Non-Conformity 10.1 and 10.2

1. Since we already have the Templates for the Topic “Non-Conformity 10.1 and 10.2” in our Toolkit, Could you please give some examples of kinds of Non-Conformity.

A good non-conformity statement has three topics:

• observed fact
• requirement not fulfilled
• objective evidence

An example of non-conformity statement may be:

Changes that can affect information security are not being properly controlled, compromising the effectiveness of the control A.12.1.2- Change management Control, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server *** in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on the server *** at DD/MM/YYYY, according to maintenance schedule plan from Jan-2018 does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."

• observed fact: Changes that can affect information security are not being properly controlled
• requirement not fulfilled: control A.12.1.2- Change management Control, and clause 8.2 - Information security risk assessment
• objective evidence: "change made on server *** at DD/MM/YYYY" and the lack of risk assessment

You should note that writing a non-conformity requires some level of knowledge of the standard and practice of performing audits.

I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to know more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

2. Can the Main Deviations marked by the Lead Auditor in Pre-Audit be taken as Non-Conformities?

 A non-conformity is something not performed as planned, or result not expected, which would be a deviation, so you can consider the deviations marked by the Lead Auditor in Pre-Audit as non-conformities