Support - Compliance Analyse 50, 75 or 100%?

We have to be 100% compliant with some local regulations. Therefore I have of course set the setting to “100%” and the strategy to “compliant”.
We use ISO 27001 as a baseline but do not have an ISO certification and therefore do not have to be compliant with this standard.
What settings do you recommend in that case?
Strategy as “compliant” and then the % setting at 50% or 75%?
What will the difference be? Do they have some function in reports etc.?
Thanks
Regards

@sge The Compliance Efficacy option is a subjective field for establishing your level of compliance with the specified control given the mitigating factors you have implemented. You could take an approach of saying, for each mitigation factor I have implemented, I improve control efficacy by 25%. For example, I have a Change Management control and I have implemented a Policy, supporting standards and procedures, I have an internal control for auditing the Change Management process to ensure it’s being followed, and the control has established audit criteria for assessing its efficiency.

Hi Matthew. Thanks for your reply. I like your method. But I miss some way to see the gap between the "Current Compliance Status (Your desired compliance goal)". If you choose “Compliant” there, it could be nice to see in reports where you only have 50% Compliance Efficacy (maybe because you miss some controls). How do you review the gaps when you can't see them in any reports? Or maybe you have a trick to show it. Otherwise it seems like the reports show that you are 100% compliant when in fact you are only 50% compliant. I look forward to your reply :)

@sge You can create a custom filter to show Compliance Efficacy under 100% and then create a custom dashboard widget using this saved filter.

That's a good idea. I will think about doing it the same way. Maybe we need some kind of “Compliance package item review” function once a year to look at the Compliance Efficacy and whether it has to go up or down.