The QSA assessment fieldwork is the point in the compliance program where preparation pays off — or fails to. Organizations that arrive at fieldwork with well-organized evidence, prepared personnel, and a clear scope narrative move through assessment efficiently. Organizations that treat the assessment start date as the moment to begin gathering evidence face delays, additional evidence requests, and potential assessment failures.
The 90-Day Pre-Assessment Timeline
| Timing | Milestone | Activities |
|---|---|---|
| T-90 days | Internal Readiness Assessment | Conduct full internal gap review against all in-scope requirements; identify and remediate remaining gaps |
| T-75 days | Evidence Organization | Organize all evidence in a structured repository; complete final recurring evidence collection (access reviews, scan reports) |
| T-60 days | QSA Kickoff Meeting | Agree on scope, sampling approach, evidence request format, and assessment timeline with the QSA |
| T-45 days | Pre-Assessment Evidence Submission | Submit initial evidence package to QSA — policies, procedures, network diagrams, system inventory |
| T-30 days | Staff Interview Preparation | Brief all personnel who will be interviewed by the QSA on their roles, controls they manage, and evidence they maintain |
| T-14 days | Final Evidence Review | Confirm all evidence is current, complete, and organized; resolve any gaps identified in QSA pre-assessment review |
| T-0 | QSA Fieldwork Begins | Assessment coordinator available full-time; all evidence accessible; subject matter experts scheduled for interviews |
The Internal Readiness Assessment
The internal readiness assessment is a dry run of the QSA assessment — conducted by your internal team or a consulting partner (not the QSA who will conduct the final assessment). It applies the same testing procedures the QSA will use to identify remaining gaps before fieldwork begins.
KEY IDEA: The internal readiness assessment is the single most valuable pre-assessment investment. A well-executed readiness assessment will identify 80–90% of the gaps that a QSA would find — giving you time to remediate before the formal assessment. Organizations that skip the readiness assessment and go directly to QSA fieldwork almost always face costly remediation delays mid-assessment.
Evidence Organization
Evidence Repository Structure
Organize evidence by requirement number. A typical structure:
- Req 1 — Network Security: Firewall configurations, network diagrams, rule review records
- Req 2 — Secure Configurations: Hardening standards documents, configuration screenshots, baseline comparison results
- Req 3 — Data Protection: Encryption algorithm documentation, key management policies, data discovery results
- Req 4 — Data in Transit: TLS scan results, certificate inventory, transmission encryption documentation
- Req 5-6 — Vulnerability Management: Anti-malware configs, patch records, code review evidence, WAF logs
- Req 7-8 — Access Control: User access lists, provisioning records, access review completions, MFA configuration
- Req 9 — Physical Security: Access logs, visitor records, POI inspection records, media destruction certificates
- Req 10 — Logging: SIEM configuration, daily review records, log retention policy, log samples
- Req 11 — Testing: ASV scan reports (4 quarters), internal scan reports, penetration test report, segmentation test
- Req 12 — Policies: All policy documents with approval dates, TRA documentation, vendor AoCs, IRP, training records
Evidence Naming Conventions
Use consistent naming: [Requirement]-[Sub-requirement]-[Control description]-[Date].ext. For example: 08.4.2-MFA-Configuration-Screenshot-2026-03-15.png. This makes evidence immediately locatable during QSA evidence requests.
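The naming convention above can be enforced mechanically rather than by eye. The following Python script is an added example, not Bitlion's tooling: it parses names in the `[Requirement]-[Sub-requirement]-[Control description]-[Date].ext` form, rejects names that do not match the convention (or that carry an impossible date), groups the rest into the requirement folders listed above, and records each item's age in days at the fieldwork date so stale evidence stands out during the T-14 final review. The folder labels, the sample file names and the fieldwork date are constructed for the example.

```python
"""Evidence repository indexer for the naming convention
[Requirement]-[Sub-requirement]-[Control description]-[Date].ext
(e.g. 08.4.2-MFA-Configuration-Screenshot-2026-03-15.png).
Added example; the folder map and sample file names are constructed."""
import re
from collections import defaultdict
from datetime import date

# The convention: two-digit requirement, dotted sub-requirement, hyphenated
# control description, ISO date, extension. Nothing else is accepted.
EVIDENCE_NAME = re.compile(
    r"^(?P<req>\d{2})\.(?P<sub>\d+(?:\.\d+)*)"
    r"-(?P<desc>[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)"
    r"-(?P<date>\d{4}-\d{2}-\d{2})\.(?P<ext>[A-Za-z0-9]+)$"
)

# Repository folders mirroring the structure in the text (constructed labels).
FOLDERS = {
    1: "Req 1 - Network Security",
    2: "Req 2 - Secure Configurations",
    3: "Req 3 - Data Protection",
    4: "Req 4 - Data in Transit",
    5: "Req 5-6 - Vulnerability Management",
    6: "Req 5-6 - Vulnerability Management",
    7: "Req 7-8 - Access Control",
    8: "Req 7-8 - Access Control",
    9: "Req 9 - Physical Security",
    10: "Req 10 - Logging",
    11: "Req 11 - Testing",
    12: "Req 12 - Policies",
}


def parse_evidence_name(name):
    """Return the name's components as a dict, or None if it breaks the convention."""
    m = EVIDENCE_NAME.match(name)
    if not m:
        return None
    try:
        collected = date.fromisoformat(m["date"])
    except ValueError:
        return None  # e.g. 2026-02-30 matches the pattern but is not a real date
    req = int(m["req"])
    if req not in FOLDERS:
        return None  # requirement numbers outside 1..12 are not PCI DSS requirements
    return {"req": req, "sub": f"{req}.{m['sub']}", "desc": m["desc"],
            "date": collected, "ext": m["ext"], "folder": FOLDERS[req]}


def index_repository(names, fieldwork_date):
    """Group well-formed names by folder and list non-compliant names separately.
    Each entry is (sub-requirement, file name, age in days at fieldwork start)."""
    index = defaultdict(list)
    rejected = []
    for name in names:
        parsed = parse_evidence_name(name)
        if parsed is None:
            rejected.append(name)
            continue
        age = (fieldwork_date - parsed["date"]).days
        index[parsed["folder"]].append((parsed["sub"], name, age))
    # Sort numerically by sub-requirement so 1.10 sorts after 1.2, not before it.
    for folder in index:
        index[folder].sort(key=lambda e: tuple(int(p) for p in e[0].split(".")))
    return dict(index), rejected


# Constructed sample file names: three compliant, two that should be rejected.
SAMPLE_NAMES = [
    "08.4.2-MFA-Configuration-Screenshot-2026-03-15.png",
    "01.2.1-Firewall-Rule-Review-2026-02-28.pdf",
    "11.3.2-ASV-Scan-Report-Q4-2025-12-20.pdf",
    "mfa screenshot final2.png",                      # no requirement, no date
    "03.5.1-Key-Management-Policy-2026-02-30.docx",   # pattern fits, date does not exist
]
FIELDWORK_DATE = date(2026, 4, 1)  # constructed T-0

if __name__ == "__main__":
    index, rejected = index_repository(SAMPLE_NAMES, FIELDWORK_DATE)
    for folder, entries in sorted(index.items()):
        print(folder)
        for sub, name, age in entries:
            print(f"  {sub:<8} {name}  ({age} days old at fieldwork)")
    print("Rejected (rename before T-14):", rejected)
```

Run it against a directory listing of the repository at T-75 and again at T-14; anything in the rejected list is evidence the QSA will not be able to locate from a requirement number, and a large age value on recurring evidence (access reviews, scan reports) is the cue to collect the current period's copy.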
Preparing Personnel for QSA Interviews
QSAs will interview key personnel across IT, security, operations, and management. Common interview subjects: system administrators (requirements 1, 2, 10, 11), security personnel (requirements 5, 6, 11), database administrators (requirement 3), application developers (requirement 6), HR and compliance (requirement 12), and senior management (requirements 12.1, 12.3).
The most important preparation for QSA interviews is not scripting answers — it is ensuring people know their own controls. Staff should understand: which systems they manage, what security configurations are in place on those systems, how they are alerted to security issues, and what procedure they follow when something goes wrong. QSAs notice when answers sound rehearsed but the person clearly does not understand their own environment.
Common Pre-Assessment Gaps Found Too Late
| Gap | Where It Is Usually Found | Remediation Lead Time |
|---|---|---|
| Missing ASV scan quarters | Quarterly scan history review | 3 months to obtain 4 passing quarters — cannot be accelerated |
| Penetration test not annual | Testing schedule review | Must schedule and complete pen test; typically 2–6 weeks |
| Access review records missing | Evidence repository audit | Cannot be recreated retroactively — process gap that persists |
| Policy approved but not communicated | Policy review and HR training records | Training roll-out: 2–4 weeks |
| Vendor AoCs not collected | Vendor management evidence review | 2–4 weeks to collect from all relevant vendors |
| TRA documents missing | Requirement 12.3.2 evidence check | 1–2 weeks to create if organization has the underlying risk information |
IMPORTANT: The ASV scan gap is the one pre-assessment finding that cannot be fixed quickly. If you discover during your T-90 readiness assessment that you have fewer than 4 passing quarterly external scan reports, you cannot obtain them in 90 days — ASV scans plus remediation plus rescanning takes a full quarter. This is why the scoping and gap assessment must happen well before the 90-day window.
Bitlion's pre-assessment preparation engagements have found that evidence organization — not control implementation — is the primary bottleneck in 60% of first-time assessments. Organizations have the controls; they cannot find the evidence. Building an organized evidence repository from the first day of the compliance program, not the week before assessment, is the single most actionable advice we can give.
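The ASV quarter check from the gap table can be run as a script during the T-90 readiness assessment. The following Python is an added example, not code from Bitlion or the PCI SSC: given the dates and pass/fail results of the external scans on file, it determines which of the four complete calendar quarters before fieldwork have a passing scan, and, because quarters must be consecutive and a missed quarter cannot be recreated, how many further quarters must pass before four consecutive passing quarters exist. Counting the window as the four complete quarters preceding the fieldwork date is an assumption for the example; confirm the counting approach with your QSA at the kickoff meeting. The scan records and the fieldwork date are constructed.

```python
"""ASV quarterly scan coverage check (added example; scan records are constructed)."""
from datetime import date


def quarter_of(d):
    """Calendar quarter of a date as (year, quarter_number)."""
    return (d.year, (d.month - 1) // 3 + 1)


def required_quarters(fieldwork_date, count=4):
    """The `count` complete calendar quarters before the fieldwork quarter, oldest first.
    Assumption for this example: the quarter in which fieldwork starts is not counted."""
    year, quarter = quarter_of(fieldwork_date)
    quarters = []
    for _ in range(count):
        quarter -= 1
        if quarter == 0:
            year, quarter = year - 1, 4
        quarters.append((year, quarter))
    return quarters[::-1]


def asv_coverage(scans, fieldwork_date):
    """scans: iterable of (scan_date, passed).

    A quarter is covered when any scan in it passed, so a failed scan followed
    by a passing rescan in the same quarter is fine; a failed scan that was
    never rescanned leaves its quarter open. Because the four quarters must be
    consecutive, a gap in the past can only be closed by accumulating new
    quarters after it, which is why the slip is counted from the trailing
    run of passing quarters rather than from the number of gaps."""
    required = required_quarters(fieldwork_date)
    passing = {quarter_of(d) for d, passed in scans if passed}
    missing = [q for q in required if q not in passing]

    # Length of the unbroken run of passing quarters ending at the most recent one.
    streak = 0
    for q in reversed(required):
        if q not in passing:
            break
        streak += 1
    quarters_to_slip = 0 if not missing else len(required) - streak

    return {
        "required": required,
        "missing": missing,
        "quarters_to_slip": quarters_to_slip,  # minimum delay to fieldwork, in quarters
        "ready": not missing,
    }


# Constructed sample: one failed scan was rescanned within its quarter, one was not.
SAMPLE_SCANS = [
    (date(2025, 4, 10), True),
    (date(2025, 7, 14), False),   # failed, rescanned below
    (date(2025, 8, 2), True),
    (date(2025, 10, 20), False),  # failed, never rescanned: Q4 2025 stays open
    (date(2026, 1, 9), True),
]
FIELDWORK_DATE = date(2026, 4, 6)  # constructed T-0, so Q2 2025 .. Q1 2026 are required

if __name__ == "__main__":
    result = asv_coverage(SAMPLE_SCANS, FIELDWORK_DATE)
    for year, q in result["required"]:
        status = "MISSING" if (year, q) in result["missing"] else "passing scan on file"
        print(f"{year} Q{q}: {status}")
    if result["ready"]:
        print("Four consecutive passing quarters on file; ready for fieldwork.")
    else:
        print(f"Fieldwork must slip at least {result['quarters_to_slip']} quarter(s).")
```

In the constructed sample the single missing quarter (Q4 2025) sits between two passing ones, so the trailing run is only one quarter long and fieldwork would have to move out by three quarters, not one; that is the arithmetic behind the table's "cannot be accelerated" entry.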