Expert Advice Community

Controls implementation

Guest user Created:   Sep 24, 2017 Last commented:   Sep 24, 2017

We have reviewed the Checklist of Mandatory Documentation, and the clause (Information Classification Policy) covering controls A.8.2.1, A.8.2.2 and A.8.2.3 is in the list of Commonly Used Non-Mandatory Documents.
Expert
Rhand Leal Sep 24, 2017

While we think this is a good recommendation and would like to implement it later, we would like to defer it during our Stage 1 and Stage 2 audits. The reason not to implement it initially is the time to get all departments on board with this and all documents updated is going to be a huge effort and the 4th quarter is a stressful time of the year for our business. Our stage 1 audit is the end of November.

Will we get a non-conformity, especially a major one, if we elect not to incorporate this in our SOA for the aforementioned reason?

Answer: You can leave some of the controls for the implementation for after the auditing under the following conditions:
1) That you have implemented before the audit the controls that mitigate the biggest risks – in other words, you can leave only less important controls for after the audit
2) That you have specified the deadlines for the controls that you will be implementing after the audit in your Risk Treatment Plan – of course, those deadlines must be after the audit date
3) That your risk owners or top management accept all the risks for which controls have not been implemented before the audit

This means that the most important controls must have "implemented" status at the audit, while the less important controls can have status "planned" or "partially implemented" at the moment of the audit. Of course, for controls with status "partially implemented" you have to keep evidence of activities already performed regarding the implementation (the auditor won't audit the control, but he will verify whether the implementation plan is being executed).

This material will also help you regarding controls implementation:
- Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
