ISO 27001 is a broad ISMS covering any information asset. PCI DSS is narrow and contractual — if you store, process or transmit card data, the card brands (Visa, Mastercard, AmEx, Discover, JCB) require PCI DSS.
ISO 27001 applies to any organisation managing sensitive information, not just card data.
PCI DSS applies to merchants, service providers and payment processors that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD).
All ten dimensions head-to-head:
| Aspect | ISO 27001 | PCI DSS |
|---|---|---|
| Scope | Entire ISMS, any information | Cardholder data environment (CDE) only |
| Mandatory? | Voluntary | Contractually mandatory for card-data handlers |
| Issuer | ISO/IEC | PCI Security Standards Council (Visa/MC/Amex/Discover/JCB) |
| Output | Certificate | Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ) |
| Levels | Single certification | Level 1–4 by transaction volume |
| Assessor | Auditor from an accredited certification body (CB) | Qualified Security Assessor (QSA) for a ROC; self-assessment or Internal Security Assessor (ISA) for an SAQ |
| Frequency | Annual surveillance audits, full recertification every three years | Annual ROC/SAQ plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) |
| Specificity | Risk-based, organisation-defined controls | Prescriptive (12 requirements, ~300 sub-requirements) |
| Cost (SME) | £15k–£40k | SAQ: free–£5k; ROC: £20k–£100k+ |
| Overlap | ~40–60% with PCI DSS controls | ~40–60% with ISO 27001 Annex A |
Choose ISO 27001 when your buyers ask for it; you don’t handle card data; or you want a holistic ISMS.
PCI DSS is not a choice: it is mandatory if you store, process or transmit cardholder data in any way.
If you process card data you need PCI DSS regardless. Adding ISO 27001 strengthens your broader ISMS, satisfies non-PCI buyers, and reuses ~50% of the same controls.
PCI DSS is not a law. It is a contractual standard imposed by the card brands through acquiring banks; non-compliance can lead to fines and loss of card-processing rights, but it is not statutory.
An SAQ (Self-Assessment Questionnaire) is the simplified validation route for merchants below Level 1 and for eligible service providers. The SAQ type (A, A-EP, B, C, D and others) depends on how card data is handled; for example, SAQ A applies only when all card data handling is fully outsourced to PCI DSS compliant providers.
The current version, PCI DSS v4.0, adds a customised approach alongside the traditional defined approach, requires MFA for all access into the cardholder data environment, treats compliance as a continuous process rather than a point-in-time exercise, and expands the definition of what is in scope for the cardholder data environment.
ISO 27001 certification cannot substitute for PCI DSS compliance. The overlap between ISO 27001 Annex A and the PCI DSS requirements does, however, reduce the additional effort significantly.
Both standards have free interactive gap-analysis tools — no sign-up, no install.