When documenting that a requirement is "In Place," the ROC must clearly describe how compliance was validated by the assessor. This involves detailing the evidence observed, such as system configurations, documentation, and personnel interviews.
ROC Documentation Guidelines:
The ROC Reporting Template specifies that each "In Place" response must include evidence demonstrating compliance with the requirement, such as testing observations and validation of implemented controls.
Eliminating Incorrect Options:
A:Project plans are not sufficient to demonstrate current compliance.
C/D:Responses discussing non-implementation or non-compliance are irrelevant when the requirement is "In Place."
PCI DSS v4.0 ROC Template Guidance:
Appendix sections in the ROC provide specific instructions for assessors to document the testing performed, evidence reviewed, and results.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit