PCI DSS 6.1.1: Documenting Secure Development Policies
PCI DSS 6.1.1 requires that all security policies and procedures under Requirement 6 are formally documented, maintained, actively used, and communicated to everyone involved in development and system changes. This foundational control ensures your organization has a documented baseline for secure coding and development practices that prevents vulnerabilities before they reach production.
What this means
This control mandates that your organization create and maintain comprehensive documentation of all security policies and procedures related to secure development (Requirement 6). These policies must be current, actively implemented across your development lifecycle, and clearly communicated to all personnel involved in software development, system changes, and code deployment. The documentation serves as your compliance evidence and operational reference for building secure systems.
How to comply
- 1.Create written security policies covering all aspects of Requirement 6 (secure development practices, code review, testing, change management)
- 2.Document procedures for secure development including coding standards, security testing requirements, and vulnerability management
- 3.Establish a process to regularly review and update policies to reflect current threats, technologies, and business changes
- 4.Distribute policies to all affected personnel including developers, QA teams, system administrators, and security staff
- 5.Document acknowledgment that personnel have read and understood the policies
- 6.Implement controls to ensure policies are actually followed during development and deployment workflows
- 7.Maintain evidence of policy distribution and staff training completion
Evidence auditors look for
- Dated, signed secure development policy documents
- Code review and testing procedure documentation
- Change management process documentation
- Secure coding standards and guidelines
- Staff acknowledgment forms or training records showing policy communication
- Version control history showing policy updates and review dates
- Security testing requirements and procedures
- Vulnerability management and remediation procedures
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates secure development policy documentation and tracks acknowledgment from all affected personnel, eliminating manual spreadsheet tracking and ensuring your policies remain current and accessible.
See how GRCWatch handles this control automatically
Start free trial