Non conformity identification
Answer: To support your assumption that there is no correct segregation of tasks or of environments, you have to identify a policy or procedure which defines the rules for access control, and then evaluate if the situation is compliant or not with the established rules.
If the situation is not compliant with the established rules, you can declare a non-conformity.
If there is no policy or procedure available, you should look for the risk assessment results and applicable legal requirements (e.g., laws and contractual clauses), and then evaluate if the situation is compliant or not with them. If the situation is not compliant with the risk assessment results or legal requirements, you can declare a non-conformity.
This article will provide you with further explanation about corrective actions:
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/
These materials will also help you regarding corrective actions:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Oct 27, 2017