ISO 27001 and PCI DSS implementation and certification
Introduction to security standards
The international standard ISO/IEC 27001:2013 “Information technology – Security techniques – Information security management systems – Requirements” is the most widely recognized framework worldwide for building a modern Information Security Management System (ISMS) and having it officially certified.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard maintained by the PCI Security Standards Council and mandated contractually by the card brands (not a law or government regulation). It applies to any merchant and service provider that uses payment card technology, for card-present as well as card-not-present transactions (e.g. e-commerce). PCI DSS compliance is required of any organization that stores, processes or transmits cardholder data, i.e. that has a Cardholder Data Environment (CDE).
From the point of view of service delivery, the implementation and certification processes for ISO 27001 and PCI DSS are similar. Compliance plays a formal role, and an organization's actual security does not always match its compliance status. Since we are practical security specialists and white-hat hackers, we help our customers to build not only formal compliance, but also real protection against modern threats. Real security is not only a set of solutions, policies and procedures; it is also a culture of security and the secure mindset and behavior of your personnel.
Our certifications (CISSP, ISO 27001 Lead Auditor, PCI Professional, OSCP, CEH, etc.) allow us to cover both the formal and the practical aspects of security compliance and security management. When building an ISMS or security controls, we rely not only on ISO 27001/27002 or PCI DSS, but also actively use other standards and frameworks where this is appropriate or explicitly required by our customers or their partners: for example, the Information Security Forum Standard of Good Practice for Information Security (ISF SoGP), Control Objectives for Information and Related Technologies (COBIT), the Information Security Assessment of the Verband der Automobilindustrie (German Association of the Automotive Industry, VDA ISA), TISAX (Trusted Information Security Assessment Exchange) and so on.
Our approach to implementation begins with simple steps that deliver the first value to you free of charge, introduce you to the process, and let you clearly understand the essence of the implementation work and your role in it.
Scoping and prioritization
We prepare individual self-assessment questionnaires for our customers to start the assessment of the current state of the ISMS or CDE. We then define and document the scope (business processes, organizational divisions, premises, networks, sub-networks, network services, etc.) and detail the project plan for the initial audit and gap analysis.
Scope definition is crucial for both ISO 27001 and PCI DSS. Mistakes at this stage lead either to excessive implementation and maintenance work or to wrong certification outcomes (for PCI DSS, a scope that misses a system which stores, processes or transmits cardholder data invalidates the assessment). In addition, we perform an initial prioritization of tasks so that the greatest gain in real security is achieved as early as possible.
We perform this stage for you free of charge. If you then decide you are interested in working with us further, we send you a commercial offer and sign a service agreement.
Initial audit, gap analysis and detailed project planning
This stage usually takes 2 to 5 weeks, depending on the approved scope. During the initial audit, we interview the customer’s employees, verify documents, assess physical security and the network perimeter, etc.
The stage covers analysis of the initial or current state of the information security management processes and controls, the business processes and the technological processes, as well as the physical security of the premises, the personnel, the IT infrastructure, etc. Its outcome is an initial audit report, a gap analysis and a detailed schedule for implementing the ISO 27001 ISMS or the PCI DSS controls.
The implementation plan takes into account the customer’s capacity to perform part of the project tasks with its own staff.
Implementation of the security processes and operations
This stage usually takes 2 to 9 months, depending on the approved scope, the initial state, the requirements and the results of the previous stage.
This stage includes implementation of:
- security policies and risk management;
- personnel security, physical security and supplier relationship security;
- asset management and access management;
- security operations and communications;
- network and system security;
- secure system life cycle, vulnerability management and security testing;
- security event monitoring and incident management;
- business continuity and disaster recovery planning;
- security effectiveness measurement, etc.
Throughout the project, we continuously train your staff on what to do and how to do it in order to build, maintain and develop an ISMS and/or PCI DSS controls. The result of this phase is not just a set of documents and records that correspond to your actual processes, but also a new security culture in your organization and the highest degree of readiness for official certification.
Certification
The certification process usually lasts 1 to 2 months, depending on the approved scope. This stage includes selection of a certification body, a pre-audit, corrective actions and the certification audit.
First, we help you choose a certification body from a set of reputable, proven organizations, for example, one accredited by UKAS (for ISO 27001) or a reputable Qualified Security Assessor (QSA) company (for PCI DSS). We consult with the certifying organization on your behalf, inform them about the completed implementation work and obtain their preliminary agreement to proceed with certification.
Then you sign an agreement with the certification body directly. They conduct the pre-audit and identify nonconformities; there always are some, because finding them is precisely the job of a professional auditor. We then perform the corrective actions, which usually takes several days.
Finally, the certification audit is held, where we officially represent you and demonstrate what we have built for you. After that, you receive the ISO 27001 certificate or, for PCI DSS, the Report on Compliance (ROC) and Attestation of Compliance (AOC) signed by the QSA, and become officially compliant. Note that both ISO 27001 certification and PCI DSS compliance must be maintained: ISO 27001 requires annual surveillance audits and recertification every three years, and PCI DSS requires a full assessment every year.
Self-assessment of your security management system
Do you want to estimate the current maturity of your security management system? Simply count what percentage of the following documents you have in place, complete, up to date and with corresponding procedures that are actually followed.
Mandatory policies and procedures, required by ISO 27001:2013:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
Mandatory records required by ISO 27001:2013:
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
- Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3)
Commonly used documents that ISO 27001:2013 does not explicitly require, but which most certified ISMSs have (the clauses listed are those the document supports):
- Procedure for document control (clause 7.5)
- Controls for managing records (clause 7.5)
- Procedure for internal audit (clause 9.2)
- Procedure for corrective action (clause 10.1)
- Bring your own device (BYOD) policy (clause A.6.2.1)
- Mobile device and teleworking policy (clause A.6.2.1)
- Information classification policy (clauses A.8.2.1, A.8.2.2, and A.8.2.3)
- Password policy (clauses A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, and A.9.4.3)
- Disposal and destruction policy (clauses A.8.3.2 and A.11.2.7)
- Procedures for working in secure areas (clause A.11.1.5)
- Clear desk and clear screen policy (clause A.11.2.9)
- Change management policy (clauses A.12.1.2 and A.14.2.4)
- Backup policy (clause A.12.3.1)
- Information transfer policy (clauses A.13.2.1, A.13.2.2, and A.13.2.3)
- Business impact analysis (clause A.17.1.1)
- Exercising and testing plan (clause A.17.1.3)
- Maintenance and review plan (clause A.17.1.3)
- Business continuity strategy (clause A.17.2.1)
Got less than 80%? You definitely need our help!