A key part of successfully maintaining and implementing ISO 27001 is the regular conduction of audits.
As part of this, it is also important to have a clear understanding of your organisation’s ISO audit results.
The outcome of an ISO audit is not presented as a percentage or a score.
Instead, the results of ISO audits are referred to as findings.
Audit findings can either be:
*Non-conformances and non-conformities are typically used interchangeably, both referring to the same thing.
Observations found by the auditor are areas that whilst within compliance, are also dangerously close to being a non-conformance.
These are suggestions of areas that need attention, as to prevent possible future non-conformances.
Observations and Opportunities for improvement can be greatly helpful when implementing both corrective and preventive action.
Non-conformances are raised by the auditor if the requirements of the ISO standard are not being properly adhered to.
All non-conformances need to be addressed through corrective actions, no matter if major or minor.
A minor non-conformance can be defined as an instance where non compliance does not affect the overall effectiveness of an information security management system, or the organisation’s ability to achieve its information security goals.
Simply, minor-conformities are found when a system or requirement has evidently been implemented correctly for the most part, but with apparent minor lapses in the quality management system.
If the auditor finds that an organisation does not comply with its own policies, procedures and guidelines, they will raise a major non-conformity.
Major non-conformances are typically found when there is a significant breakdown in the organisation’s quality management system, blocking it from meeting its ISO requirements.
On the occasion that the auditor raises any non-conformances during the audit, this will prevent your organisation from achieving or maintaining its ISO certificate until this is corrected.
However, the auditor will also describe the non-conformity in detail, provide evidence of the problem, reference the clause of the requirement that is not being addressed and summarise what should be done to rectify the non-conformity and meet the stated requirement.
This will give you plenty of opportunity to implement corrective actions and review their effectiveness.
Follow us on Linkedin and Twitter to stay up to date with all our product news.
If you’d like to chat about your organisation’s compliance needs or book a demo – we’re here to help.
Streamlining compliance – introducing Inverifi’s new compliance standard templates Introducing Inverifi’s Annex control functionality We’re happy to announce that compliance standards are now live in
ISO 27001 Controls: Developing Secure Apps The importance of privacy and security When you’re developing an application, it is important to consider how it handles
Introducing Diagrams A new way to visualise and connect your organisation’s process flows We are thrilled to announce the release of Diagrams, a brand new
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, , +44 20 4574 9908
