- My View
Those who have worked on IT GRC and are now working on GRC Istanbul will have witnessed a process flow that is hard to digest.
IT GRC - Earlier, once the Control Test failed, a remediation was created and the Control was set to Non Compliant. This was logical: if the org wanted to make the control compliant, that could only be done once the Control was executed again, and the CTI would become compliant because the issue had previously been remediated in the remediation.
GRC Istanbul - The flow goes as below:
Control > Indicator > Indicator Task
If the indicator task passes, then the Controls are effective.
If the indicator task fails, then an issue is generated, and for the time being the Control is Non Effective. But as soon as the Issue is Closed Complete, the Control becomes Effective.
If this happens, then in an audit or compliance check all the controls will always be effective even if they hold issue records. 100% compliance is a myth.
So is this a bug, or is it the way compliance works?
- Anurag Tiwari