This document discusses integrating and auditing against multiple IT and security standards, including ISO 27001, PCI DSS, SAS 70, and ISO 20000. It outlines common requirements between the standards, differences in their bases and emphases, challenges of relying on other auditors' work, and pros and cons of an integrated audit approach.

1. Integrating Multiple IT & Security Standards a perspective from an auditee as well as an auditor Muhammad Faisal Naqvi CISSP, CISA, ISO27K LA & I, ISO20K I, AMBCI Information Security Officer Confidential

8. Common Clauses PCI-DSS v2.0 SAS 70 ISO/IEC 27001:2005 Req 12: Maintain a policy that addresses information security for all personnel. CG (7.0)-Corporate Governance E1 (1.0)-Organization and Administration (Executive Tone) CCP (2.0)-Client Contract Process CPP (2.1)-Client Provisioning Process IPP (2.2)-Internal Provisioning Process A.5 Security policy A.6 Organization of information security Req 7: Restrict access to cardholder data by business need to know SAR (10.0)-Shipping and Receiving Activities A.7 Asset management Req 8: Assign a unique ID to each person with computer access HR1 (1.1)-Organization and Administration (Human Resources) LS3 (5.2)-Logical Security (Access Removal & Termination Procedures) A.8 Human resources security

9. Common Clauses ( Cont …) PCI-DSS v2.0 SAS 70 ISO/IEC 27001:2005 Req 9: Restrict physical access to cardholder data PS2 (8.0)-Physical Security ES2 (9.0)-Environmental Security A.9 Physical and environmental security Req 1 & 2: Build and Maintain a Secure Network Req 4: Encrypt transmission of cardholder data across open, public networks Req 5: Use and regularly update anti-virus software or programs Req 10: Track and monitor all access to network resources and cardholder data NS1 (6.0)-Network Security COP (6.1)-Computer Operations A.10 Communication and operational management Req 3: Protect stored cardholder data Req 7: Restrict access to cardholder data by business need to know LS1 (5.0)-Logical Security (Policies/Procedures & Passwords/Rules) LS2 (5.1)-Logical Security (Provisioning & Access Rights) A.11 Access control

10. Common Clauses ( Cont …) PCI-DSS v2.0 SAS 70 ISO/IEC 27001:2005 Req 6: Develop and maintain secure systems and applications CCM (4.0)-Change Control Management (Client Facing) CCM (4.1)-Change Control Management (Internal) A.12 Systems development and maintenance IM (3.0)-Incident Management (Client Facing) IM (3.1)-Incident Management (Internal) A.13 Information security and incident management BCM (12.0)-Business Continuity Management ER (11.0)-Emergency Response A.14 Business Continuity Plan Req 11: Regularly test security systems and processes ES3 (9.1)-Facility Inspection and Documentation A.15 Compliance

11. Common Clauses ( Cont …) BS ISO/IEC 27001:2005 ISO/IEC 20000-1:2011 A.10.2.1 Service delivery 6.1 Service level management A.10.2.2 Monitoring and review of third party services 6.2 Service reporting A.14 Business continuity management 6.3 Service continuity and availability management 6.4 Budgeting and accounting for IT services A.10.3.1 Capacity management 6.5 Capacity management 4. Information security management system 6.6 Information security management A.6.2.2 Addressing security when dealing with customers 7.2 Business relationship management

12. Common Clauses ( Cont …) BS ISO/IEC 27001:2005 ISO/IEC 20000-1: 2011 A.6.2.3 Addressing security in third party agreements A.10.2 Third party service delivery management 7.3 Supplier management A.13 Information security incident management 8.2 Incident management A.13.2 Management of information security incidents and improvements 8.3 Problem management A.10.1.2 Change management 9.1 Configuration management A.12.5.1 Change control procedures A.12.5.3 Restrictions on changes to software packages 9.2 Change management 10.1 Release & deployment management process A.7 Asset management 4.4 Asset management