
What are the different types of audit findings?

From Observations to Non-conformities: exploring the different types of ISO audit results.

A key part of successfully implementing and maintaining ISO 27001 is conducting audits regularly.

As part of this, it is also important to have a clear understanding of your organisation's ISO audit results.

The outcome of an ISO audit is not presented as a percentage or a score.

Instead, the results of ISO audits are referred to as findings.

What are the different types of audit findings?

Audit findings can either be:

  • Observations/Opportunities for improvement
  • Non-conformances* (further classified into major and minor non-conformance)

*Non-conformances and non-conformities are typically used interchangeably, both referring to the same thing.

Observations/Opportunities for improvement

Observations found by the auditor are areas that, whilst still within compliance, are dangerously close to becoming a non-conformance.

These are suggestions of areas that need attention, so as to prevent possible future non-conformances.

Observations and opportunities for improvement can be greatly helpful when implementing both corrective and preventive action.

Non-conformances

Non-conformances are raised by the auditor if the requirements of the ISO standard are not being properly adhered to.

All non-conformances need to be addressed through corrective actions, whether major or minor.

Minor non-conformances

A minor non-conformance can be defined as an instance where non-compliance does not affect the overall effectiveness of an information security management system, or the organisation's ability to achieve its information security goals.

Put simply, minor non-conformities are found when a system or requirement has evidently been implemented correctly for the most part, but with apparent minor lapses in the quality management system.

Major non-conformances

If the auditor finds that an organisation does not comply with its own policies, procedures and guidelines, they will raise a major non-conformity.

Major non-conformances are typically found when there is a significant breakdown in the organisation's quality management system, blocking it from meeting its ISO requirements.

What can I do with non-conformances?

If the auditor raises any non-conformances during the audit, your organisation will not achieve or maintain its ISO certificate until they are corrected.

However, the auditor will also describe each non-conformity in detail, provide evidence of the problem, reference the clause of the requirement that is not being addressed, and summarise what should be done to rectify the non-conformity and meet the stated requirement.

This gives you plenty of opportunity to implement corrective actions and review their effectiveness.
