The recently published Simplify Cybersecurity With PCI, by Heidi Shey and John Kindervag, is an interesting and valuable read. The premise is that government regulations (any of them, really) are generally obtuse and focused on ideals rather than on prescriptive how-to guidance, while the payment card industry standard (PCI DSS v2.0 in this case) is direct about which technology controls should be deployed and how. The authors present a synergy between the two that can help an organization establish a security program.
I would definitely recommend that businesses struggling to establish a security program review the concept. I would also challenge those involved in establishing and enhancing security programs to focus on their core business strategies and on an iterative cycle, rather than treating the program as a controls exercise. Ultimately I agree there are synergies as the authors describe, and I find the mapping quite insightful, but I would pair it with the cyclical nature of an ISMS (plan, do, check, act) to round out the edges and make for a more pragmatic and ultimately more effective program.
One further note: the authors hold that the PCI DSS standard is appropriate for mapping, but I would caution readers and anyone who uses PCI DSS. The standard is written for a specific set of risks (those to cardholder data) and is typically bounded by the scope of the cardholder data environment. When using it as a foundation, it is important to recognize and address these preconditions first, before building out a proper security program and, ultimately, a compliance program.
Other thoughts? I have personally done many such mappings (most recently across 134 global regulations and guidance documents) and can appreciate the value of these alignments, but each standard also carries assumptions that must be managed at the program level.