You can’t pass an audit without thorough preparation, and you can’t be effectively prepared without a clear understanding of what the auditors expect and without having drilled your team in the audit process. The reader will refer to our PCI Newsletter #51 for details on the audit preparation phase. This newsletter discusses the auditor expectations and the content of a dry-run exercise.
Auditor expectations
Whenever QSAs take on an engagement, their ultimate goal is the delivery of a ROC (Report on Compliance). All QSAs confess that writing this report is a cumbersome and tedious task, whose purpose is to document the following evidence:
- Evidence of implementation of all applicable requirements
- Evidence you are in full control of your environment and responsibility areas
- Evidence you abide by your procedures and maintain the documentation under your responsibility.
Have your evidence handy
Avoid uncomfortable situations like « Oh well, I will see if I can get you this evidence… Not sure where to look for it, but… » or « I’m not sure I understand… ». My best advice here is to harvest all evidence beforehand. Having this evidence handy is definitely the right approach to build the auditors’ confidence and validate your readiness. I’ve built the following template to support this evidence collection process: The Book of Evidences.
About the evidence freshness
Auditors are very fond of fresh evidence (not older than 2-3 months), so you should be ready to regenerate it on the spot.
Dry-Run execution
There is no better way to spot glitches in your readiness than pushing your team through a dry-run audit. A dry-run can be considered a formal dress rehearsal in which the PCI advisor/coordinator, acting as the auditor, strenuously interviews each PCI team member on their role and requests the evidence under their responsibility. This process always pays off. People are not prepared to face the auditor’s questions, such as « Oh, just one more thing, sir, could you also show me… ». The dry-run process teaches them the auditor’s language, takes them through the type of questions they can expect, and shows them how to avoid dead-end situations.
Last recommendations before audit
Here are my last recommendations to the team before the audit.
- BE PREPARED, BE PREPARED and BE PREPARED
- BE acquainted with the CONTENT of the procedures associated with YOUR roles. YOU MUST BE ABLE TO PRESENT AND EXPLAIN THOSE PROCEDURES
- BE acquainted with the CONTENT of the security policies. YOU MUST BE ABLE TO PRESENT AND EXPLAIN THE POLICIES ASSOCIATED WITH YOUR ROLE
- BE acquainted with the CONTENT of the security/PCI awareness sessions.
- BE acquainted with the CONTENT OF the software development life cycle (ONLY FOR developers and testers)
- BE familiar with the evidence associated with your role. Use the Book of Evidences as support.
- Introduce yourself with your roles and responsibilities for the topic addressed
- Have all your support materials handy.
- IF asked to demonstrate / show something, describe what you are doing to keep active communication with the auditors.
- Whenever possible perform an ONLINE / LIVE demonstration, as it helps to increase the auditors’ confidence.
- ALWAYS provide clear and straight answers to questions BUT keep your tongue under control. Should the auditors require more information, wait to be asked.
- Be structured in your presentation and responses.
- Use the language level you would adopt with a six-year-old child. Avoid terminology that would not be familiar to the auditors, or explain it.
- For documents under your responsibility (standards, procedures, policies), state clearly that those documents are regularly reviewed and updated to reflect changes.
- REHEARSE ONE MORE TIME on your side.