When you have a level 3 Requirement statement, can the level 1 and level 2 requirement statements for that same control be removed from the assessment? This would remove redundancy, by not having to ask the business for evidence at each level because it would be inclusive in the level 3. This would also lower the number of overall baselines while still covering the control.
9 votes
Great suggestion. This is actually on the slate to be addressed in v10 of the CSF.
Specifically enumerate all required policy statements and items for each requirement at the policy and procedure level as a checklist. Hiding specific requirements inside the repetitive narrative of the illustrative procedures makes it extremely difficult to parse out what is required in policy and procedure documentation. While you're at it, remove the repetitive language altogether, since it's obvious for each control that "ad hoc or well understood blah blah" is already partially acceptable by your rubric, and focus on giving more examples of acceptable language or implementations, or links to relevant information.
6 votes
Great suggestions, this will be included in v10. Thanks.
Unlock Doc Repository when any Task is created during QA
1 vote
Please allow for a column option for the Illustrative Procedures Report, much like the Assessment Report (Column).
2 votes