@Rich
ISO 9001 is a Quality Management System (QMS), not a Quality Standard. Just like ISO 27001 is an Information Security Management System (ISMS), not a Security Standard. The ISMS is part of an overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. It has 133 controls defined in Annex A, which is the normative reference for control objectives and controls.
The 133 controls are the beginning of your summary of controls. These 133 controls are just a starting point; you may need to add more controls to build your catalog of controls.
PCI DSS does make great strides at addressing the inherent risk of maintaining card holder data. I would like to hear an argument from an organization that has implemented PCI DSS without reducing its residual risk. Residual risk should be used as a key performance indicator (KPI) for measuring the relevance to security, not the individual incidents.