Good morning,
A company has a very reliable system and, over time, no security incidents, failures or occurrences are found that justify opening non-conformity processes.
Note: the system is very robust and the demand for using it is much lower than its capacity.
During an audit, can the auditor question the absence of these records (incidents and non-conformities), that is, consider that these events occurred but the company did not record them?
In fact, such a situation is unusual, but it is not by itself a sufficient reason for a problem. The auditor will probably perform additional checks, considering:
- which conditions you have defined that require opening a non-conformity. For example, in some situations one or two minor events related to the system may happen while system performance is still at acceptable levels, so raising a non-conformity is not required.
- reports on the performance of implemented controls, to check if they were working properly considering the period audited.
Based on the evidence found about system performance conditions and the reports on control performance, the auditor may conclude that the system is in fact reliable enough and that the lack of incidents and non-conformities (or the low number of incidents and the lack of non-conformities) is justifiable.
For further information, see:
- Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
Feb 07, 2023