations for operational infrastructure – To achieve and maintain ISO 27001 standards, an organization must ensure operational infrastructure is securely configured. This may include deploying antivirus software to protect against malware and data loss, changing default settings and passwords on devices, and gathering and documenting any security vulnerabilities.
  9. Secure configurations for network infrastructure – For ISO 27001 compliance, businesses need to monitor and control their network traffic, ensure their systems using the network are secured using devices such as firewalls, and ensure security features and management requirements for the network are identified.
  10. Prioritize security during the acquisition, development, and maintenance of information systems – As a management system, ISO 27001 mandates that security controls are embedded at every level of an information system to prevent the loss or misuse of information.
  11. Ensure suppliers comply with information security – Under ISO 27001, your suppliers are required to comply with the same security requirements you’ve implemented for your organization.
  12. Manage information security incidents effectively – In the event your systems are breached, or an accident occurs, you need to communicate the details of the incident and event effectively. You will also need to collect and preserve evidence for further analysis and develop processes for improving information security and implement measures to prevent the incident from repeating.
  13. Avoid interrupting business continuity due to information security failures – ISO/IEC 27001 provides a step-by-step process for ensuring your business continues to operate following a breach. A vital part of this is ensuring information systems can still be accessed during and after an incident.
  14. Ensure compliance with information security policies and standards – Your business should never breach any law or security standard. The ISO/IEC 27001 standard provides guidance for obtaining and maintaining compliance.

ISO 27001 vs PCI DSS and Cyber Essentials

Comparing ISO 27001 vs PCI DSS, what is immediately evident is that the ISO 27001 standard is far more comprehensive, covering a broader scope. This is understandable since ISO/IEC 27001 is an information security management system standard.

Additionally, when assessing ISO 27001 vs PCI DSS, it is clear that there is some overlap between the PCI DSS Goals and the ISO 27001 Controls. In particular, access control, an information security policy, a secured network, encryption and antivirus feature in both standards.

To learn more about ISO 27001, read our article, ISO/IEC 27001 Explained: What is ISO27001?

The Five Cyber Essentials Technical Controls

The requirements for Cyber Essentials and Cyber Essentials Plus certification are built around five technical controls.

An overview of each Cyber Essentials control is presented below:

  1. Firewall configuration and deployment – The Cyber Essentials certification requires a firewall to be configured and deployed to protect all devices, particularly devices connected to an untrusted or public network.
  2. Ensure devices and software are securely configured – Cyber Essentials requires businesses to reset the manufacturer’s default settings to maximize security. This includes using strong passwords and, where possible, multi-factor authentication.
  3. Use access control – Employees should only have the minimum access needed to perform their role. Privileged accounts should be limited and only used for administrative tasks such as installing software.
  4. Protect against malware – The scheme requires organizations to implement at least one of the following: anti-malware measures (such as antivirus), sandboxing (an access-restricted environment), or whitelisting (a list of software permitted to be installed and run on a device).
  5. Keep devices and software updated – Cyber Essentials requires that all devices, software, and operating systems be kept up to date through manufacturer updates (or patches). Devices must be upgraded once the manufacturer or developer no longer supports them.

Cyber Essentials vs ISO 27001 and PCI DSS

Reviewing the Cyber Essentials requirements shows the similarities between Cyber Essentials and PCI DSS. ISO 27001, as an ISMS, covers a broader scope by comparison.

The majority of the PCI DSS objectives can be directly mapped to the Cyber Essentials technical controls. The exception is the creation of an Information Security Policy, which the Cyber Essentials Scheme does not mandate.

As with ISO 27001 vs PCI DSS, an overlap also exists between the ISO 27001 and Cyber Essentials controls, with access control, a secured network, encryption and antivirus featuring in both standards.

To get started with Cyber Essentials, take a look at our article, Understanding the Cyber Essentials Certification.

PCI DSS vs ISO 27001 vs Cyber Essentials: Which one to opt for?

The Cyber Essentials Scheme provides a robust introduction to cybersecurity. For businesses looking to tender for UK Government contracts, being Cyber Essentials certified is mandatory.

The Cyber Essentials Scheme and the PCI DSS requirements align closely; the only difference is the requirement for an Information Security Policy under PCI DSS. Consequently, it is not unreasonable for an organization to meet both standards with little additional effort.

ISO/IEC 27001, on the other hand, is far more comprehensive than either PCI DSS or Cyber Essentials. As such, achieving ISO 27001 certification requires careful planning, resources and commitment.

Since ISO 27001 is a global standard, compliance with it will provide immense value to businesses that trade internationally.
