Audits are commonly used to ensure that an activity meets a set of defined criteria. For all ISO management system standards, audits are used to ensure that the management system meets the relevant standard’s requirements, the organisation’s own requirements and objectives, and remains efficient and effective. It will be necessary to conduct a programme of audits to confirm this.
Internal audits, as the name would suggest, are those audits carried out by the organisation’s own resources. If the organisation does not have competent and objective auditors within its own staff, these audits can be carried out by a contracted supplier. These are often referred to as “2nd party audits” since the supplier acts as an “internal resource”.
The term “external audits” most commonly applies to those audits carried out by a certification body to gain or maintain certification. However, the term may also be used to refer to those audits carried out by other interested parties (e.g. partners or customers) wishing to gain their own assurance of the organisation’s ISMS. This is especially true when such a party has requirements that go beyond those of the standard.
PCI DSS audit
A PCI DSS audit is a detailed examination of the security of an organization’s credit-card processing system. A PCI QSA audit consists of both on-site and off-site activities and is performed by a Qualified Security Assessor (QSA), who evaluates an entity’s payment and credit card security implementation against the PCI DSS standard.
Infosec Assessors Group provides the PCI DSS audit service, as accredited by the PCI SSC.
PCI QSA auditor
Published in March 2022, the new version 4.0 of the PCI Data Security Standard (PCI DSS) replaces version 3.2.1 to address emerging threats and technologies and to enable innovative methods of combating new threats.
Level 1 Service Providers that store, transmit, or process more than 300,000 credit card transactions annually.
Level 1 Merchants that store, transmit, or process more than 6,000,000 credit card transactions annually.
Any other entities required by their acquirer (regardless of annual transaction volume).
On-site Annual Security Audit
A detailed on-site assessment is provided by a PCI SSC certified QSA (Qualified Security Assessor) or by a certified ISA (Internal Security Assessor). The audit is a detailed review of an organization’s card data environment that results in a RoC (Report on Compliance) and an AoC (Attestation of Compliance).
External Vulnerability Scan PCI ASV
External network vulnerability scanning is conducted quarterly by a PCI SSC Approved Scanning Vendor (ASV) against all Internet-facing system components that are part of, or provide a path to, the cardholder data environment.
Kickoff and Planning
The kickoff is considered the start of the engagement, after the agreement is executed. We will discuss the certification process, identify the points of contact from both organizations and the timelines for the assessment, define a project roadmap and plan the next steps.
In the preparation phase, we offer a tailored support approach. It can consist of:
PCI DSS training/workshop – the QSA auditors dedicated to the project will conduct the training at an early stage and explain all requirements of the PCI standard, which leads to a better understanding of the process and proper preparation for formal validation.
PCI DSS scoping – a closer look at network segmentation and at the inclusion of, and dependency on, any third party or outsourcing.
Pre-Assessment or full Gap Assessment. The pre-assessment consists of interviews, reviews of documentation and a broad walk-through to identify gaps and provide recommendations. The Gap Analysis is a more detailed process: we conduct an “as-is” assessment of your organization to identify gaps in security controls, systems, documentation and the environment against all PCI DSS requirements. The Gap executive summary includes all identified discrepancies and the necessary recommendations for action.
Remediation/Advisory Support. Advisory support for mitigating gaps and collecting evidence, including for software development.
Once all controls are confirmed to be in place, the on-site assessment will begin. This is the formal process in which an accredited auditor conducts the formal assessment against all requirements.
The report will be provided within 3 weeks of the last day of successful completion (when all required documents have been delivered and collected by the QSA).
The deliverables include:
PCI DSS RoC – Report on Compliance
PCI AoC – Attestation of Compliance
After your successful certification, we provide continual assistance in the ongoing maintenance of your organization’s compliance: we will provide and discuss changes to the security standard itself, and explain and assist with emerging issues and questions.