Save 50% on the EU GDPR toolkit with a one-year
Conformio Professional subscription
LIMITED-TIME OFFER – ENDS JANUARY 26, 2023

Expert Advice Community

Guest

ISO 27001 - Question nonconformities

  Quote
Guest
Guest user Created:   Sep 02, 2022 Last commented:   Sep 02, 2022

ISO 27001 - Question nonconformities

We have a question about non-conformities.

We are now awaiting the results from our internal audit, and wonder what of their findings that should count as non-conformities (if any)? Is it only those with risk level "high" or "Critical" that should count as non-conformities, and the other ones as regular risks? Or how do we know how to classify the findings?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 02, 2022

Please note that findings do not become nonconformities because they are related to risks, but because they evidence noncompliance with defined rules (e.g., policies and procedures), planned actions (e.g., actions not executed or wrongly executed), or expected results (e.g., missing results or wrong results).

Regarding nonconformities classification, ISO 27001 does not require them to be classified, so you can adopt criteria that best fit your needs. Associating them to a risk level is an acceptable criterion. Certification audits adopt minor and major levels to classify nonconformities, and this is also an option for you.

This article will provide you with further explanation about the classification of nonconformities:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 02, 2022

Sep 02, 2022

Suggested Topics