Implementing PCI DSS from Scratch: Part 11 — Pre-Assessment Checklist & Evidence Collection

You’ve built the controls. You’ve trained your people. Now it’s time to prove it.

Whether you're completing a Self-Assessment Questionnaire (SAQ) or preparing for a QSA-led Report on Compliance (RoC), this phase is all about evidence.

PCI DSS is not about what you say — it’s about what you can show.


✅ What Is the Pre-Assessment Phase?

This is the stage where you:

  • Finalize your scope
  • Validate that controls are in place and effective
  • Gather the documentation and artifacts needed to support each requirement
  • Ensure everything is audit-ready — before the audit begins

Think of it as internal QA before the external assessment.


🧾 What You’ll Need to Prepare

Here’s a practical checklist to guide you:

🔹 1. Scope Confirmation

  • Final CDE boundary diagram
  • Data flow diagrams
  • Network topology maps
  • Inventory of in-scope systems, applications, and users

🔹 2. Policies and Procedures

  • All applicable policies (see Part 10)
  • Evidence of review and approval (within 12 months)
  • Documented procedures showing how controls are implemented

🔹 3. Security Control Evidence

  • Firewall and ACL configurations
  • Encryption key management processes
  • Antivirus configurations and logs
  • System hardening baselines

🔹 4. Access and Authentication

  • User access reviews
  • MFA implementation documentation
  • Password policies
  • Termination procedures

🔹 5. Logging and Monitoring

  • Sample daily log reviews
  • SIEM alert configuration
  • File Integrity Monitoring (FIM) reports
  • Time synchronization settings

🔹 6. Testing & Scanning

  • Internal and external vulnerability scan results (last 4 quarters)
  • Authenticated internal scan reports
  • Penetration test report and remediation tracking
  • ASV attestation (if applicable)

🔹 7. Risk and Incident Management

  • Risk assessment report
  • Incident response test results and documentation
  • Evidence of incident training and drills

🔹 8. Training & Awareness

  • Security awareness completion logs
  • Role-specific training materials
  • Acceptable use acknowledgment records


📁 How to Organize Your Evidence

Structure matters. Here’s a simple method:


[Image: evidence-organization structure, not captured in this text]

💡 Pro tip: Use consistent naming conventions and include dates. A well-organized evidence package shows assessors you’re serious.


🧠 Tips for Internal Validation

  • Run a mock assessment with your PCI team
  • Use a checklist aligned to your SAQ or RoC template
  • Have SMEs walk through control demonstrations
  • Validate that screenshots are current and traceable
  • Review third-party compliance documentation (e.g., cloud providers)


⚠️ Common Pitfalls to Avoid

  • 🔴 Evidence is outdated or missing metadata
  • 🔴 Screenshots are unlabeled or lack context
  • 🔴 Policy shows intent but no proof of implementation
  • 🔴 Scan results missing quarterly history
  • 🔴 “We do this” — but can’t show it
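The pro tip above (consistent naming, dates in file names) and the pitfalls just listed (outdated evidence, missing metadata, scan history without all four quarters) can be turned into a mechanical pre-check of the evidence package before the assessor sees it. The script below is an added example, not code from the article or from any PCI SSC tool. It assumes a file-naming convention of `ReqNN_description_YYYY-MM-DD.ext` (an assumption for this example), treats "within 12 months" as a date no earlier than the same calendar day one year before the check date, and defines "last 4 quarters" as the quarter containing the check date plus the three before it. The manifest is constructed sample data.

```python
"""Evidence-package pre-check (added example; not the article's own code).

Walks a manifest of evidence files and flags three of the pitfalls the
article warns about: names without a requirement tag and date, policy
approvals older than 12 months, and vulnerability-scan evidence that does
not cover each of the last 4 quarters.
"""
import re
from datetime import date

# Assumed naming convention (an assumption for this example, not a PCI rule):
#   Req<NN>_<artifact-description>_<YYYY-MM-DD>.<ext>
NAME_RE = re.compile(r"^(Req\d{2})_([a-z0-9-]+)_(\d{4}-\d{2}-\d{2})\.[a-z0-9]+$")

# Constructed sample manifest: (filename, evidence category).
SAMPLE_MANIFEST = [
    ("Req01_firewall-ruleset_2025-03-10.pdf", "control"),
    ("Req12_infosec-policy-approval_2024-02-01.pdf", "policy"),  # approved > 12 months ago
    ("Req11_external-asv-scan_2024-09-15.pdf", "scan"),
    ("Req11_external-asv-scan_2024-12-20.pdf", "scan"),
    ("Req11_external-asv-scan_2025-03-05.pdf", "scan"),          # no Q2 2025 scan in the package
    ("siem-alerts-screenshot.png", "monitoring"),                # no requirement tag, no date
]

# Constructed check date used by the usage run below.
SAMPLE_AS_OF = date(2025, 6, 30)


def parse_name(filename):
    """Return (requirement, description, date) or None if the name breaks the convention."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    try:
        when = date.fromisoformat(m.group(3))
    except ValueError:  # well-formed pattern but impossible date, e.g. 2025-13-40
        return None
    return m.group(1), m.group(2), when


def check_naming(manifest):
    """Files whose names carry no traceable requirement tag and date."""
    return [name for name, _ in manifest if parse_name(name) is None]


def twelve_months_before(as_of):
    """Same calendar day one year earlier (29 Feb falls back to 28 Feb)."""
    try:
        return as_of.replace(year=as_of.year - 1)
    except ValueError:
        return as_of.replace(year=as_of.year - 1, day=28)


def check_policy_age(manifest, as_of):
    """Policy evidence whose recorded approval date is older than 12 months."""
    cutoff = twelve_months_before(as_of)
    stale = []
    for name, category in manifest:
        parsed = parse_name(name)
        if category == "policy" and parsed and parsed[2] < cutoff:
            stale.append(name)
    return stale


def quarter_of(d):
    """Calendar quarter as (year, 1..4)."""
    return d.year, (d.month - 1) // 3 + 1


def last_quarters(as_of, n=4):
    """The quarter containing as_of and the n-1 quarters before it, newest first."""
    year, q = quarter_of(as_of)
    out = []
    for _ in range(n):
        out.append((year, q))
        q -= 1
        if q == 0:
            year, q = year - 1, 4
    return out


def check_scan_coverage(manifest, as_of):
    """Quarters among the last 4 for which no scan evidence is present."""
    covered = {quarter_of(p[2]) for name, cat in manifest
               if cat == "scan" and (p := parse_name(name))}
    return [q for q in last_quarters(as_of) if q not in covered]


def run_checks(manifest, as_of):
    """Aggregate the three checks into one findings dictionary."""
    return {
        "unparseable_names": check_naming(manifest),
        "stale_policies": check_policy_age(manifest, as_of),
        "missing_scan_quarters": check_scan_coverage(manifest, as_of),
    }


if __name__ == "__main__":
    for finding, items in run_checks(SAMPLE_MANIFEST, SAMPLE_AS_OF).items():
        print(f"{finding}: {items}")
```

Run it against a real manifest by replacing `SAMPLE_MANIFEST` with a listing of your evidence folder and `SAMPLE_AS_OF` with the planned assessment date; anything it prints is a gap to close before kickoff, and a clean run is itself worth keeping as evidence of internal validation. Extending it with the "approved by" field from the policy register is the natural next step, since the article's second pitfall is evidence without context.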


📝 Final Thoughts

Good documentation isn’t just for compliance — it’s your internal proof of control maturity.

When the QSA (or your internal auditor) walks in, they’re not just asking, “Did you implement this?” They’re asking: “Can you prove it works?”

Get your house in order now, and your assessment will go from stressful to smooth.


Next up: Part 12 — The PCI DSS Assessment Process

We’ll walk through what to expect during the actual assessment, from kickoff to final report.

Have you ever been surprised by what an assessor flagged during review? Let’s compare stories in the comments.

#PCIDSS #PCICompliance #AuditReadiness #EvidenceCollection #SecurityAudit #GRC #ComplianceChecklist #ControlValidation #InternalAudit #PreAssessment #SecurityDocumentation #PCI401 #CybersecurityCompliance #DocumentationMatters


Thanks for sharing, Cesar. You're really pushing yourself to contribute to the security community, and it's appreciated
