Cross-Framework Mapping

PCI DSS v4.0 vs ISO 27001:2022

See exactly how PCI DSS v4.0 controls map to ISO 27001:2022. Pre-computed mappings, identified gaps, and coverage analysis.

179 Controls Mapped | 0 Gaps Found | 86% Coverage

According to the TheArtOfService Compliance Knowledge Graph:

PCI DSS v4.0 maps to ISO 27001:2022 with 86% coverage across 54 directly mapped controls. Analysis of 63 PCI DSS v4.0 controls identifies 9 compliance gaps — primarily concentrated in Req 3 - Protect Stored Account Data.

Source: TheArtOfService Knowledge Graph | 63 controls analysed | 693 frameworks | 820K+ cross-framework mappings

Control Mappings

Showing 20 of 179 mapped controls across 12 domains. Sign up to explore all 820K+ mappings across 693 frameworks.

Req 1 - Network Security Controls (18 mappings)

PCI-1.1 Processes and mechanisms for network security controls are defined and understood (3 targets)
  • ISO27001-A.5.37 Operational procedure documentation
  • ISO27001-A.8.20 Network infrastructure security
  • ISO27001-A.8.27 Secure architecture and design principles

PCI-1.2 Network security controls are configured and maintained (2 targets)
  • ISO27001-A.8.20 Network infrastructure security
  • ISO27001-A.8.27 Secure architecture and design principles

PCI-1.3 Network access to and from the cardholder data environment is restricted (6 targets)
  • ISO27001-A.8.12 Unauthorised data exfiltration prevention
  • ISO27001-A.8.20 Network infrastructure security
  • ISO27001-A.8.22 Network segmentation and zoning
  • ISO27001-A.8.23 Internet content filtering controls
  • ISO27001-A.8.27 Secure architecture and design principles
  • ISO27001-A.8.31 Environment separation for dev, test, and production

PCI-1.4 Network connections between trusted and untrusted networks are controlled (5 targets)
  • ISO27001-A.8.12 Unauthorised data exfiltration prevention
  • ISO27001-A.8.20 Network infrastructure security
  • ISO27001-A.8.22 Network segmentation and zoning
  • ISO27001-A.8.23 Internet content filtering controls
  • ISO27001-A.8.27 Secure architecture and design principles

PCI-1.5 Risks to the CDE from computing devices connecting to untrusted networks are mitigated (2 targets)
  • ISO27001-A.6.7 Secure remote and hybrid working
  • ISO27001-A.8.20 Network infrastructure security

Req 10 - Log and Monitor (2 mappings)

PCI-10.1 Processes for logging and monitoring access are defined and understood (2 targets)
  • ISO27001-A.5.37 Operational procedure documentation
  • ISO27001-A.8.16 Continuous activity and anomaly monitoring


Plus AI-powered gap analysis, compliance advisory, PDF exports, and cross-mapping for all 693 frameworks.


Free forever — no credit card required

Stop Paying Consultants to Read Spreadsheets

AI-powered compliance intelligence across 693 frameworks — at a fraction of consulting costs.

$0/forever

Free

  • 693 framework browser
  • Cross-framework mappings (820K+)
  • 824 compliance assessments
  • 3 AI queries & searches per day
$49/month

Professional

  • Unlimited AI Compliance Advisory
  • Unlimited full-text search
  • Framework self-assessment
  • PDF, Excel & CSV exports

What are the key differences between PCI DSS v4.0 and ISO 27001:2022?

PCI DSS v4.0 has 63 controls across its framework, while ISO 27001:2022 covers 95 controls. Direct mapping analysis identifies 54 overlapping controls (86% coverage). The frameworks diverge most significantly in Req 3 - Protect Stored Account Data, where 4 PCI DSS v4.0 controls have no direct ISO 27001:2022 equivalent.

How many controls map between PCI DSS v4.0 and ISO 27001:2022?

Of 63 total PCI DSS v4.0 controls, 54 map directly to ISO 27001:2022 controls — representing 86% coverage. The remaining 9 controls represent compliance gaps requiring additional documentation or compensating controls to satisfy both frameworks simultaneously.

What are the compliance gaps when mapping PCI DSS v4.0 to ISO 27001:2022?

9 PCI DSS v4.0 controls have no direct equivalent in ISO 27001:2022. The highest concentration of gaps is in Req 3 - Protect Stored Account Data with 4 unmapped controls. These gaps represent areas where additional controls, policies, or documentation must be created to achieve compliance with both frameworks.

Which control domains have the most gaps between PCI DSS v4.0 and ISO 27001:2022?

The domain with the highest gap count is Req 3 - Protect Stored Account Data (4 gaps). Export the full domain-by-domain gap breakdown via the Professional tier to generate a prioritised remediation roadmap.

This platform provides educational compliance tools, not legal, regulatory, or professional compliance advice. Cross-framework mappings are AI-assisted interpretations and do not reproduce or replace official standards. Framework names and trademarks belong to their respective owners. Consult qualified professionals for your specific compliance requirements. See our Terms of Service.