ISO 27001 and PCI-DSS are two of the most widely demanded compliance standards in enterprise technology. ISO 27001 provides a comprehensive framework for managing information security across the entire organisation, while PCI-DSS focuses specifically on protecting payment card data. Many organisations need both — and the good news is that significant control overlap means a coordinated implementation saves time and cost.
This roadmap walks through the practical steps of achieving compliance with both standards, based on our experience guiding regulated organisations through successful certifications.
Understanding the Standards
ISO/IEC 27001:2022
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It requires organisations to:
- Systematically examine information security risks, considering threats, vulnerabilities, and impacts.
- Design and implement a coherent set of controls to address those risks.
- Adopt an overarching management process to ensure controls remain effective over time.
The 2022 revision reorganised Annex A into 93 controls across four themes: Organisational (37), People (8), Physical (14), and Technological (34). New controls include threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking.
PCI-DSS v4.0
PCI-DSS is a set of security standards for organisations that handle branded credit cards. Version 4.0 (mandatory from 31 March 2025) introduces:
- Customised approach — Allows organisations to meet objectives using alternative controls, provided they demonstrate equivalent security.
- Enhanced authentication — MFA required for all access to the cardholder data environment (CDE), not just remote access.
- Continuous compliance — Emphasis on security as a continuous process, not an annual audit exercise.
Phase 1: Scoping (Weeks 1–4)
ISO 27001 Scoping
Define the boundaries of your ISMS:
- Which business processes, locations, and technologies are in scope?
- What are the internal and external issues relevant to the ISMS (Clause 4.1)?
- Who are the interested parties and what are their requirements (Clause 4.2)?
Tip: Start with a scope that is achievable. Many organisations begin with a specific division or product, then expand.
PCI-DSS Scoping
Map the cardholder data environment (CDE):
- Where is cardholder data (CHD) and sensitive authentication data (SAD) stored, processed, or transmitted?
- What systems, people, and processes touch CHD?
- Can you reduce scope through network segmentation, tokenisation, or outsourcing to a PCI-compliant payment processor?
Tip: Scope reduction is the single most impactful cost-saving measure in PCI-DSS compliance. If you can tokenise CHD so it never touches your systems, your scope shrinks dramatically.
Phase 2: Gap Assessment (Weeks 3–8)
Assess your current state against each standard's requirements:
- Document review — Collect existing policies, procedures, network diagrams, asset inventories, and previous audit reports.
- Control-by-control assessment — Rate each ISO 27001 Annex A control and each PCI-DSS requirement as Implemented, Partially Implemented, or Not Implemented.
- Vulnerability and penetration testing — Required by both standards. Engage a qualified assessor or internal team.
- Staff interviews — Verify that documented processes are actually followed in practice.
The output is a gap report with prioritised findings, estimated remediation effort, and a recommended timeline.
Phase 3: Remediation and Implementation (Weeks 6–24)
This is where the real work happens. Key workstreams include:
Policies and Documentation
- Information Security Policy (mandatory for both ISO 27001 and PCI-DSS).
- Risk assessment and treatment methodology (ISO 27001 Clause 6.1).
- Statement of Applicability (SoA) listing all 93 ISO 27001 controls and justification for inclusion/exclusion.
- Access control policy, acceptable use policy, incident management procedure, change management process.
- PCI-DSS-specific: CDE network diagram, data flow diagrams, encryption key management procedures.
Technical Controls
- Access control — RBAC, MFA, privileged access management, quarterly access reviews.
- Encryption — Data at rest (AES-256) and in transit (TLS 1.2+). For PCI-DSS: strong cryptography for CHD storage and transmission.
- Logging and monitoring — Centralised logging, SIEM integration, alerting on security events. PCI-DSS requires log review at least daily.
- Network security — Firewall configuration, segmentation, intrusion detection, wireless security.
- Vulnerability management — Regular scanning (at least quarterly for PCI-DSS), timely patching, and penetration testing (at least annually).
- Endpoint protection — Anti-malware, EDR, device encryption, mobile device management.
People and Awareness
- Security awareness training for all staff — both standards require it.
- Role-specific training for developers (secure coding), system administrators (hardening), and incident responders.
- Background checks for personnel with access to sensitive data.
Phase 4: Internal Audit and Management Review (Weeks 20–26)
ISO 27001 requires:
- Internal audit — An independent review of the ISMS. The auditor must be objective (cannot audit their own work). Address any nonconformities before the certification audit.
- Management review — Top management formally reviews the ISMS performance, resource adequacy, and improvement opportunities. Document the minutes and decisions.
PCI-DSS requires a similar self-assessment (SAQ) for smaller merchants, or a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) for larger organisations.
Phase 5: Certification and Ongoing Compliance (Weeks 24–30+)
ISO 27001 Certification Audit
The certification audit has two stages:
- Stage 1 (documentation review) — The certification body reviews your ISMS documentation, Statement of Applicability, risk assessment, and internal audit results. They identify any areas of concern before the on-site audit.
- Stage 2 (on-site audit) — Auditors verify that the ISMS is implemented and effective. They interview staff, review evidence, and observe processes. Any major nonconformities must be resolved before certification is granted.
Certification is valid for 3 years, with annual surveillance audits.
PCI-DSS Validation
Depending on your merchant level:
- Level 1 (>6M transactions/year) — Annual ROC by a QSA + quarterly ASV scans.
- Levels 2–4 — Self-Assessment Questionnaire (SAQ) + quarterly ASV scans.
Control Overlap Between ISO 27001 and PCI-DSS
Approximately 60–70% of controls overlap between the two standards. Key shared areas include:
- Access control and authentication (Annex A.5, A.8 / PCI Req. 7, 8)
- Encryption (A.8.24 / PCI Req. 3, 4)
- Logging and monitoring (A.8.15, A.8.16 / PCI Req. 10)
- Vulnerability management (A.8.8 / PCI Req. 6, 11)
- Incident management (A.5.24–5.28 / PCI Req. 12.10)
- Security awareness (A.6.3 / PCI Req. 12.6)
- Physical security (A.7 / PCI Req. 9)
By implementing these controls once to satisfy both standards, you avoid duplication and reduce audit fatigue.
How Aydahwa Enterprise Can Help
Aydahwa Enterprise has guided organisations across banking, fintech, healthcare, and telecoms through successful ISO 27001 certifications and PCI-DSS assessments. Our compliance services include:
- Gap assessments mapped to ISO 27001:2022 and PCI-DSS v4.0.
- ISMS design and documentation.
- Technical control implementation and hardening.
- Internal audit services.
- Pre-certification readiness reviews.
- Ongoing compliance management and annual surveillance support.
Contact our compliance team to discuss your certification roadmap.
