Option A - Basic
A basic design in which each policy is linked to specific internal controls, and each internal control has its own specific evidence. This is a 1:1 mapping: one Internal Control for an asset, with one or more pieces of evidence collected for that same asset.
Example:
Control: Management provides quarterly user access reviews for Active Directory.
Evidence: Quarterly user access review for Active Directory.
Pro:
- Controls are written exactly as they appear in your auditor's documentation (e.g. SOC 2 Type 2, SOX). You can upload the specific evidence your auditors request and meet their requirements directly.
- The system automatically launches evidence collection.
- A dashboard tracks compliance status.
Con:
- A larger number of Internal Control records to maintain.
Who is this model good for?
- Programs that are just starting out with one or two compliance frameworks; this model can be adopted with minimal impact.
- Teams that need a fast setup: you simply import what the auditor gives you.