Step 7 – CCSSA-PR reviews Audit Documentation, provides feedback to CCSSA
The copy of the audit report will need to be redacted of all personally identifiable information (PII) of the assessed entity's personnel involved in the audit. Also, all sensitive information about the assessed entity must be redacted, including:
- Filenames of evidence artifacts collected and reviewed during the audit.
- Any diagrams, pictures and screen captures.
- Any other information within the audit report the CCSSA believes is sensitive and could impact the security of the assessed entity's environment if the copy of the audit report is accessed by unauthorized users.
The CCSSA must make the redacted copy of the audit report available to the assessed entity prior to being sent to the CCSSA-PR so the assessed entity can check if all sensitive information has been redacted.
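As an added illustration (not part of the original article or the C4 process), the following Python script is the kind of pre-flight check a CCSSA could run over the redacted copy before handing it to the assessed entity: it scans the report text for the categories of leftover material listed above (e-mail addresses as a proxy for PII, evidence filenames, file-share paths, and embedded image markup) and reports each hit with its line number. The sample report text, the extension list and the patterns are constructed assumptions; a real report would be exported to plain text first, and the script flags candidates for a human to review rather than proving the redaction complete.

```python
import re
from dataclasses import dataclass

# Constructed sample: three lines that slipped past redaction and one clean line.
SAMPLE_REPORT = """\
Requirement 1.01 Key Generation: reviewed procedure with J. Doe (jdoe@example-exchange.test).
Evidence: KeyCeremony_2023-04.xlsx and \\\\fileserver\\audit\\hsm_config.txt were examined.
Figure 3: ![HSM rack](images/hsm_rack.png)
The auditor interviewed the custodian and observed the key ceremony on site.
"""

# Assumed set of evidence-artifact extensions worth flagging in a redacted report.
EVIDENCE_EXTENSIONS = ("xlsx", "xls", "docx", "pdf", "txt", "log", "csv", "json", "png", "jpg", "jpeg")

PATTERNS = {
    # e-mail addresses of the assessed entity's personnel (PII)
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    # bare filenames of evidence artifacts, e.g. KeyCeremony_2023-04.xlsx
    "filename": re.compile(r"\b[\w.-]+\.(?:%s)\b" % "|".join(EVIDENCE_EXTENSIONS), re.IGNORECASE),
    # UNC shares (\\server\share\file) or absolute Unix paths with two or more segments
    "path": re.compile(r"\\\\[\w$.-]+(?:\\[\w.$-]+)+|(?:/[\w.-]+){2,}"),
    # Markdown or HTML image references (diagrams, screen captures)
    "image": re.compile(r"!\[[^\]]*\]\([^)]+\)|<img\b[^>]*>", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    text: str


def find_unredacted(report: str) -> list[Finding]:
    """Return every candidate leftover, one Finding per pattern match per line.

    A filename that also sits inside a path is reported under both categories;
    the reviewer decides which redaction to apply.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(report.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, category, match.group(0)))
    return findings


def ready_for_peer_review(report: str) -> bool:
    """True only when the scan finds nothing; a human still signs off."""
    return not find_unredacted(report)


if __name__ == "__main__":
    for f in find_unredacted(SAMPLE_REPORT):
        print(f"line {f.line_no}: {f.category:8} {f.text}")
    print("ready:", ready_for_peer_review(SAMPLE_REPORT))
```

Run against the constructed sample, the check reports the e-mail address on line 1, the spreadsheet name, the UNC path and the filename inside it on line 2, and the image reference plus its filename on line 3; the last line, which describes the interview without naming a person, file or picture, produces nothing. The output is a worklist for the CCSSA, and the assessed entity's written approval described in the text remains the actual gate.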
Once the assessed entity has approved in writing the release of the redacted audit report for peer review, the CCSSA will make the redacted audit report available to the CCSSA-PR. It is important to note that the CCSSA-PR is not peer reviewing the audit's evidence. The CCSSA-PR is reviewing the evidence gathering techniques the CCSSA applied during the audit, so that the CCSSA-PR can have assurance that enough evidence gathering techniques were applied for the CCSSA to reach an opinion for each requirement. The CCSS auditor's guide has a section on recommended evidence gathering techniques. I have also written in detail regarding the recommended evidence gathering techniques.
The C4 peer review process for a CCSS audit may sound different to the standard audit peer review process and it is. However, as we noted before, C4 requires that the CCSSA-PR is independent of the CCSSA. This means that the two auditors will more than likely have different audit training and audit methodologies which could clash if the CCSSA-PR has to peer review the evidence. Further, the CCSSA-PR would not have signed an NDA with the assessed entity to see the evidence collected.
C4 does offer a mediation and disputes process for the CCSSA and CCSSA-PR if issues do arise.
Once the CCSSA-PR has confirmed in writing that the CCSSA applied sufficient evidence gathering techniques to form the opinions presented, the CCSSA will move to the next step in the certification process. I wrote a detailed article on the peer review process.
An important note I would like to make is that the CCSS audit is not a “checkbox” audit. The CCSSA is required by C4 to conduct a rigorous audit of the people, process and technology components of the in-scope environment. If the reader is aware of how a PCI DSS audit is conducted, then the CCSSA audit follows the same level of rigour. If the CCSSA does not perform the required level of audit rigour, then the audit report will fail the peer review process.