PCI SSC Releases ISA Details
The PCI Security Standards Council has released the dates for the anticipated Internal Security Assessor (ISA) courses. The first course will be run in Sydney, Australia in May, the next three in the US from June to September, and the final listed course in Spain in October. The course itself is a 3-day course and appears to be a qualification program, which suggests that an exam is included, although this is not explicitly stated.
The ISA course has been anticipated because it gives companies the opportunity to use existing internal audit resources to manage their self-assessment PCI DSS validation requirements. In practice this means that organisations eligible for the self-assessment route to PCI DSS compliance now have a formal training course that they can avail of to educate their internal audit staff.
There are two main steps required to get an internal member of staff ISA qualified. The first is to register as an ISA sponsor company. To be eligible as an ISA sponsor company the organisation must be a 'merchant, processor, service provider or other organization required to comply with the PCI DSS' and must 'process credit, debit or other payment transactions with members of the general public;'. This is straightforward enough; if you process card payments and are required to be PCI DSS compliant then you can apply. The next requirement is a little more stringent: 'The organization must have a dedicated internal audit department, group or division'. This requirement would definitely be a challenge for small to medium-sized organisations that may not have such a department. It also seems to indicate that a single individual will not be sufficient and that the function must be a clearly defined business unit within the organisation. The process to apply as a sponsor company requires that the organisation submit a Sponsor attestation, which must be resubmitted on an annual basis within 30 days of the original application date. For organisations that are a PCI SSC participating organisation the initial training fee for each person is $1,495, and for non-participating organisations $2,495 (the annual fee to become a participating organisation is $2,500 per annum). The annual fee for re-certification in subsequent years is the same for both at $995.
The next step is to get a full-time internal security audit professional certified as an ISA. The ISA certification is not transferable: an employee at one organisation cannot move to a new organisation and retain their ISA qualification, nor can a certification pass to a new internal security audit professional. This may cause continuity issues for organisations if their ISA certified staff choose to leave. The ISA certification must also be renewed on an annual basis, which requires that certified candidates pass an annual exam to remain eligible as an ISA resource within the organisation. In addition to passing the annual examination an ISA must 'engage in sufficient information systems audit training on an annual basis to support applicable continuing professional education requirements, including a minimum of 20 hours of such training per year and 120 hours of such training over the immediately preceding rolling three-year period'. At present it is not entirely clear what information systems audit training may constitute, but I would speculate that this will be clarified in time. Lastly, a list of recommended experience is given which a suitable ISA candidate would ideally possess. Interestingly, one of these recommendations is to have experience in executing security audits similar to QSA audits, perhaps opening a new career path for the QSAs out there.
The full PDF containing all of the ISA details is available from the PCI SSC website.
Posted May 8, 2010