PCI DSS 12.1.1: Establish and Publish Information Security Policy
Your information security policy is the foundation of PCI DSS compliance. Control 12.1.1 requires you to create, document, and distribute a formal security policy to all relevant personnel, vendors, and partners. Without this baseline control, the rest of your compliance program lacks direction and accountability.
What this means
This control requires organizations to develop a comprehensive information security policy that covers the principles and expectations for protecting cardholder data and system assets. The policy must be formally established, regularly reviewed and updated, published in accessible formats, and actively communicated to everyone with access to systems or data—including employees, contractors, and third-party service providers. The policy serves as the governing document that informs all other security controls and operational practices.
How to comply
- 1.Draft a written information security policy that addresses the organization's security objectives, risk tolerance, and compliance requirements
- 2.Define roles and responsibilities for security management, including executive sponsorship and security personnel accountability
- 3.Document acceptable use standards, password requirements, incident response procedures, and consequences for non-compliance
- 4.Include provisions for third-party and vendor security obligations aligned with PCI DSS requirements
- 5.Establish a review and update cycle (minimum annually) to keep the policy current with business and threat changes
- 6.Obtain executive approval and sign-off from senior management before publication
- 7.Distribute the policy to all relevant personnel and maintain documented evidence of distribution and acknowledgment
- 8.Implement mandatory training or attestation so employees confirm they have read and understand the policy
- 9.Post the policy in accessible locations (intranet, employee handbook, or compliance portal)
Evidence auditors look for
- Formal information security policy document with effective date and version control
- Evidence of executive review and approval (signed cover letter or board minutes)
- Email distribution records showing policy sent to all employees and relevant vendors
- Employee acknowledgment forms or sign-off sheets confirming policy receipt and understanding
- Audit logs or learning management system records documenting mandatory policy training completion
- Annual review and update records demonstrating policy maintenance and refreshes
- Vendor agreements or contracts referencing PCI DSS security policy compliance obligations
- Third-party attestations or acknowledgment letters confirming receipt of the policy
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates policy distribution, tracks employee acknowledgments across your entire organization, and maintains audit-ready records of each version and update cycle—eliminating manual spreadsheets and approval bottlenecks for PCI DSS 12.1.1 evidence.
See how GRCWatch handles this control automatically
Start free trial