by tptacek 1071 days ago
Additional color commentary:

27001 is Euro-SOC2. Technically, 27001 is a certification, and SOC2 is just an attestation --- there is an external ground truth that 27001 is matching security programs to, where SOC2 is just validating internal consistency. But the subject matter is the same and they're generally thought of as equivalents for each other, with 27001 being the more rigorous.

Ironically, COBIT is the IT-focused equivalent of COSO --- in other words, it's the ostensibly more technical set of controls. But SOC2 keys off of COSO, and is audited by accountants, so practitioners are more likely to have experience with the fuzzier COSO controls.

PCI-DSS is an industrywide joke; it's a checklist audit performed by race-to-the-bottom consultancies, which have invariably PCI-certified all of the most egregious payment card breach shops since PCI was standardized. Ironically, as bad as PCI is, it's the controls standard that has probably had the most practical impact, because of how prescriptive it is, and how rote the audits have become. Its impact is still malign!


I had a PCI shop try to make us turn _off_ 2FA because it's not required for our certification level.

Worked at a bank for years. So many things we wanted to do to really get our firewall policies modern and more actionable for the SOC. Layer 7 enforcement, user-based policies, deduplication of rules, more aggressive cleanup.

Things needing to be done a certain way for the auditors was a major hamper in our processes.

I'm now consulting and I have seen people do changes to their policies in such strange ways because they have to jump through ridiculous hoops for their industry regulator.

Yes. I've come to believe that much of the skill involved in doing security compliance work is in managing (strangling) down the scope of the framework, and almost none of it is in using the framework to inform and improve real security practices. This is what I mean when I keep saying here that these frameworks are not a "good first step". If you don't actually have to engage with them, because your customers aren't demanding it, you should actively avoid them and use that precious time to build a real security practice.

Agree 100% with this and your other comments. These frameworks often create risks by obscuring reality behind procedure. Sucking up all the air that would go towards more direct security objectives. Businesses think they are done with cybersecurity because they are done with the checklist. Believing we are safe because a non-technical auditor said so can be a risky spot. Especially if that is used to overrule subject matter experts.
> PCI-DSS is an industrywide joke; it's a checklist audit performed by race-to-the-bottom consultancies

We ended up with consultants from a former Eastern European country that charge less per hour than local cashiers make (which is NOT a statement on the quality of said consultants).

I (irregularly) deal with PCI-DSS and never ever felt so close to quitting my job and becoming a full-time lawn mower.