Annex A related non-compliances
Do the auditors write the findings in the relevant Annex A control as evidence, indicating the non-conformities they have identified from Annex A? For example, does the auditor specify "A.9.4.4 by using the number 9.9.4, or by associating it with one of the first 10 items of the standard" in relation to the use of privileged utility programs?
Answer: We are unaware of any such IAF recommendations about ISO 27001 audits, but what I can tell you is that non-conformity statements must be as precise as possible, and if an auditor can directly state a control from ISO 27001 Annex A, then he should do so to make the understanding and resolution of the non-conformity easier.
What is common is that, when applicable, the auditor states both controls from Annex A and requirements from the main sections of the standard. For example, non-conformities related to control A.7.2.2 (Information security awareness, education and training) may also be associated with non-compliance with requirement 7.2 Competence.
Jul 14, 2018