Most people fail to realize that audits can and should be a productive experience that not only helps an organization learn what it needs to do better, but also provides some perspective on best practices and other techniques that can improve the information security posture of an organization. The auditor sees far more than you do, so this person should be treated as a resource.
I would encourage my auditor to use his or her subjective opinion of my environment to help me improve my security. And given the wide-ranging nature of different technology environments, it's not possible to define regulations tightly enough to remove subjectivity.
If we are talking about PCI DSS specifically, let's take its first requirement -- "Install and maintain a firewall configuration to protect data." How is that anything but subjective? The auditor will ultimately be the one who defines what an acceptable firewall configuration should be. PCI DSS's third requirement -- "Protect stored data," is similarly nebulous. As you dig into the details of each requirement, there are more specifics detailing what each requirement means, but there is wiggle room -- there always is.
So the bottom line is that an audit, even a PCI DSS audit, is going to be partially subjective. Keep that in mind as you gather you data and go through your audit.
For more information:
This was first published in July 2007