Information security is a crucial priority for many of today’s businesses regardless of their size. To ensure that sensitive customer information is shielded from internal vulnerabilities and external attack, several systems of compliance benchmarks have been developed. Two of the most well-known are Payment Card Industry Data Security Standards (PCI DSS) and the International Organization for Standardization (ISO) 27001.
What is PCI DSS compliance?
The PCI DSS was developed by a consortium of the main players in the credit card industry. All companies that transmit, process or store credit cardholder data are required to comply with these standards. That being said, merchants are assigned to different compliance levels depending on the volume of credit cards they process annually. PCI DSS involves complying with 12 requirements and an added annex. Altogether, there are over 200 controls that are designed to protect customers’ credit card data. In brief, these include:
Presence and maintenance of a security firewall;
System passwords and other security parameters have been changed from vendor defaults;
Stored cardholder data is protected;
All data that is transmitted over public networks is encrypted;
All systems are protected against malware and viruses, with security software upgraded regularly;
Systems and applications are secure; Access to cardholder data is restricted only to those who need it;
Access to system components must be identified and authenticated; Physical access to cardholder data is restricted;
Access to system resources and cardholder data is monitored;
Security systems and protocols are tested regularly;
System security policies are in place; and
Third-party hosting providers must also protect cardholder data.
One size does not fit all when it comes to pci compliance cost. Variables that affect what you pay include:
The size and type of your business, which influences your risk level and the amount of cardholder data you handle;
Your organization’s security culture, particularly the importance upper management places on data safety;
Your company’s IT environment, including network design, technologies used, types of systems and mobile devices in your system;
The number of internal and external staff dedicated to PCI compliance; and
Whether your acquirer bank pre-pays for part or all of PCI Compliance.
The full compliance suite generally contains a self-assessment questionnaire (SAQ), vulnerability scanning, training and policy development and remediation. PCI certification cost anywhere from $300 or more for a small business to up to $70,000 for a very large organization. Although tiny companies may find it unnecessary and not cost-effective, larger entities often benefit from the services of a qualified security assessor (QSA). Although these can cost $15,000 annually, many businesses find it to be worth the price when compared to what they would have to pay in the event of a data breach.
What is ISO 27001 compliance?
Like PCI DSS, ISO 27001 is a set of standards designed to help companies keep their data secure. However, ISO 27001 is an international standard that is recognized around the world. Although implementing it is not mandatory, this suite of requirements can be used by any organization that has an information security management system (ISMS). In simple terms, ISO 27001 has seven requirements:
Context. Understand all factors that affect information security; identify all stakeholders and what each needs; and specify all who interface with or depend on the organization for security protection.
Leadership. Establish how management propose to protect information; institute a policy that spells out the vision; specify the roles, responsibilities and authorities for security enforcement.
Planning. Explain how the security scenario will be implemented, including identifying and mitigating risks and attaining objectives.
Support. Describe how leadership’s plans for security implementation will be supported. This includes resources, skills, awareness both of security plans and the consequences of noncompliance, communications and documentation.
Operation. Security and risk reduction plans must be implemented. This includes specifying tracking and documentation and ensuring that security risk assessments are conducted, documented and implemented.
Evaluation. In this stage, the company assesses how well its risk management and security measures are performing. This involves establishing metrics for monitoring, measuring, analyzing and evaluating security systems, conducting internal audits for ISO 27001 compliance and establishing a process allowing management to review the effectiveness of the security and risk management procedures.
Improvement. In this stage, gaps and vulnerabilities are rectified. It includes identifying issues, finding their root causes and taking corrective action and continuing to make improvements to ensure that information security management is effective, appropriate and reasonable.
Successful implementation of the seven business processes will lead to ISO 27001 compliance.
You can expect an ISO 27001 audit cost to vary according to several factors:
The size of your company and the scope of the certification;
Current compliance level of your ISMS;
Gap between where you are and where you want to be in terms of your ISMS control environment;
Your company’s internal ability to close these gaps; and
How quickly you need the certificate.
Although there is no hard and fast number for ISO 27001 certification cost, an average company with 75 employees who needs certification within 12 months and requires ISO 27001 consulting to achieve objectives should expect to pay somewhere around $48,000 for the first year with an internal surveillance audit ($7500) in years two and three and ISMS audits ($7000) annually.
When it comes to information security, every company is unique. Take some time to assess your own needs to discover which type of compliance is right for you. After a thorough evaluation of internal systems, needs and goals, many organizations actually decide that PCI DSS and ISO 27001 are complementary, electing to implement both.