Coming from several large corporations that needed to attest to PCI DSS compliance annually, as well as being a QSA in a few former lives, I’ve seen my fair share of the post-audit slump. You know what I’m talking about: the “Wow! We completed our audit! Let’s take the next 11 months off to focus on other business needs and we’ll ramp back up during month 11.” Sure, you may not word it exactly like that, but more often than not that’s exactly what happens.
There are a couple of major problems with “taking a break” after an audit. Firstly, in the case of PCI DSS, there are daily requirements to meet, and daily log review (Requirement 10.6 in PCI DSS v3.x, 10.4 in v4.0) is the frontrunner. On more than one occasion I’ve assessed a company several years in a row, and between the first and second year the company has usually had trouble proving it does daily log review, especially if it never set up alerts around the review. The more humorous cases are the SIEM/SOC folks who have a daily digest sent to a folder in their mailbox. I’ll show up in year two and find 300-something unread emails. An unopened digest is not a review: it leaves no evidence that anyone looked at the events, decided what they meant, or acted on them, which is exactly what an assessor will ask to see.
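The difference between a digest nobody opens and a review an assessor can verify comes down to two things: alerts that demand a decision, and a dated record of who made that decision. The script below is an added example written for this page, not code from the original post or from any SIEM vendor. It runs a handful of review rules over constructed syslog-style lines, raises alerts for the events a daily review is meant to catch, and builds a review record with acknowledgements. The log format, rule names, thresholds and sample lines are all assumptions made for the demonstration.

```python
"""Daily log review with alerts and a dated review record.

Added example, not from the original post. Everything here (log format,
rules, thresholds, hostnames, sample lines) is constructed for the demo.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not real data, not from the post).
SAMPLE_LOGS = """\
2024-03-04T02:11:05Z pay-db01 sshd[4021]: Failed password for root from 203.0.113.7 port 52011 ssh2
2024-03-04T02:11:09Z pay-db01 sshd[4021]: Failed password for root from 203.0.113.7 port 52012 ssh2
2024-03-04T02:11:14Z pay-db01 sshd[4021]: Failed password for root from 203.0.113.7 port 52013 ssh2
2024-03-04T02:11:20Z pay-db01 sshd[4021]: Failed password for root from 203.0.113.7 port 52014 ssh2
2024-03-04T02:11:27Z pay-db01 sshd[4021]: Failed password for root from 203.0.113.7 port 52015 ssh2
2024-03-04T02:12:01Z pay-db01 sshd[4030]: Accepted publickey for root from 203.0.113.7 port 52016 ssh2
2024-03-04T02:13:40Z pay-db01 useradd[4044]: new user: name=svc_backup2, UID=1009, GID=1009, home=/home/svc_backup2
2024-03-04T02:14:02Z pay-db01 sudo: svc_backup2 : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG wheel svc_backup2
2024-03-04T03:00:00Z pay-db01 auditd[611]: audit daemon stopping
2024-03-04T08:30:12Z pay-app01 sshd[2210]: Accepted publickey for deploy from 10.0.5.21 port 41002 ssh2
"""

# "<timestamp> <host> <program>[pid]: <message>" (assumed format)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")


@dataclass
class Alert:
    rule: str
    host: str
    detail: str
    acknowledged_by: Optional[str] = None
    disposition: Optional[str] = None


def parse(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines, failed_login_threshold=5):
    """Apply the review rules; return (alerts, number_of_lines_parsed)."""
    alerts = []
    failures = Counter()  # (host, user, source ip) -> failed login count
    parsed = 0
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        parsed += 1
        host, prog, msg = ev["host"], ev["prog"].strip(), ev["msg"]
        m = re.search(r"Failed password for (?:invalid user )?(\S+) from (\S+)", msg)
        if m:
            failures[(host, m.group(1), m.group(2))] += 1
            continue
        m = re.search(r"Accepted \S+ for root from (\S+)", msg)
        if m:
            alerts.append(Alert("root-login", host, f"interactive root login from {m.group(1)}"))
        m = re.search(r"new user: name=(\S+),", msg)
        if m:
            alerts.append(Alert("account-created", host, f"user {m.group(1)} created"))
        m = re.search(r"COMMAND=.*usermod .*-aG (?:wheel|sudo) (\S+)", msg)
        if m:
            alerts.append(Alert("privilege-grant", host, f"{m.group(1)} added to admin group"))
        if prog == "auditd" and "stopping" in msg:
            alerts.append(Alert("audit-stopped", host, "audit daemon stopped"))
    # Threshold rules are decided once all lines are seen.
    for (host, user, src), n in failures.items():
        if n >= failed_login_threshold:
            alerts.append(Alert("brute-force", host, f"{n} failed logins for {user} from {src}"))
    return alerts, parsed


def review(lines, reviewer, review_date):
    """Build the evidence an assessor asks for: who reviewed what, and when."""
    alerts, parsed = evaluate(lines)
    return {"reviewer": reviewer, "date": review_date,
            "lines_reviewed": parsed, "alerts": alerts}


def acknowledge(record, rule, reviewer, disposition):
    """Close every open alert for `rule` with a named reviewer and a disposition."""
    closed = 0
    for a in record["alerts"]:
        if a.rule == rule and a.acknowledged_by is None:
            a.acknowledged_by, a.disposition = reviewer, disposition
            closed += 1
    return closed


def unacknowledged(record):
    """Alerts nobody has made a decision on yet; a non-empty list means the review is not done."""
    return [a for a in record["alerts"] if a.acknowledged_by is None]


if __name__ == "__main__":
    rec = review(SAMPLE_LOGS.splitlines(), "analyst1", "2024-03-05")
    acknowledge(rec, "audit-stopped", "analyst1", "planned maintenance, change record on file")
    print(f"{rec['date']} {rec['reviewer']}: {rec['lines_reviewed']} lines, "
          f"{len(rec['alerts'])} alerts, {len(unacknowledged(rec))} still open")
    for a in unacknowledged(rec):
        print(f"  OPEN {a.rule} on {a.host}: {a.detail}")
```

The review record is the point: the rules themselves are nothing a SIEM cannot do, but an assessor needs the date, the reviewer and the disposition of each alert, and `unacknowledged()` returning a non-empty list on day 300 is exactly the unread-folder problem made visible. Shipping the record to a ticketing system or a write-once store is left to whatever the environment already uses.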