Professional Documents
Culture Documents
This work is copyright © 2009, Mohan Kamat and ISO27k implementers' forum, some rights reserved. It is licensed under the
Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and
create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly
attributed to the ISO27k implementers' forum www.ISO27001security.com), and (c) derivative works are shared under the same
terms as this.).
Mapping ISO 27001 Controls to PCI-DSS V1.2 Requirements
4.2 Never send unencrypted PANs by end-user messaging technologies A.10.8.4 Electronic messaging
6.3.1.5 Validation of proper rolebased access control (RBAC) A.11.1.1 Access Control Policy
Separate development/test and production environments A.10.1.4 Separation of development, test and operational
6.3.2
facilities
Separation of duties between development/test and production A.10.1.3
6.3.3
environments Segregation of duties
6.3.4 Production data (live PANs) are not used for testing or development A.10.1.2 Change Management
6.5.7 Broken authentication and session management A.11.4.2 User authentication for external connections
8.5.5 Remove/disable inactive user accounts at least every 90 days. A.11.2.4 Review of user access rights
Enable accounts used by vendors for remote maintenance only during A.11.4.6 Network Connection Control
8.5.6
the time period needed.
Communicate password procedures and policies to all users who have A.11.2.3 User password management
8.5.7
access to cardholder data.
8.5.8 Do not use group, shared, or generic accounts and passwords. A.11.5.2 User identification and authentication
8.5.9 Change user passwords at least every 90 days. A.11.5.3 Password management system
8.5.10 Require a minimum password length of at least seven characters. A.11.3.1 Password Use
8.5.11 Use passwords containing both numeric and alphabetic characters. A.11.3.1 Password Use
Do not allow an individual to submit a new password that is the same A.11.5.3 Password management system
8.5.12
as any of the last four passwords he or she has used.
Limit repeated access attempts by locking out the user ID after not A.11.5.1 Secure log-on procedures
8.5.13
more than six attempts.
Set the lockout duration to a minimum of 30 minutes or until A.11.5.5 Session time out
8.5.14
administrator enables the user ID.
10.2.5 Use of identification and authentication mechanisms A.11.5.1 Secure log-on procedures
10.3.6 Identity or name of affected data, system component, or resource A.10.10.1 Audit Logging
10.4 Synchronize all critical system clocks and times. A.10.10.6 Clock Syncronisation
10.5 Secure audit trails so they cannot be altered. A.10.10.2 Monitoring system use
10.5.1 Limit viewing of audit trails to those with a job-related need. A.10.10.3 Protection of log information
10.5.2 Protect audit trail files from unauthorized modifications A.10.10.3 Protection of log information
Promptly back up audit trail files to a centralized log server or media A.10.10.3 Protection of log information
10.5.3
that is difficult to alter.
Write logs for external-facing technologies onto a log server on the A.10.10.1 Audit Logging
10.5.4 internal LAN.
A.10.1.1 Documented operating procedures
ISO 27001 Implementer’s Forum © 2009 Internal Use Only Page 13
Mapping ISO 27001 Controls to PCI-DSS V1.2 Requirements
12.3.2 Authentication for use of the technology A.11.5.2 User identification and authentication
12.3.3 A list of all such devices and personnel with access A.7.1.1 Inventory of Assets
Labeling of devices with owner, contact information, and purpose A.7.1.2 Ownership of Assets
12.3.4
A.11.4.3 Equipment identification in networks
12.3.6 Acceptable network locations for the technologies A.11.4.1 Policy on use of network services
12.8.1 Maintain a list of service providers A.10.2.3 Managing changes to third party services
Maintain a written agreement that includes an acknowledgement that A.6.1.5 Confidentiality agreements
12.8.2 the service providers are responsible for the security of cardholder
data the service providers possess.