Branden Williams has a great post out on this topic that everyone who is a QSA needs to read. He brings up a number of good points that need to be discussed.
That said, I wanted to take one of his discussion points and go a bit deeper: the coming requirement that multiple certifications will be required as of July 1, 2016.
“Note: The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”
The document lists two types of certifications: “Information Security” and “Audit”. Under the Information Security list you have the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).
Under the Audit list you have the Certified Information Systems Auditor (CISA), GIAC Systems and Network Auditor (GSNA), Certified ISO 27001, Lead Auditor, Internal Auditor, International Register of Certificated Auditors (IRCA), Information Security Management System (ISMS) Auditor, and Certified Internal Auditor (CIA). How the Council developed this list of qualifying certifications is beyond me, as there are others that I would think should be listed here.
I too face the issue that Branden faces. While I have multiple certifications, I no longer hold the CISA certification that I would need to remain a QSA after June 30, 2016. As a result, I would have to go back and obtain my CISA again after letting it lapse years ago. Why my Certified in Governance of Enterprise Information Technology (CGEIT) would not be acceptable and qualify me, I have no idea.
But there is a larger issue here that I think needs to be discussed. Given how the Council has broken these certifications out, one would assume that they are looking to make QSAs better assessors by improving their auditing skills. I am also assuming that they are preparing QSAs for the onslaught of conducting true audits under the coming integration of business as usual (BAU) standards that will be introduced in PCI DSS v4.
Based on those assumptions, I would argue that, apart from being a CPA, only the IRCA and CIA certifications have anything to do with certifying someone as capable of conducting a proper audit. All of the other certifications they specify under the “Audit” category are focused on a particular auditing standard such as CoBIT, ISO 27K or similar, and have nothing to do with improving a QSA’s auditing skills or preparing QSAs to become true auditors.
But that brings up an even more interesting question to ponder. Is the PCI SSC going to adopt the AICPA’s Statements on Standards for Attestation Engagements AT-101? This standard is what tells CPAs how to properly conduct audits. AT-101 lays out an extensive list of requirements for conducting an audit, from planning, execution, work papers, client representations, report creation and report publication to everything in between.
A number of years ago, when I worked at an accounting firm, we were approached by a few clients interested in conducting their PCI assessments to the AT-101 auditing standard. As we investigated what it would take, we and our clients quickly came to the realization that conducting a PCI assessment to AT-101 standards was going to be very costly and time consuming. The reason was that AT-101 has specific and rigorous evidence-gathering and sampling requirements that go far beyond what any QSA does today for a PCI assessment.
With the introduction of BAU into the mix, QSAs are going to have to test compliance with certain requirements over the assessment period. Based on my analysis of v3, I estimate that there are at least 213 requirements that could be tested over some period of time. As a result, AT-101 auditing standards could easily be applied to those requirements. Such an application would lend much more credence to a PCI assessment and better prove that organizations are complying with the PCI DSS.
Most departments in organizations have never been through an actual audit, other than possibly their finance and accounting areas. As a result, the rigor involved with an audit will be a very new and frustrating experience for IT and the other areas involved with PCI compliance. If you think the PCI assessment process is annoying and painful now, wait until you see what lies ahead if, as I would bet, this is where the Council is headed.
Regardless, the PCI haters will really have something to complain about if this comes to pass.
My recommendation? Move as quickly as possible to reduce your PCI scope now.