The most recent changes to KCM included adding 'Partially Met' as a response for the 'Self-Assessment Response' section of requirements (in Scopes). This is helpful, but it should be able to offer more granularity on the status of requirements. I would love to see this expanded even further to include the following:
Change the 'Self-Assessment Response' from a single item to these 4 items, along with these statuses for each item:
- Policy Defined - No policy, informal policy, partially written policy, written policy, approved written policy
- Control Implemented - Partially implemented, not implemented, mostly implemented, fully implemented
- Control Automated - Partially automated, not automated, mostly automated, fully automated
- Control Reported to Business - Not reported, partially reported, mostly reported, fully reported
This is how it works in a few other tools I have demoed that help you track compliance. Here's an example: