Removing the lower level nested Requirement Statements from an assessment
When you have a level 3 Requirement statement, can the level 1 and level 2 requirement statement for that same control be removed from the assessment? This would remove redundancy, by not having to ask the business for evidence at each level because it would be inclusive in the level 3. This would also lower the number of overall baselines while still covering the control.
Brian Scheuber commented
Agree that higher level requirements should be assumed to include the expectations of lower level requirements. So eliminating the redundancy would be a time saver while still addressing the expected levels of compliance.