Expert Advice Community

Non conformity identification

Guest user Created:   Oct 27, 2017 Last commented:   Oct 27, 2017

In an audit I have found, within the Active Directory, a group of users called USUARIOSADM, made up of people with different responsibilities (Managers, Project Managers, Analysts), and all of them have administration permissions on development servers and test servers. I think there is no correct segregation of tasks, nor of environments. Am I right?

Expert
Rhand Leal Oct 27, 2017

Answer: To support your assumption that there is no correct segregation of tasks or of environments, you have to identify a policy or procedure which defines the rules for access control, and then evaluate if the situation is compliant or not with the established rules.

If the situation is not compliant with the established rules you can declare a non conformity.

If there is no policy or procedure available, you should look for the risk assessment results and applicable legal requirements (e.g., laws and contractual clauses), and then evaluate if the situation is compliant or not with them. If the situation is not compliant with the risk assessment results or legal requirements you can declare a non conformity.

This article will provide you further explanation about corrective actions:
- Practical use of corrective actions for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2013/12/09/practical-use-of-corrective-actions-for-iso-27001-and-iso-22301/

These materials will also help you regarding corrective actions:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
