Under the Customized Approach, assessors are responsible for deriving and documenting the testing procedures in Appendix E of the Report on Compliance (ROC). The assessor must ensure the control meets the requirement objective and validate it through custom testing.
Option A: ❌ Incorrect. Ongoing monitoring is the entity's responsibility, not the assessor's.
Option B: ✅ Correct. The assessor must derive and document testing in Appendix E.
Option C: ❌ Incorrect. The entity documents control details; the assessor documents test results.
Option D: ❌ Incorrect. The entity must perform the targeted risk analysis, not the assessor.
Reference: PCI DSS v4.0.1, Appendix D (Customized Approach) and Appendix E (ROC Template).