This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution.
If you would like additional information or assistance with the customization and implementation of a balanced risk
management process for your security program then please contact Mark @ 604-349-6557 or email@example.com
This document compares the ISO/IEC 27001 cybersecurity framework with PCI DSS. PCI DSS specializes in
protecting cardholder information. The following matrix compares the two frameworks at the control point
level; control points are designed to mitigate known risks. At a glance, the total control points in use
are 210 and 222 respectively. On closer comparison, ISO/IEC 27001 is the more mature framework.
Acting like a true matrix, many of the control points do not apply to only a single information risk
area but work together as a web of cybersecurity protection. The internationally accepted ISO/IEC
27001 represents only the minimum standard for an effective information security program; based on a
formal risk assessment, the level of security can be raised wherever that is justifiable. What is
completely missing from PCI DSS is the management system.
Clause 4. Context of the organization: 8 control points
Clause 9. Performance evaluation: 29 control points
Control points: 148
What is missing from PCI DSS? The entire ISO/IEC 27001 management system, clauses 4 to 10, which
makes up the 148 control points listed below.