GRCWatch
Sign inStart free trial

PCI DSS 1.2.5: Document Business Need for Allowed Services

PCI DSS 1.2.5 requires you to maintain documented approval and business justification for every service, protocol, and port allowed on your network. Without clear documentation linking each enabled service to a legitimate business function, you risk audit findings and security vulnerabilities. This control ensures your network only supports intentional, approved connectivity—closing gaps attackers exploit.

What this means

This control mandates that your organization maintain a complete inventory of all allowed services, protocols, and ports across your network. Each entry must include documented evidence of business need and explicit approval from authorized personnel. This prevents unauthorized services from running undetected and ensures every network connection supports a defined business function.

How to comply

  1. 1.Create and maintain a comprehensive inventory of all services, protocols, and ports deployed across your network infrastructure
  2. 2.Document the specific business purpose for each allowed service—connect it to a named business function or operational requirement
  3. 3.Obtain written approval from appropriate management or security personnel before enabling any new service, protocol, or port
  4. 4.Establish a formal change control process that requires business justification and approval before any network service modifications
  5. 5.Review and update your service inventory and approvals at least annually or when network changes occur
  6. 6.Disable or remove any services, protocols, or ports that lack documented business need or current approval
  7. 7.Maintain records of all approvals and business justifications in a centralized repository for audit verification

Evidence auditors look for

  • Network inventory spreadsheet listing all allowed services with corresponding business justification and approval date
  • Change control forms documenting approval for new services prior to deployment
  • Service exception log showing disabled services and the reason (lack of business need) for removal
  • Documented business requirements linking network services to operational functions (e.g., 'HTTPS required for customer portal')
  • Approval records signed by authorized personnel authorizing specific ports and protocols
  • Annual service inventory review and re-approval documentation
  • Network configuration documentation showing only approved services enabled

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates service inventory tracking and approval workflows, letting you document business justification once and maintain audit-ready evidence without manual spreadsheet management.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.2.1 — Restrict Inbound/Outbound TrafficPCI DSS 1.2.2 — Restrict Outbound Internet TrafficPCI DSS 1.2.3 — Prohibit Direct Public AccessPCI DSS 1.2.4 — Document and Approve Network Diagram