ISMS audit fidings

First, it is important to note that, considering ISO 19011, the standard used for auditing ISO management systems, audit findings can be conformity, nonconformity, opportunities for improvement, and recommendations (i.e., there is no definition for observation in the standard as an audit finding).

As for minor and major NC, these definitions are normally used by certification auditors, to differentiate NCs that impact mandatory documents, or systematically affects the management system, from punctual NCs that do not affect the general operation of the management system.

The difference between an NC and observation is that for the second one you do not have enough evidence to support a non-conformity statement. In this situation, an auditor can make an observation to the organization so its staff can decide to work on an evaluation to identify if further work has to be done. It also can be used by another auditor in another audit to verify if the situation has evolved to a well-based non-conformity or not.

For further information, see:

• Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

This course can give you further information about internal audit:

• ISO 27001:2013 Internal Auditor course https://advisera.com/training/iso-27001-internal-auditor-course/