Frequently asked differences
ISO 9001 is a management system standard for a quality management system, whereas ISO 27001 is for an information security management system. The eventual output of ISO 9001 is customer satisfaction, whereas for ISO 27001 it is information risk reduction. The only common area is the existence of a document management system and the spirit of plan-do-check-act.

ISO 9001 is a fairly general standard focusing on quality management systems for all types of organizations, whereas ISO 20000 is purely about IT service quality. Domains such as configuration management have no ISO 9000 equivalent. Organizations choosing to implement ISO 9001 for IT departments should choose ISO 20000 instead, as the latter provides a better return on investment. The concepts of 'quality' and 'customer satisfaction' are generic objectives that exist in both; the principle of plan-do-check-act is common to all management system standards.

ISO 20000 focuses on the quality of IT service delivery, whereas ISO 27001 focuses on information (including IT) risks, especially vulnerabilities and their controls. ISO 20000 has components of IT service risk, and one of its key domains is information security.

The definition of information in PCI DSS is any card information that is 'stored, processed, and transmitted' in the client environment. The definition of information in ISO 27001 is 'anything that has a business value'. At the network layer, PCI DSS principles are fairly well covered in ISO 27001. Both standards refer to continual improvement.

SSAE 16 implementation can be partly demonstrated by ISO 27002/ISO 27001. A certified ISO 27001 organisation can definitely achieve faster SSAE 16 compliance.

BS 25999 is more holistic, whereas ISO 27001 is more about information infrastructure. BS 25999 ensures that your 'cash generating' functions are up and running at the earliest in case of a disaster. Both standards have risk assessment as a common point, but the objectives are different: ISO 27001 focuses on removing vulnerabilities whose exploitation can result in an incident, whereas BS 25999 focuses on restoration vulnerabilities, such as not having a plan in place.

BS 25999 is about business services, whereas ISO 20000 is about IT services. In the implementation of one standard, the journey of continuity readiness or continuity capability is built, which reduces the project effort of implementing the next standard.

For the subject of business continuity, BS 25999 is more holistic, whereas ISO 24762 is focused on the specifics of ICT recovery capability. One of the key domains of BS 25999 is "Developing and implementing BCM response". One of the responses an organisation may have is a hot, warm or cold site; when an organisation has chosen one such option, ISO 24762 acts as a good reference point for implementation.

The scope of PCI DSS is based on the existence of card data in the organisation's network: if you accept, transmit or store any cardholder data, PCI DSS is applicable. Control objectives on the network and associated IT infrastructure policies can be demonstrated as evidence of compliance for both standards. Implementing one can speed up implementing the other, provided the scope of the organisation's requirement is identical.
Differences between standards
Information reflects the opinions of Probal Choudhuri (Founder - CEO), Coral eSecure. The reader should understand the differences in the context of a macro analysis rather than a micro analysis. Please do not hesitate to write to him at pc@coralesecure.com.
Disclaimer: Coral does not guarantee the accuracy of the above listed information, as it is subject to regular change. Coral shall not be held responsible for any action taken resulting in loss due to reference to the information made herein. Some of the interpretations involve the opinions of Coral consultants and their experience, which results from several years of consulting, implementation and training. There can be situations where readers disagree with such opinions.

What is the difference between ISO 9001 and ISO 27001/ISO 27002?