Non-Conformity 10.1 and 10.2
1. Since we already have the templates for the topic “Non-Conformity 10.1 and 10.2” in our Toolkit, could you please give some examples of kinds of non-conformity?
2. Can the Main Deviations marked by the Lead Auditor in Pre-Audit be taken as Non-Conformities?
1. Since we already have the templates for the topic “Non-Conformity 10.1 and 10.2” in our Toolkit, could you please give some examples of kinds of non-conformity?
A good non-conformity statement has three topics:
- observed fact
- requirement not fulfilled
- objective evidence
An example of non-conformity statement may be:
Changes that can affect information security are not being properly controlled, compromising the effectiveness of control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server *** in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on the server *** on DD/MM/YYYY, according to the maintenance schedule plan from Jan-2018, does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."
- observed fact: Changes that can affect information security are not being properly controlled
- requirement not fulfilled: control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment
- objective evidence: "change made on server *** at DD/MM/YYYY" and the lack of risk assessment
You should note that writing a non-conformity requires some level of knowledge of the standard and practice of performing audits.
I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to know more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/
2. Can the Main Deviations marked by the Lead Auditor in Pre-Audit be taken as Non-Conformities?
A non-conformity is something not performed as planned, or a result that was not expected, which would be a deviation, so you can consider the deviations marked by the Lead Auditor in the pre-audit as non-conformities.
May 27, 2020