
ISO/IEC 27001 Audit

Adalnei Gomide Created:   Feb 06, 2023 Last commented:   Feb 07, 2023

Good morning,
A company has a very reliable system and over time no security incidents, failures or occurrences are found that justify the opening of non-conformity processes.
Note: the system is very robust and the demand for using it is much lower than its capacity.
During an audit, can the auditor question the absence of these records (incidents and non-conformities), that is, consider that these events occurred but the company did not record them?

Rhand Leal Feb 07, 2023

In fact, such a situation is unusual, but not a sufficient reason for a problem. The auditor will probably perform additional checks, considering:

  • which conditions you have defined that require opening a non-conformity. For example, in some situations, one or two minor events related to the system may happen, and the system performance is still at acceptable levels, so raising a non-conformity is not required.
  • reports on the performance of implemented controls, to check if they were working properly during the period audited.

Based on the evidence found related to systems performance conditions and reports about controls performance, the auditor may conclude that in fact, the system is reliable enough and that the lack of incidents and non-conformities (or the low number of incidents and lack of non-conformities) is justifiable.  

For further information, see:
