We had a question come up regarding ISO 27001 and minor non-conformities. I’ll enter it below hoping that someone from the training team may be able to answer it for us.
Question we have:
We have a certified facility that had a few minor non-conformities during its last surveillance audit.
The audit provider gave the ISMS team until June 2023 to address them. They had 90 days to supply a fix.
Did that mean they needed to report back to the auditor with the remediation by June?
Or do they need to provide evidence that they were addressed by June at their next audit coming up in March 2024?
So, does that ISMS team need to proactively reach out to their auditor with the evidence that the non-conformities have been fixed?