PCI Requirement 12.1 is critical to any organization handling cardholder data. It requires that you establish, publish, maintain, and implement an information security policy. This policy must address information security for all personnel and be reviewed annually (or after any significant changes). This policy is the document that will govern the design and implementation of your security measures. Under the Shared Responsibility Model, it is the customer’s responsibility to maintain an information security policy that sets the organization’s security tone and protects the cardholder data environment.

One of the things I have always been curious about in respect to the PCI Data Security Standard is why they made the information security policy the last requirement. You have to have a good framework telling you what to do so you can go do it. The PCI DSS requires you to establish, maintain, and publish a policy that is clear, concise, and creates a roadmap for designing the security measures around your systems and implementing those. It must include the roles involved – job descriptions, who has access to what, and what do they do. The policy can allude to the actual tools that are used, maybe in standards or in the policy. Having a policy, however, is so important. PCI Requirement 12.1.1 is the requirement for the annual review. What good is a policy if you create it once and it is never looked at it again? By making the review a requirement, it ensures that at least annually, the key stakeholders in the PCI DSS compliance efforts will look at policy documentation, make any changes, and go through the approval cycle. If they are consistent, current, relevant, and up to date, then you have a match for being in compliance with PCI Requirement 12.1.