u/InternationalPath658

PCI Where to Start

Recently took on broader compliance scope at my company. Pulled the most recent PCI AOC out of the file and started cross-walking it against the actual environment. The person who filed it in the past couple years was non-technical, did it as a check-the-box self-attestation, and as far as I can tell never actually validated any of the controls. Now that they are long gone it is my problem. How do I correct this and where do I even start? We are just looking at L2 for now.

u/InternationalPath658 — 19 hours ago