PCI SSC has just released new details regarding the training schedule for the ISA program. The program is obviously PCI SSC’s response to the often heard complaints from merchants and service providers about high costs involved with maintaining PCI DSS compliance. Be sure to read the program validation requirements as well as the FAQs.
Key requirements to note are:
- ISAs have to be on full –time employment with the sponsor companies. Specifically , ISAs will not retain the certification upon termination of employment and so can’t carry the certification to a new employer.
- ISAs need to be recertified annually. The recertification process includes ISA Program training and passing the examination every year.
- ISAs have to be part of a dedicated Internal Audit department.
Important to note is the scope/objective of the ISA program which reads as “to improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls”. It also says that the “ISA qualification does not entitle an ISA to perform special functions or conduct QSA Assessments".
Here is another interesting blog post on this topic.