Once the committee is selected, its members should be assigned distinct roles. One of the most critical roles is a dedicated project manager. Having a project manager on your PCI DSS compliance committee is critical for continuous compliance and for minimizing the “fire drills” you may otherwise encounter during annual PCI compliance validation or quarterly internal reviews. Ongoing compliance requires centralized coordination of numerous resources, actions, projects, and people. The project manager should collect, collate, and store the evidence that demonstrates how ongoing PCI security controls operate effectively and continuously.
Building a common internal controls framework is the key to simplifying annual PCI DSS compliance certification. Organizations often have to comply with multiple frameworks. Building a framework crosswalk allows you to map each control to several frameworks at once and to reduce or eliminate redundant testing. The committee project manager can lead the process of identifying which control frameworks to include in the crosswalk. The most commonly combined frameworks are PCI DSS, NIST CSF, and ISO 27001. An effective crosswalk allows you to test more efficiently and reduces audit fatigue.
Mapping your common control framework is a powerful exercise. Using purpose-built software like AuditBoard’s integrated compliance management solution, organizations streamline framework gap assessments and easily create a standard controls framework to avoid redundant testing.