PCI DSS QSA requalification exam – The Outsourced DPO

The Outsourced DPO has taken one or two exams over the years and last week had to sit the PCI DSS QSA requalification exam: an annual requirement. This is one of the features of the DSS that is class-leading – the requirement to undertake at least 300 CPD hours every 3 years and to sit an annual exam in order to remain a “licensed” QSA.

It is certainly the case that assessors have differing strengths and weaknesses: the certification program does not lead to a homogeneous pool of QSAs. Take the three QSAs at Data Protection People for example: one is a published author in the field of internet security solutions; another has extensive experience of securing classified government and military communications; and the third has extensive experience of data protection compliance management and of designing and building database systems in the cloud. All three are certified as QSAs and as a team provide a breadth of perspectives.

There are several training programs in the UK leading to the award of a certificate in data protection law and compliance management, but what are they like and how do they compare? Is the PDP certified practitioner program equivalent to the ITGov certificate, the CIPP/E, or the excellent program provided by Griffin House? This very question arose on a recent lunchtime videocast. It caused much debate and a feeling that it would be beneficial for there to be a single, properly established, nationally recognised certification scheme in the UK containing features such as those required by the PCI DSS QSA scheme: a structured training program, a CPD requirement and a requalification exam.

The Outsourced DPO was delighted to pass the QSA requalification exam and so, for another year, is also an Outsourced QSA!