The QSA review workflow
How a QSA reviews your cycle inside Ankos — invite them as a reviewer, submit signed-off entries, and work the In Place / Returned-for-revision loop entry by entry, with a full decision trail.
The CLI and the ledger get your evidence ready. This guide is the other half: how your QSA actually reviews it — entry by entry, with a clear back-and-forth — and how the result flows back to your team.
Ankos organizes the evidence and records the assessor's decisions. The compliance determination is your QSA's — Ankos never issues one of its own.
Two ways to involve your QSA
| | In-app reviewer (this guide) | Share link |
|---|---|---|
| How they work | Review entries inside Ankos, entry by entry | Download the evidence package from a link |
| Back-and-forth | Per-entry: In Place / Return for revision | None — it's a one-way handoff |
| Login | Invited as a QSA reviewer | No login; the link is the credential |
| Best for | A collaborative review cycle | Handing a finished package to an external assessor |
The rest of this guide covers the in-app reviewer flow. For the download/share model, see Share with QSA.
1. Invite your QSA
A QSA joins by invitation with the QSA reviewer role. Reviewers see only the review workspace — never your team's editing surfaces — and the role is invite-only (you can't promote a teammate into it by accident). See Team and roles.
2. Prepare and sign off
An entry is only ready for review once a reviewer on your side has looked at the evidence and signed it off. This readiness gate applies regardless of how the evidence arrived. Run the pre-flight check first to catch gaps (missing narrative, note-less overrides) before the QSA ever sees them. See Sign-off.
3. Submit for QSA review
Signed-off entries don't reach the QSA automatically — you Submit for QSA review (one entry, or in bulk). Submitted entries land in the QSA's queue as Awaiting review. Your dashboard surfaces "Signed off — not yet sent to QSA" so nothing stalls in between.
4. The QSA works the queue
In their workspace the QSA walks the queue and gives each entry an outcome:
- In Place — the evidence supports the requirement.
- In Place with Remediation — accepted, with follow-up work noted.
- In Place with Compensating Control — accepted via an alternative control.
- Return for revision — sent back with a required comment explaining what to fix.
The QSA can filter the queue to Awaiting review, Returned for revision, In Place, or All submitted, so they always know what's left.
5. You see the outcome
Each decision flows straight back to your side:
- An accepted entry shows as Accepted (with "· Remediation" or "· Comp. Control" when the QSA attached follow-up). Same decision, two words: the QSA surface uses the assessor's term In Place; your surfaces say Accepted.
- A returned entry shows as Needs Revision and auto-regresses — its sign-off is revoked and it moves back to needs attention, so it can't be mistaken for done. You're notified with the QSA's comment.
6. Address, re-submit, and revise in place
Had an entry returned? Fix it, add to the narrative, re-sign, and re-submit. It re-enters the QSA's queue with your changes.
A QSA can also re-open an entry they already marked In Place — to refine the outcome (say, add a remediation note) or return it after all — without waiting for you to re-submit. Every decision is appended to the entry's decision history and the cycle audit trail, so the trail shows exactly what changed, when, and by whom.
Tracking the review, not the score
The ledger tracks cycle progress — how far the review workflow has advanced (signed off → submitted → reviewed → accepted). That's a different number from the CLI's PCI Score, which is a point-in-time read on your evidence. Don't read one as the other — see From scan to audit-ready.
Next steps
From scan to audit-ready
The end-to-end Ankos CLI workflow — discover your AWS estate, collect evidence, see where you stand, close the gaps, and hand an integrity-verified package to your QSA. Free, local, and read-only.
Catch PCI drift in CI/CD
Wire the Ankos CLI into your pipeline so a new public bucket, a disabled trail, or an over-permissive role surfaces within a day — not at your next QSA assessment. Free, read-only, QSA-safe output.