Hi,
Any updates to the Asset to Controls documentation?
What is the proper (Eramba’s) way to document compliance gaps associated with a specific asset?
Let’s say I have Asset 1, Asset 2 and Asset 3 that are all subject to a compliance standard (e.g. ISO 27001). A proper link is made in Compliance Analysis (Assets). Here is a use case:
Asset 1 has gaps in 6.1 requirement
Asset 2 has gaps in 7.2 requirement
Asset 3 has no gaps (which means that controls are OK)
What are your suggestions? Should it be identified as risks per asset? Policy exceptions? Or something else?
Thank you
Gennady