
Expert Advice Community


Annex A related non-compliances

Guest user Created:   Jul 14, 2018 Last commented:   Jul 14, 2018


Hello, we have recently received reports that some accreditation auditors are not issuing non-compliances against Annex A controls, but rather that the relevant finding should be associated with the first 10 clauses of the standard. How are technical issues related? The accreditation inspectors claim that this comes from the IAF.

Rhand Leal Jul 14, 2018

Do the inspectors write the findings against the relevant Annex A control as evidence, indicating the nonconformities they have identified from Annex A? For example, does the auditor specify "A.9.4.4 by using the number 9.9.4, or by associating it with one of the first 10 clauses of the standard" in relation to the use of privileged utility programs?

Answer: We are unaware of any such IAF recommendations about ISO 27001 audits, but what I can tell you is that nonconformity statements must be as precise as possible, and if an auditor can state directly a control from ISO 27001 Annex A, then he should do it to make the understanding and resolution of the nonconformity easier.

What is common is that, when applicable, the auditor states both controls from Annex A and requirements from the main sections of the standard. For example, nonconformities related to control A.7.2.2 (Information security awareness, education and training) may also be associated with non-compliance with requirement 7.2 Competence.
