ISO 27001 - Question nonconformities

Guest user Created:   Sep 02, 2022 Last commented:   Sep 02, 2022

We have a question about non-conformities.

We are now awaiting the results from our internal audit, and wonder which of their findings should count as non-conformities (if any)? Is it only those with risk level "high" or "Critical" that should count as non-conformities, and the other ones as regular risks? Or how do we know how to classify the findings?

Expert
Rhand Leal Sep 02, 2022

Please note that findings do not become nonconformities because they are related to risks, but because they evidence noncompliance with defined rules (e.g., policies and procedures), planned actions (e.g., actions not executed or wrongly executed), or expected results (e.g., missing results or wrong results).

Regarding nonconformities classification, ISO 27001 does not require them to be classified, so you can adopt criteria that best fit your needs. Associating them with a risk level is an acceptable criterion. Certification audits adopt minor and major levels to classify nonconformities, and this is also an option for you.

This article will provide you with further explanation about the classification of nonconformities:
