Expert Advice Community


Non-Conformity 10.1 and 10.2

Guest user Created:   May 27, 2020 Last commented:   May 27, 2020


1. Since we already have the templates for the topic "Non-Conformity 10.1 and 10.2" in our Toolkit, could you please give some examples of kinds of non-conformity?

2. Can the main deviations marked by the Lead Auditor in the pre-audit be taken as non-conformities?


Expert
Rhand Leal May 27, 2020

1. Since we already have the templates for the topic "Non-Conformity 10.1 and 10.2" in our Toolkit, could you please give some examples of kinds of non-conformity?

A good non-conformity statement has three topics:

  • observed fact
  • requirement not fulfilled
  • objective evidence

An example of non-conformity statement may be:

Changes that can affect information security are not being properly controlled, compromising the effectiveness of control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server *** in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on the server *** at DD/MM/YYYY, according to the maintenance schedule plan from Jan-2018, does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."

  • observed fact: changes that can affect information security are not being properly controlled
  • requirement not fulfilled: control A.12.1.2 - Change management, and clause 8.2 - Information security risk assessment
  • objective evidence: "change made on server *** at DD/MM/YYYY" and the lack of a risk assessment

You should note that writing a non-conformity requires some level of knowledge of the standard and practice of performing audits.

I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to know more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

2. Can the main deviations marked by the Lead Auditor in the pre-audit be taken as non-conformities?

A non-conformity is something not performed as planned, or a result that was not expected, which would be a deviation, so you can consider the deviations marked by the Lead Auditor in the pre-audit as non-conformities.
