PCI DSS 7.1.1: Documenting Access Control Policies & Procedures
Access control policies form the foundation of PCI DSS Requirement 7 compliance. Control 7.1.1 requires organizations to document all security policies and procedures for access management, keep them current, enforce them consistently, and ensure all affected staff understand their responsibilities. Without documented policies, you cannot demonstrate control over who accesses sensitive cardholder data.
What this means
This control mandates that your organization creates formal, written documentation covering all security policies and procedures related to access control (Requirement 7). These policies must be actively maintained, regularly updated to reflect current business practices and threats, actively used within your organization, and communicated to everyone who needs to follow them. Documentation serves as both your compliance blueprint and operational guide for enforcing least-privilege access principles.
How to comply
- 1.Create formal written policies covering all Requirement 7 access control procedures including user access provisioning, modification, and deprovisioning
- 2.Document procedures for granting, revoking, and reviewing user access rights to systems and cardholder data
- 3.Establish clear ownership and approval workflows for access requests and changes
- 4.Define roles and responsibilities for who administers access controls and who approves changes
- 5.Schedule regular policy review and update cycles (at minimum annually) to reflect operational changes
- 6.Distribute policies to all affected employees, contractors, and third parties with documented acknowledgment of receipt
- 7.Include policy version control, effective dates, and revision history in all documentation
- 8.Embed policy compliance requirements into onboarding and training programs for all staff
- 9.Establish a process for monitoring policy adherence and addressing violations
Evidence auditors look for
- Documented access control policy with version number, effective date, and last review date
- Written procedures for user provisioning including approval requirements and timeline
- Deprovisioning procedures documenting system access removal upon termination or role change
- Access review and recertification procedures with defined frequency and approval process
- Employee acknowledgment forms signed by staff confirming they received and understood access policies
- Training records demonstrating staff completion of access control policy training
- Change request documentation showing access modifications were made according to documented procedures
- Policy distribution logs or attendance records from policy communication sessions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes all your access control policy documentation, tracks version history, automates policy distribution and acknowledgment collection, and maintains audit trails of who reviewed each policy—eliminating scattered documents and proving "known to all affected parties" in seconds.
See how GRCWatch handles this control automatically
Start free trial