We often get asked ‘how will your toolkit support my compliance project?’ and responding with ‘it just will’ isn’t much of an answer. So, when our QSA came into the office last month we thought we’d ask how he uses the toolkit to help his on-site clients.
The PCI DSS Documentation Toolkit is ideal for any small or medium-sized business that deals with payment card data because it lets you take advantage of QSA knowledge and guidance to accelerate your PCI DSS compliance project. It’s basically a shortcut through the documentation, with extra features to streamline the rest of the process.
For any PCI DSS project, you first need to establish the scope: the cardholder data environment (every system that stores, processes or transmits cardholder data, plus anything connected to it) and the perimeter around it. Working out the scope also requires a gap analysis, which shows how far your current controls are from the requirements, gives the project a direction and lets you plan the initial stages.
Our customers buy the toolkit because they want to carry out the project themselves and reduce the associated costs. To support this, the toolkit includes guidance on scoping your project and a gap analysis tool, which together help an organisation to set the perimeter and identify what falls within scope.
The outputs of your gap analysis determine the steps you take next, so the project starts in the right direction. Use the Document Checker included in the toolkit to filter those outputs and identify which policies and clauses you need to address.
Following that, identify any policies and procedures you already have in place, and then work out what you still need to develop.
Our toolkit caters for all those eventualities. Use the Document Checker to select the appropriate policy from the toolkit and edit it to best reflect your environment. It’s not a case of ‘I’ve filled in our company specifics, we’re done’ – you still need to make sure the template is fit for your purposes.
On average, 50% of our policies are used on every engagement. That equates to 15 or 16 policies that the client would otherwise need to draft, taking approximately seven full days of writing, with hurdles such as:
- Meeting requirements
- Information gathering
- Validation checks
Depending on the size of the organisation, several people may need to check the work produced, and the organisation would need to dedicate someone for weeks to create and implement a PCI DSS project from scratch.
The PCI DSS Documentation Toolkit gives you all the tools and document templates you need to comply with the PCI DSS. It also establishes the foundations of an information security management system (ISMS) that can be developed into a full ISMS, and can be fully integrated with our ISO 27001 ISMS Documentation Toolkit.