At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable i.e. scoring less than 3, did not show any justification for why we made that assessment and Conformio doesn’t require that. Our assessment would have been based on the controls etc already in place at that time.
Obviously, you are of the view that when making the initial assessment, it’s not necessary for us to record why we make that assessment. What is the reasoning behind this?