A key part of successfully implementing and maintaining ISO 27001 is conducting audits regularly.
As part of this, it is also important to have a clear understanding of your organisation's ISO audit results.
The outcome of an ISO audit is not presented as a percentage or a score.
Instead, the results of ISO audits are referred to as findings.
Audit findings can either be:
*Non-conformances and non-conformities are typically used interchangeably, both referring to the same thing.
Observations raised by the auditor are areas that, whilst still within compliance, are dangerously close to becoming a non-conformance.
These are suggestions of areas that need attention, so as to prevent possible future non-conformances.
Observations and opportunities for improvement can be greatly helpful when implementing both corrective and preventive action.
Non-conformances are raised by the auditor if the requirements of the ISO standard are not being properly adhered to.
All non-conformances need to be addressed through corrective actions, no matter if major or minor.
A minor non-conformance can be defined as an instance where non-compliance does not affect the overall effectiveness of an information security management system, or the organisation's ability to achieve its information security goals.
Simply put, minor non-conformities are found when a system or requirement has evidently been implemented correctly for the most part, but with apparent minor lapses in the quality management system.
If the auditor finds that an organisation does not comply with its own policies, procedures and guidelines, they will raise a major non-conformity.
Major non-conformances are typically found when there is a significant breakdown in the organisation’s quality management system, blocking it from meeting its ISO requirements.
If the auditor raises any non-conformances during the audit, this will prevent your organisation from achieving or maintaining its ISO certificate until they are corrected.
However, the auditor will also describe the non-conformity in detail, provide evidence of the problem, reference the clause of the requirement that is not being addressed and summarise what should be done to rectify the non-conformity and meet the stated requirement.
This will give you plenty of opportunity to implement corrective actions and review their effectiveness.