Non-conformities

1. For the Clause 4.2, our external auditor requires us to have a document containing all needs and expectation of interested parties.My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents.Would you consider this a major nonconformity?

Answer: The lack of this single document would not be considered a nonconformity for ISO 27001, because clause 4.2 of this standard does not require the needs and expectations of interested parties to be documented.

2. For the Clause 4.4., our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10.
My understanding is that there’s no standard requirement for an ISMS Manual document.

Would you consider this a major nonconformity?

Answer:  The lack of an ISMS manual would not be considered a nonconformity for ISO 27001, because clause 4.4 of this standard does not require such a manual to be documented.

Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:  
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/