PCI DSS 11.1.1: Document Security Testing Policies
PCI DSS 11.1.1 requires your organization to maintain documented security policies and procedures for all security testing activities. These policies must be kept current, actively enforced, and understood by every team member responsible for security testing—a foundation for effective penetration testing and vulnerability management across your payment card environment.
What this means
This control mandates that your organization creates, maintains, and distributes formal documentation covering all security testing policies and procedures required by PCI DSS Requirement 11. Your policies must accurately reflect current practices, be regularly reviewed and updated, and be accessible and understood by all personnel involved in security testing activities. This ensures consistency, accountability, and knowledge across your organization's testing efforts.
How to comply
- 1.Create comprehensive security testing policies that cover penetration testing, vulnerability scanning, and all other testing methodologies required under Requirement 11
- 2.Document testing scope, frequency, objectives, methodologies, and roles and responsibilities for all security testing activities
- 3.Establish a policy review and update schedule to ensure documentation remains current with evolving threats and regulatory expectations
- 4.Distribute policies to all affected parties and maintain proof of acknowledgment from testing personnel
- 5.Integrate security testing policies into your broader information security documentation framework
- 6.Define escalation procedures and remediation requirements for identified vulnerabilities discovered during testing
Evidence auditors look for
- Documented security testing policy statement signed by management
- Penetration testing procedures and scope definitions
- Vulnerability scanning policies including tools, frequency, and coverage requirements
- Policy distribution records showing staff access and acknowledgment
- Policy review and update logs with dates and changes made
- Version control documentation for all security testing procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks your security testing policy versions, maintains distribution records, and generates acknowledgment reports—eliminating manual tracking and proving policy compliance to auditors in seconds.
See how GRCWatch handles this control automatically
Start free trial