PCI DSS 7.1.2: Assign Access Control Roles & Responsibilities
PCI DSS Requirement 7.1.2 requires organizations to formally document, assign, and communicate access control roles and responsibilities to prevent unauthorized system access. Without clear role definitions, your organization risks privilege creep, inadequate oversight, and compliance failures. This control is foundational to demonstrating that access management activities are deliberately managed and understood across your team.
What this means
This control mandates that your organization create documented access control roles that clearly define who is responsible for managing user access, approving access requests, and monitoring system access. Each role must have specific responsibilities assigned to named individuals or teams, and all stakeholders must understand their obligations. Documentation should cover roles for granting access, revoking access, reviewing access, and managing privileged accounts—ensuring no gaps in accountability.
How to comply
- 1.Create a comprehensive access control roles and responsibilities document identifying all roles involved in access management
- 2.Define specific duties for each role, including access provisioning, approval, revocation, and periodic review
- 3.Assign documented roles to specific individuals or teams with formal acknowledgment of their responsibilities
- 4.Communicate role definitions and responsibilities to all relevant personnel through documented training or acknowledgment
- 5.Maintain current documentation and update it whenever organizational changes affect access control responsibilities
- 6.Establish a process for reviewing and validating that assigned roles are actively performing their intended responsibilities
Evidence auditors look for
- Access Control Roles and Responsibilities policy document with defined roles and duties
- Organizational chart or RACI matrix mapping access control responsibilities to personnel
- Role assignment records with dated approvals from management
- Employee acknowledgment forms confirming understanding of assigned access control responsibilities
- Training records demonstrating personnel completion of access control role training
- Periodic reviews confirming assigned individuals are actively fulfilling their documented roles
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates role assignment documentation and tracks responsibility matrices in real time, eliminating manual tracking and ensuring every team member's access control duties are documented, assigned, and current.
See how GRCWatch handles this control automatically
Start free trial