GRCWatch
Sign inStart free trial

PCI DSS 1.2.9: Review Network Diagrams Annually

Network diagrams are your compliance roadmap—outdated ones hide vulnerabilities and audit failures. PCI DSS 1.2.9 requires you to review and update these diagrams at least once yearly to maintain an accurate picture of your cardholder data environment. This control ensures your security architecture stays current with your actual infrastructure.

What this means

This control mandates that organizations maintain and review network architecture documentation at minimum annually. Network diagrams must accurately reflect your current system layout, data flows, and security perimeters. Any changes to your network topology, systems, or connections must be captured in updated diagrams to maintain compliance and enable effective security monitoring.

How to comply

  1. 1.Schedule an annual network diagram review on your compliance calendar—typically tied to your PCI DSS assessment period.
  2. 2.Map your entire cardholder data environment including all systems, network segments, firewalls, and data flow paths.
  3. 3.Compare existing diagrams against your current infrastructure to identify outdated or missing components.
  4. 4.Document all changes made during the year and update diagrams to reflect new systems, removed equipment, or modified connections.
  5. 5.Include data flow annotations showing where cardholder data enters, travels through, and exits your network.
  6. 6.Obtain approval and sign-off from network and security leadership on the updated diagrams.
  7. 7.Retain previous versions of diagrams and maintain a change log to demonstrate annual review history.

Evidence auditors look for

  • Dated and signed network diagrams updated within the past 12 months
  • Change log documenting infrastructure modifications since the last review
  • Email or meeting notes showing management approval of diagram updates
  • Comparison document (redline) between previous and current diagrams
  • Network topology documentation including firewalls, routers, and segmentation
  • Data flow diagrams showing cardholder data movement through systems
  • Annual review attestation signed by network or IT leadership

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates annual review scheduling and maintains version-controlled diagram repositories with change tracking, so you generate audit-ready compliance evidence without manual documentation workflows.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.1.2 — Current Network Diagram DocumentationPCI DSS 1.2.1 — Firewall Configuration DocumentationPCI DSS 1.2.3 — Prohibition of Direct Connections