Struggling a little bit with Non-Conformance vs. Opportunity for Improvement, or Continuous Improvement. Do you have any examples of ISO 27001 nonconformance vs. continuous improvement? If something not meeting a requirement of ISO 27001 is taken up as a continuous improvement action, will that suffice?
Nonconformities refer to something not meeting requirements, and auditors use the term opportunity for improvement in their report when they cannot find a nonconformity but want to suggest areas that could be improved, while continuous improvement refers to improving the suitability, adequacy and effectiveness of the ISMS (generally by means of increments over normally expected results). Considering that, since treating nonconformities does not aim to increment results, it is not sufficient to evidence continuous improvement. These are some examples you can consider:
- A backup process not being performed according to the approved policy is an example of a nonconformity
- Decreasing the acceptable systems downtime objective to become more attractive to potential customers is an example of continuous improvement
Hm, I would lean to say that a non-conformance of any type is a good input for improvement. As improvement is to make something better, you can use an N-C as one of the inputs that give you continuous improvement. Not all N-Cs may be improvements, as some may turn out to be quick fixes. If we take the backup process mentioned above, I think a real improvement here would be to analyze, plan, do, then check that your actions have improved and secured the process to a working state.
This is just saying that N-Cs can be one input to your continuous improvement. Others could be obtained from brainstorming, or needs from internal or external interests.