PCI DSS 1.1.1: Document Network Security Policies
Network security policies are the foundation of PCI DSS compliance—but documentation alone isn't enough. Your policies must be current, actively used, and understood by everyone who implements them. This control ensures your organization has a clear, documented approach to securing cardholder data across your network.
What this means
PCI DSS 1.1.1 requires organizations to formally document all security policies and procedures covering network security (Requirement 1), including firewall configuration standards, access controls, and data flow management. These policies must be kept up to date, actively enforced, and communicated to all personnel responsible for implementing or maintaining them. The intent is to establish a clear written framework that guides network security decisions and provides accountability.
How to comply
- 1.Create comprehensive written policies covering all aspects of Requirement 1 (firewalls, network architecture, cardholder data protection).
- 2.Define who is responsible for each policy and what approval process is required for updates.
- 3.Establish a change management process that documents when policies are reviewed, updated, and by whom.
- 4.Distribute policies to all affected staff and document evidence of receipt and acknowledgment.
- 5.Review and update policies annually or when significant network changes occur.
- 6.Version control all policy documents with dates and revision history.
- 7.Store policies in a centralized, accessible location (wiki, document management system, or shared repository).
Evidence auditors look for
- Written network security policies with issue dates, approval signatures, and version numbers.
- Policy distribution logs showing staff acknowledgment and sign-off dates.
- Change log documenting policy reviews, updates, and effective dates.
- Evidence of annual review and approval (email, meeting notes, audit trail).
- Training records showing staff have reviewed applicable policies.
- Firewall configuration standards aligned with documented policies.
- Access control procedures that reference specific policy sections.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates policy version control, tracks distribution and staff acknowledgments, and triggers annual review reminders—eliminating manual tracking and providing auditors with clear evidence that your policies are documented, current, and known to all relevant staff.
See how GRCWatch handles this control automatically
Start free trial