PCI DSS 6.1.2: Documenting and Assigning Secure Development Roles
Requirement 6.1.2 demands that your organization document, assign, and communicate clear roles and responsibilities for all secure development activities. Without explicit role assignments, development teams operate without accountability, creating security blind spots. This control ensures every team member understands their part in maintaining secure software throughout the development lifecycle.
What this means
This control requires you to create documented role definitions that specify who is responsible for secure coding practices, code reviews, security testing, vulnerability management, and other Requirement 6 activities. These roles must be formally assigned to individuals or teams, and all participants must demonstrate understanding through acknowledgment or training records. The documentation serves as your accountability framework for secure development practices.
How to comply
- 1.Document all roles involved in secure development activities (developers, security architects, code reviewers, QA testers, security champions)
- 2.Create detailed responsibility matrices that map each role to specific Requirement 6 activities and tasks
- 3.Assign documented roles to specific individuals or teams with written confirmation
- 4.Provide role-based secure development training to all assigned personnel
- 5.Require written acknowledgment from each person confirming they understand their assigned responsibilities
- 6.Review and update role assignments annually or when organizational changes occur
- 7.Maintain evidence of role assignments and acknowledgments in your compliance documentation
Evidence auditors look for
- Role definition document detailing responsibilities for each secure development function
- RACI matrix (Responsible, Accountable, Consulted, Informed) mapping roles to Requirement 6 activities
- Signed role assignment letters or employment agreements referencing secure development responsibilities
- Training completion records showing all assigned personnel received role-specific instruction
- Email confirmations or acknowledgment forms signed by employees confirming role understanding
- Organizational chart or staffing plan identifying who holds each secure development role
- Meeting minutes or memos announcing role assignments and changes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates role assignment tracking and generates acknowledgment workflows, automatically reminding team members to confirm their secure development responsibilities and maintaining audit-ready evidence of all role assignments.
See how GRCWatch handles this control automatically
Start free trial