Adapting to specific goals and needs

The approach is flexible because you can adapt the goal decomposition to your specific needs. The NOR-STA data model captures the relations between goals, sub-goals, requirements and evidence, and provides the basis for calculating the overall conformance assessment.

Figure: goal-based conformance model

You can manage the structure of the relations and arrange the sub-goals and requirements relevant for your goals. The data structure allows you to trace the requirements and evidence related to a specific goal, and for each goal you can identify the supporting evidence.

All the conformance information is traceable, verifiable and auditable. If you find a nonconformance, the corresponding elements can be marked as unaccepted (shown in red, as in the screenshot on the right) and you can decide how to correct the situation. The possible solutions are:

  • provide new (corrected) evidence,
  • change the goal decomposition (implementation strategy),
  • change the scope or the context of the conformance goal.

Further review of the requirements and evidence, and sometimes also of the implementation strategy, is required to achieve acceptance of the conformance goal.

When you develop or adapt the conformance model, keep your implementation strategies simple and accurate. Review each strategy to verify it, because a wrong strategy leads to incorrect and incomplete requirements. With an incorrect strategy you may have the illusion of achieving a goal while in reality not achieving it at all. That is why it is so important to challenge the strategies and make sure they are valid. Whenever you find a strategy invalid, incomplete or obscure, first change its evaluation to negative (nonconformance), then correct it, and also correct the other affected elements where necessary.

Figure: conformance strategy justification

There are six main questions to ask about each strategy:

  • Is it adequate for the given goal? Does it really lead to achieving this specific goal?
  • Is it unambiguous? Are there different interpretations of the strategy, in particular from the point of view of other users?
  • Is it verified? Is there any evidence that this strategy is effective and produces the assumed output?
  • Is it complete? Are all the sub-goals and requirements listed for the full scope of conditions, variants and situations?
  • Is it efficient? Are all the required measures necessary? Are there no requirements for evidence or work that is unnecessary?
  • Is it reliable and free from flaws? Are there any known and unmitigated flaws or defects in the strategy?

When you analyze the strategy for goal number 2 in the sample checklist for backups (discussed in section 2), you may ask whether it covers the confidentiality of the backup storage. You will find that it does not. If you consider this important for achieving the goal, you should immediately mark the strategy as incorrect and start the correction process. The strategy can be evaluated as correct after a review, once you are sure that the strategy and the related set of requirements are correct and adequate for the given conformance goal.
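As an added illustration of the evaluation and correction cycle above (example code written for this page, not part of NOR-STA), the following Python models a goal decomposition with strategies, requirements and evidence, computes the assessment bottom-up under an assumed aggregation rule, and walks through the backup goal 2 case: the incomplete strategy is marked as a nonconformance, the missing requirement is added, and the goal stays unaccepted until evidence for it is provided. The goal and requirement names are constructed.

```python
from dataclasses import dataclass, field
# Added example of a NOR-STA-style goal decomposition (not NOR-STA's own code).
# Assumed aggregation rule: a requirement is accepted when at least one piece of evidence
# is accepted; a goal is accepted when its strategy and every element under it are accepted.

@dataclass
class Evidence:
    name: str
    accepted: bool = True

@dataclass
class Requirement:
    name: str
    evidence: list = field(default_factory=list)
    def accepted(self) -> bool:
        return any(e.accepted for e in self.evidence)
    def nonconformances(self, path):
        return [] if self.accepted() else [f"{path}/{self.name}: no accepted evidence"]

@dataclass
class Goal:
    name: str
    strategy: str
    strategy_accepted: bool = True                 # False once a review finds the strategy invalid
    children: list = field(default_factory=list)   # sub-goals and requirements

    def accepted(self) -> bool:
        return self.strategy_accepted and all(c.accepted() for c in self.children)

    def nonconformances(self, path=""):
        """Trace every unaccepted element down the tree, which is what an auditor needs to see."""
        here = f"{path}/{self.name}"
        out = [] if self.strategy_accepted else [f"{here}: strategy '{self.strategy}' invalid"]
        for c in self.children:
            out.extend(c.nonconformances(here))
        return out

def backup_example():
    """Constructed goal 2 of a backup checklist whose strategy omits storage confidentiality."""
    g2 = Goal("G2 backups protected", "control access to backup media", children=[
        Requirement("R2.1 media stored off-site", [Evidence("storage contract")]),
        Requirement("R2.2 media access restricted", [Evidence("access log review")])])
    root = Goal("G0 backup conformance", "decompose per backup lifecycle", children=[g2])
    before = root.accepted()                     # every leaf has accepted evidence: looks conformant
    g2.strategy_accepted = False                 # review: strategy incomplete, evaluate as nonconformance
    issues = root.nonconformances()
    g2.children.append(Requirement("R2.3 backup media encrypted"))  # correction, no evidence yet
    g2.strategy_accepted = True                  # strategy re-reviewed and accepted
    return before, issues, root.accepted(), root.nonconformances()
```

The illusion of conformance (`before` is true) disappears as soon as the strategy is challenged, and after the correction the trace points to the new requirement that still lacks evidence.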
