
PCI Newsletter #51 - PCI Audit process - Be ready for your PCI audit

2/27/2017


Would you ever take an exam without a minimum of preparation? The answer probably depends on how much you want to pass it. In its PCI DSS Compliance Report, Verizon underlines how hard it is for organizations to maintain their compliance level. The causes are multiple. With the Holy Grail in their pocket, organizations are tempted to let down their guard and turn their attention and resources to more "important and urgent" matters. Following up on the ongoing and periodic PCI controls requires dedicated resources and time, both in short supply. But in my opinion the biggest contributing factor is the absence or lack of an audit tactic and of readiness.

Audit process

An audit process encompasses the following phases:
  • Audit preparation (see further down)
  • On-site QSA audit. The QSA performs interviews and reviews the evidence
  • Report writing and delivery. The QSA writes and delivers the ROC (Report on Compliance)
  • Internal review. The organization reviews the findings and, if necessary, draws up a remediation plan
  • Remediation implementation. The organization fixes the findings
  • QSA validation. The QSA validates the fixes and hopefully delivers the Holy Grail: the AOC (Attestation of Compliance)

Audit Preparation

This phase, often shortened and neglected, includes the following activities:
  • Define the audit timeline (see details further down)
  • Validate the PCI DSS scope (together with the QSA)
  • Validate the PCI DSS compliance of third parties such as hosting providers and payment gateways (typically by obtaining their current AOC)
  • Perform an internal gap analysis / review of your compliance status against the standard
  • Fix deviations (if any)
  • Collect and document evidence. As John Adams put it: "Facts are stubborn things." Properly executed, this activity gives both the organization and the QSA strong confidence in the organization's readiness and diligence for the audit. Because it is laborious, it is often neglected. Use our "Book of evidences" for this purpose.

At the end of this phase, you should have the following ready:
  • A validated PCI DSS scope
  • Validated third-party PCI DSS compliance
  • Reviewed policies and procedures
  • Reviewed network and data-flow diagrams
  • A completed evidence book

Timing

The first element to consider in your audit tactic is TIME. Do not be stingy with your time. Give yourself sufficient slack to get ready. I recommend kicking off your audit preparation 90 days (3 months) before D-day (the first day of the QSA visit). Also allocate enough time to remediate any findings after the on-site visit. Here as well I suggest a 90-day period, with the objective of being certified at the latest 90 days after D-day (D0). This gives us 180 days to: prepare, take the audit, review the audit report, draw up and execute the remediation plan, get the fixes validated by the QSA and finally receive the long-awaited AOC.

Milestones

The durations T to Z below are agreed with the QSA; choose them so that D7 falls no later than D0 + 90 days, i.e. T + U + V + W + X + Y + Z ≤ 90. If your acquirer or the payment brands expect the new AOC before the previous one's anniversary, shift the whole schedule earlier so that D7 lands before that date.
  • D0 - 90 days: the audit preparation phase starts 90 days before the audit anniversary (the date of the latest AOC).
  • D-day (D0): the on-site audit starts at the latest on D0 and lasts a number of days agreed in advance with the QSA.
  • D1 = D0 + T days: end of the on-site audit (phew!).
  • D2 = D1 + U days: delivery of the initial audit report and kick-off of the internal review.
  • D3 = D2 + V days: end of the internal review.
  • D4 = D3 + W days: delivery of the remediation plan and its timeline to the QSA.
  • D5 = D4 + X days: remediation plan executed. Brace yourselves.
  • D6 = D5 + Y days: the QSA validates the fixes.
  • D7 = D6 + Z days: the QSA delivers the final ROC and AOC.
  • D8 = D7: Champagne! Cheering and lauding.
  • D9 = D8 + 1 day: back to work.
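To turn the milestone list above into calendar dates, here is a small planner written for this newsletter as an added example (it is not the PCI-GO PCI Calendar App and not code from the original page). It takes D0 and the phase durations T to Z, derives D0-90 through D9, and reports by how many days D7 overshoots the D0 + 90 target. The example dates and durations (EXAMPLE_D0, EXAMPLE_DURATIONS) are constructed assumptions, not a real engagement.

```python
"""Milestone planner for the PCI audit timeline (D0-90 ... D9).

Added example for this newsletter; not the PCI-GO PCI Calendar App.
EXAMPLE_D0 and EXAMPLE_DURATIONS are made-up inputs: replace them with the
dates and durations you agree with your QSA.
"""
from datetime import date, timedelta
from typing import Dict

# Budget set by the text: preparation starts 90 days before D0, and the
# final ROC/AOC (D7) should land no later than 90 days after D0.
PREP_DAYS = 90
REMEDIATION_BUDGET_DAYS = 90

# Milestones in order, with the duration symbol the text uses for each.
PHASES = [
    ("D1", "T", "end of on-site audit"),
    ("D2", "U", "initial ROC delivered, internal review starts"),
    ("D3", "V", "end of internal review"),
    ("D4", "W", "remediation plan delivered to QSA"),
    ("D5", "X", "remediation plan executed"),
    ("D6", "Y", "QSA validates the fixes"),
    ("D7", "Z", "QSA delivers final ROC and AOC"),
]

# Constructed sample input (hypothetical engagement): T+U+V+W+X+Y+Z = 85 days.
EXAMPLE_D0 = date(2017, 6, 1)
EXAMPLE_DURATIONS = {"T": 5, "U": 10, "V": 10, "W": 5, "X": 40, "Y": 10, "Z": 5}


def plan_milestones(d0: date, durations: Dict[str, int]) -> Dict[str, date]:
    """Return every milestone date keyed 'D0-90', 'D0', 'D1', ..., 'D9'.

    `durations` maps the symbols T..Z to a number of days. A missing or
    negative duration is rejected rather than silently treated as zero.
    """
    missing = [sym for _, sym, _ in PHASES if sym not in durations]
    if missing:
        raise ValueError(f"missing durations for {missing}")
    plan = {"D0-90": d0 - timedelta(days=PREP_DAYS), "D0": d0}
    current = d0
    for name, sym, _ in PHASES:
        days = durations[sym]
        if days < 0:
            raise ValueError(f"{sym} must be >= 0, got {days}")
        current += timedelta(days=days)
        plan[name] = current
    plan["D8"] = plan["D7"]                      # champagne the day the AOC lands
    plan["D9"] = plan["D8"] + timedelta(days=1)  # back to work
    return plan


def remediation_overrun(plan: Dict[str, date]) -> int:
    """Days by which D7 exceeds D0 + 90; 0 when the schedule fits the budget."""
    deadline = plan["D0"] + timedelta(days=REMEDIATION_BUDGET_DAYS)
    return max(0, (plan["D7"] - deadline).days)


def format_plan(plan: Dict[str, date]) -> str:
    """Render the schedule as one line per milestone, with the budget check."""
    lines = [f"{'D0-90':6} {plan['D0-90']}  audit preparation starts",
             f"{'D0':6} {plan['D0']}  on-site audit starts"]
    for name, _, label in PHASES:
        lines.append(f"{name:6} {plan[name]}  {label}")
    lines.append(f"{'D8':6} {plan['D8']}  champagne")
    lines.append(f"{'D9':6} {plan['D9']}  back to work")
    overrun = remediation_overrun(plan)
    lines.append("within the D0 + 90 day budget" if overrun == 0
                 else f"WARNING: D7 is {overrun} day(s) past D0 + 90")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_plan(plan_milestones(EXAMPLE_D0, EXAMPLE_DURATIONS)))
```

Run it once with the durations proposed by the QSA; if the warning line appears, negotiate shorter phases (most often X, the remediation window) or move D0 earlier rather than accepting a gap in your compliance status.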
Resources

  • EBook: PCI DSS 3.2 - That’s the Way It Is.
  • PCI DSS V3.2 Compliance Dashboard
  • PCI Calendar App - Never miss a milestone again
  • Ready to use PCI Procedures & Templates


