Security at KDS, an American Express Global Business Travel company

ISO 27001

The international standard ISO 27001 sets out the requirements for establishing an information security management system (ISMS). It is intended for any type of organisation that wishes to gain and maintain the confidence of its stakeholders in the management of its information security. Such a system requires establishing security objectives, implementing the means to achieve them, measuring the effectiveness of these means in achieving the objectives, and continuously improving them.
It is a guarantee that the security objectives are not just promises, but that everything is done to achieve them.
Certification to ISO 27001 requires an audit by an independent certification body, which verifies the conformity of the ISMS to ISO 27001 and its effectiveness in achieving the security objectives. A certificate is issued for a period of three years and renewed every three years; audits are conducted annually in between to verify the health of the ISMS.

Access the ISO 27001 certificate
Access the ISO 27001 top-level information security policy

PCI DSS

The payment card industry requires all actors that process, transmit or store payment card data to be PCI DSS compliant. This standard specifies a set of organisational and technical security measures that must be implemented across the entire perimeter of machines that can affect the security of payment card data. PCI DSS thus covers the areas of network security, encryption of card data, vulnerability management and secure development, access control, monitoring and security testing.
The number of card transactions determines how PCI DSS compliance is assessed. For KDS, the PCI DSS compliance assessment requires an audit by a Qualified Security Assessor, who writes a report on KDS’s compliance and produces a certificate of compliance annually.