Compliance or Conformity

Compliance is not security, or is it? There is a view, largely anecdotal, that compliance is not security; to be more precise, that it is not information or cyber security. For those familiar with the standard, ISO/IEC 27001:2013 (information security management systems, requirements) asks organisations seeking certification to conform to its requirements. The Payment Card Industry (PCI) security standards, for example the Data Security Standard (PCI DSS), on the other hand require compliance. Conformity or compliance: in both cases the aim is much the same, namely security in the context of information and cyber security, achieved by ensuring that important data assets are protected (specifically cardholder data for PCI DSS, and ‘other’ sensitive and critical information/data for ISO/IEC 27001:2013). Having generalised with the word ‘other’ for 27001, in truth if cardholder data were in scope then ‘other’ would include cardholder d...