It has been a while since I started my journey into the PCI-DSS world. Over the years I have stressed the importance of being open and transparent, especially during the GAP analysis.
GAP analysis as a pre-audit
It is very important for an entity starting its compliance process to perform a GAP analysis against the standard.
Such an analysis serves as a pre-audit that highlights the gaps (hence the name) the entity may have with respect to the PCI-DSS standard.
The GAP analysis is the very first thing to do when starting a compliance process. The Prioritized Approach Tool from the council can be used to track progress toward compliance; sometimes, however, the Prioritized Approach Tool is overkill in the hands of a non-QSA individual. This is why I use questionnaires developed in-house. Such questionnaires evaluate the entity's security posture against PCI DSS, but most importantly, since an appointed officer of the entity fills them in directly, they help reduce audit time and therefore cost!
Benefits of performing a GAP analysis
In addition, being open, honest and transparent when answering such questionnaires helps both the QSA and the entity understand where to focus their efforts to achieve compliance.
A GAP analysis also adds value in terms of time-to-market: if done at the right time, it can give top management a reasonably accurate time-to-market estimate, which in turn can lead to the allocation of the resources needed to speed it up.
Never underestimate the initial stages of the process; as the wise Latin saying goes:
Dimidium facti, qui coepit, habet
which in our time is rendered as: a good start is half the battle.