Hello, we have recently received reports that some accreditation auditors are not raising non-conformities against Annex A controls, but rather that the relevant determination should be associated with the first 10 clauses of the standard. How are technical issues related? The accreditation inspectors claim that this is stated by the IAF.
Do the inspectors write the findings against the relevant Annex A control as evidence, indicating the non-conformities they have identified from Annex A? For example, does the auditor specify "A.9.4.4" by using the number 9.9.4, or by associating it with one of the first 10 clauses of the standard, in relation to the use of privileged support programs?
Answer: We are not aware of any such IAF recommendations regarding ISO 27001 audits, but what I can tell you is that non-conformity statements must be as precise as possible, and if an auditor can directly cite a control from ISO 27001 Annex A, then he should do so to make the understanding and resolution of the non-conformity easier.
What is common is that, when applicable, the auditor cites both controls from Annex A and requirements from the main clauses of the standard. For example, non-conformities related to control A.7.2.2 (Information security awareness, education and training) may also be associated with non-compliance with requirement 7.2 Competence.