It’s not often we can say this, but 2022 is shaping up to be an exciting time in information governance, especially for those interested in compliance and compliance frameworks.

We started the year in eager anticipation of the new version of the international standard for information security management systems, ISO 27001:2022, closely followed by version 4.0 of the PCI DSS standard. Although we are still waiting for the release of ISO 27001:2022, the release of the accompanying control guidance (ISO 27002:2022) has already shown us that the “Annex A” controls have been dramatically improved and updated.

But what has not changed is fundamentally essential for us to establish before we even begin to consider the improvements. PCI DSS is a standard that establishes a baseline of controls for protecting payment card data, while ISO 27001 specifies the requirements for an information security management system (ISMS), a framework within which an organisation decides how to protect its information. Both standards deal with technical and organisational controls, but while ISO 27001 is risk-based, PCI DSS is rule-based.

Please do not underestimate the importance of this. Organisations (and consultants) often miss this critical aspect of both standards. When we compare PCI DSS and ISO 27001, we are therefore comparing a set of baseline rules against a risk-based set of controls. PCI DSS tells you what it expects to see in unambiguous terms, while ISO 27001 expects you to determine, through your own risk assessment, what each control will look like.

With this said (and understood), let’s look at the new versions of the standards to see what improvements have been made and how they now support each other.

What we know – ISO27001

ISO 27001:2022 is set to be released in Q4 2022, but the guidance on implementing its controls, ISO 27002:2022, was released in February 2022. We therefore know in advance what the new Controls (often referred to