How long should an audit last?
How long do I have to pass the audit? How many attempts do I get? How long should an audit last? How long should the QSA auditors be on-site? How quickly must they release the ROC and AOC? How much time am I granted to fix the findings?
These questions come up every time an organisation sails into the mouth of PCI DSS Harbour, where its QSA is waiting.
The answer is crystal clear: the PCI SSC mandates no assessment timeline.
Organisations are free to draw up their own schedule and milestones with the QSA and, where applicable, their acquirers. This holds for the initial assessment as well as for the recurring annual ones. QSAs typically quote an 8-12 week schedule, depending on the complexity of the environment. Minor remediations can usually be accommodated within that timeline; bigger items may require going back to square one.
The major risks of an extended assessment period are:
- A change of scope: the assessment is necessarily a point-in-time exercise, but if that point in time differs materially from the environment as it stands when the AOC is issued, the attestation no longer describes reality, which is in nobody's interest.
- Falling out of compliance: an Attestation of Compliance covers a period of one year, so failing to obtain the new AOC before the current one expires leaves the organisation in a non-compliant status until the new one is issued.
Getting a PCI DSS pilot on board
To minimise the risk of failure, organisations should seriously consider hiring the services of a PCI DSS ship pilot who will guide them safely into dock.
PCI DSS ship pilots have extensive experience of PCI DSS waters and, more specifically, of on-site audits. They know how QSAs work and what evidence satisfies them.