Hi, using the ‘solution’ vs ‘Problem’ model, can account reviews be linked to a compliance item ‘problem’? For example I have a problem in a compliance item stating ‘Regular account reviews are conducted’. Can I link the account review to this Compliance Item Mitigation, similar to a Security Policy or Internal Control?
Yes, we were asked about this in the past. We could do the same for Awareness Programs or Incident Management or Data Flows … but it is honestly a bit of a mess.
In these situations we recommend simply putting a text in the description field in compliance analysis: “See Account Review Module”.
Some day we might be able to create custom fields that link to other modules, and then that day everyone will have the freedom to create whatever they believe is best for them. Until then you all are our prisoners!!
I’d actually argue that the way it is set up is a bit more logical. In reality, you don’t want to create a single control for every single system that you’re performing an account review for. Your control is that you do account reviews on some basis. Your maintenance activity is to go to the account review module and do the needful, and your audit is to confirm the needful was done correctly.
The way to demonstrate the needful is that, because account reviews are associated with an asset (aka, a system), you can set a custom status so that assets that meet some criteria need to have a current review, or it’ll trigger an alert that the account reviews weren’t done. Then your maintenance activity just turns into watching those alerts…